| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060322161954.4381.qmail@securityfocus.com> Date: 22 Mar 2006 16:19:54 -0000 From: advisories@...puterterrorism.com To: bugtraq@...urityfocus.com Subject: Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution Computer Terrorism (UK) :: Incident Response Centre ====================================== Security Advisory :: CT22-03-2006 ------------------------------------------- Title: Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution Organisation: Computer Terrorism (UK) Web: www.computerterrorism.com Advisory Date: 22nd March, 2006 Affected Software: Microsoft Internet Explorer 6.x, IE7 Beta 2 Severity: Critical Impact: Remote System Access Solution Status: ** UNPATCHED ** Overview: ------------- Pursuant to the publication of the aforementioned bug/vulnerability, this document serves as a preliminary Security Advisory for users of Microsoft Internet Explorer version 6 and 7 Beta 2. Successful exploitation will allow a remote attacker to execute arbitrary code against a fully patched Windows XP system, yielding system access with privileges of the underlying user. Technical Narrative: ------------------------- As per the publication, the bug originates from the use of a createTextRange() method, which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference. As a result, IE encounters an exception when trying to call a deferenced 32bit address, as highlighted by the following sniplet of code. 0x7D53C15D MOV ECX, DWORD PTR DS:[EDI] .. 0x7D53C166 CALL DWORD PTR [ECX] Due to the incorrect reference, ECX points to a very remote, non-existent memory location, causing IE to crash (DoS). However, although the location is some what distant, history dictates that a condition of this nature is conducive towards reliable exploitation. Proof of Concept: ----------------------- Computer Terrorism (UK) can confirm the production of reliable proof of concept (PoC) for this vulnerability (tested on Windows XP SP2). However, until a patch is developed, we will NOT be publicly disclosing our research. Temporary Solution: ------------------------- Users are advised to disable active scripting for non-trusted sites until a patch is released. Vendor Status: -------------------- The Vendor has been informed of all aspects of this new vulnerability (including PoC), but as of the date of the document, this vulnerability is UNPATCHED.
Powered by blists - more mailing lists