lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4428C552.3080608@determina.com>
Date: Tue Mar 28 06:11:04 2006
From: asotirov at determina.com (Alexander Sotirov)
Subject: Determina Fix for the IE createTextRange() bug

Hi,

It seems like the IE 0-day generated a lot of activity among the HIPS vendors
this weekend. We at Determina spent the weekend working on a fix for the IE
createTextRange() bug. It's finally ready for download, including full source code:

http://www.determina.com/security_center/security_advisories/securityadvisory_march272006_1.asp

DETCVE-2006-1359.msi

MD5: 85b8bfc1c30c6b4451a3ab803f49708b
SHA1: 308ae9a79e48adecf769fd50ac29ddc37a07d33c

It supports all versions of IE 5.01 and IE6.

The fix is a DLL that gets injected into all applications via the AppInit_DLLs
registry key. The DLL fixes the bug by patching a _single_ byte in MSHTML.DLL
when it is loaded in memory. This change makes the createTextRange() function
return an error code instead of returning 0. This exactly how the problem was
fixed in the latest IE7 beta from March 20th.

If you are interested in the analysis of the bug, check out the comment before
the patch_module() function in CVE-2006-1359.cpp.

16 more days until the Microsoft patch.

Alex

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ