Technical Description

A vulnerability was identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to an error in the "javaprxy.dll" COM Object when instantiated in Internet Explorer via a specially crafted HTML tag, which could be exploited via a malicious Web page to compromise and take complete control of a vulnerable system.

Proof of concept Exploit :
http://www.frsirt.com/exploits/20050702.iejavaprxyexploit.pl.php

Affected Products

Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1 (Itanium)
Internet Explorer 6 for Microsoft Windows Server 2003
Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems
Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for Itanium
Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition

Solution

Apply the patch :
http://www.microsoft.com/technet/security/bulletin/MS05-037.mspx
Or disable the Javaprxy.dll COM object from running in Internet Explorer using the registry key update (KB903235) :
Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=25982E02-EC6D-44CE-82DE-12DDEF1ADDD6&displaylang=en

Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
http://www.microsoft.com/downloads/details.aspx?FamilyId=25982E02-EC6D-44CE-82DE-12DDEF1ADDD6&displaylang=en

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=2A506C16-01EF-4060-BCF8-6993C55840A9&displaylang=en

Internet Explorer 6 for Microsoft Windows XP Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyId=C1381768-6C6D-4568-97B1-600DB8798EBF&displaylang=en

Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=F368E231-9918-4881-9F17-60312F82183F&displaylang=en

Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium), Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
http://www.microsoft.com/downloads/details.aspx?FamilyId=D785F9AB-DBE9-4272-A87E-64205690F98E&displaylang=en

Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition, and Microsoft Windows XP Professional x64 Edition
http://www.microsoft.com/downloads/details.aspx?FamilyId=68209225-A682-4008-A22B-881C401486F7&displaylang=en

Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
http://www.microsoft.com/downloads/details.aspx?FamilyId=06F8CD1B-93A0-4522-AF7D-603DD5C2BACB&displaylang=en

Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition
http://www.microsoft.com/downloads/details.aspx?FamilyId=2A506C16-01EF-4060-BCF8-6993C55840A9&displaylang=en

References

http://www.vupen.com/english/advisories/2005/0935
http://www.sec-consult.com/184.html
http://www.microsoft.com/technet/security/advisory/903144.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-037.mspx

Credits

Vulnerability reported by Bernhard Müller and Martin Eiszner

ChangeLog

2005-07-01 : Initial release
2005-07-02 : Exploit available
2005-07-05 : Updated CVE
2005-07-05 : Updated Solution (KB903235 tool)
2005-07-12 : Updated Solution (MS05-037)

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.