|
|
>> Microsoft Internet Explorer Remote Code Execution Vulnerabilities (MS06-013)
|
Multiple vulnerabilities have been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of an affected system, disclose sensitive information, or display spoofed content.
The first flaw is due to a memory corruption error when processing a specially crafted "createTextRange()" call associated with a "checkbox" object, which could be exploited by attackers to execute arbitrary commands via a specially crafted Web page. For additional information, see : VUPEN/ADV-2006-1050
The second vulnerability is due to a memory corruption error when handling multiple event handlers in an HTML element, which could be exploited by attackers to execute arbitrary commands via a specially crafted Web page.
The third issue is due to a security control bypass when handling HTML Application (HTA) files, which could be exploited by remote attackers to compromise a vulnerable system via a malicious web page.
The fourth flaw is due to a memory corruption error when processing specially crafted and not valid HTML code, which could be exploited by attackers to execute arbitrary commands via a malicious web page.
The fifth vulnerability is due to memory corruption errors when instantiating certain COM objects (Mdt2gddr.dll, Mdt2dd.dll, and Mdt2gddo.dll) as ActiveX controls, which could be exploited by remote attackers to execute arbitrary commands. This issue is similar to VUPEN/ADV-2005-0935 and VUPEN/ADV-2005-1450
The sixth flaw is due to a memory corruption error when processing HTML elements that contain a specially crafted tag, which could be exploited by attackers to execute arbitrary commands via a malicious web page.
The seventh issue is due to a memory corruption error when processing double-byte characters in specially crafted URLs, which could be exploited by attackers to compromise a vulnerable system via a malicious web page.
The eighth flaw is due to an error in the way the application returns "IOleClientSite" information when an embedded object is dynamically created, which could allow remote code execution or information disclosure.
The ninth vulnerability is due to an error when handling navigation methods, which could be exploited by remote attackers to read cookies and data from another domain via a malicious web page or email message.
The tenth flaw is due to an error when navigating the address bar and other parts of the trust UI away from a web site, which could be exploited by attackers to display spoofed content in a browser window.
Affected Products
Microsoft Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 SP1 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
Microsoft Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition
Solution
Apply patches :
http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
References
http://www.vupen.com/english/advisories/2006/1318
http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
Credits
Vulnerabilities reported by Andreas Sandblad, Jeffrey van der Stad, Jan P. Monsch, Richard M. Smith, Thomas Waldegger, Sowhat, Heiko Schultze, and Will Dormann.
ChangeLog
2006-04-11 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
