|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Secunia Research: Microsoft Internet Explorer "createControlRange()" Memory Corruption
From: Andreas Sandblad (as
SECUNIA.COM)
Date: Fri Feb 11 2005 - 09:41:39 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
======================================================================
Secunia Research 09/02/2005
Microsoft Internet Explorer "createControlRange()" Memory Corruption
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9
======================================================================
1) Affected Software
Microsoft Internet Explorer 5.01, 5.5 and 6
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Internet Explorer,
which can be exploited by malicious people to compromise a user's
system.
The vulnerability is caused due to an input validation error in the
javascript function "createControlRange()". This can be exploited by
e.g. a malicious website to cause a heap memory corruption situation
where the program flow is redirected to the heap.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed on a fully patched system
(without MS05-014) with Internet Explorer 6.0 and
Microsoft Windows XP SP2.
======================================================================
4) Solution
Microsoft has released patches (see MS05-014 for details).
======================================================================
5) Time Table
29/10/2004 - Vulnerability discovered.
04/11/2004 - Vendor notified.
30/11/2004 - Vendor confirms the vulnerability.
09/02/2005 - Public disclosure.
======================================================================
6) Credits
Discovered by Andreas Sandblad, Secunia Research.
======================================================================
7) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
candidate number CAN-2005-0055 for the vulnerability.
MS05-014 (KB867282):
http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx
US-CERT VU#843771:
http://www.kb.cert.org/vuls/id/843771
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia web site:
http://secunia.com/
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2004-12/advisory/
======================================================================
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]