A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to cause a denial of service. This flaw is due to a NULL pointer dereference error in the HTML Editing component ("mshtmled.dll") when setting the "fonts" property of an "HtmlDlgSafeHelper" object, which could be exploited by attackers to crash a vulnerable browser by tricking a user into visiting a malicious web page.

Affected Products

Microsoft Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
Microsoft Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition

Solution

VUPEN Security is not aware of any vendor-supplied patch.

References

http://www.vupen.com/english/advisories/2006/2743
http://browserfun.blogspot.com/2006/07/mobb-11-htmldlgsafehelper-fonts.html

Credits

Vulnerability reported by H.D. Moore

Changelog

2006-07-11 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.