Product:
Microsoft: Internet Explorer 6.0 SP2
Microsoft: Internet Explorer 6.0 SP1
Microsoft: Internet Explorer 6.0
Microsoft: Internet Explorer 7.0 Beta 2
Severity: High (7)
CVSS vector: (AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
Vulnerability type: Design error
Attack`s vector: Remotly exploitable
Potential loss type: Gain user access, Availability
Vulnerability description:
Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer.
References:
BUGTRAQ: http://www.securityfocus.com/archive/1/428441
http://www.computerterrorism.com/research/ct22-03-2006
BID: http://www.securityfocus.com/bid/17196
FRSIRT: http://www.frsirt.com/english/advisories/2006/1050
SECUNIA: http://secunia.com/advisories/18680
CERT-VN: http://www.kb.cert.org/vuls/id/876678
Affected Software: | Microsoft Internet Explorer 6.x & 7 Beta 2 |
Severity: | Critical |
Impact: | Remote System Access |
Solution Status: | Unpatched |
CVE Reference: | Awaiting Confirmation |
Advisory Date: | 22nd March, 2006 |
1. OVERVIEW
Pursuant to the publication of the aforementioned bug/vulnerability, this document serves as a preliminary Security Advisory for users of Microsoft Internet Explorer 6 and 7 Beta 2.
Successful exploitation will allow a remote attacker to execute arbitrary code against a fully patched Windows XP system, yeilding system access with privileges of the underlying user.
2. TECHNICAL NARRATIVE
As per the publication, the bug originates from the use of a createTextRange() method, which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference.
As a result, IE encounters an exception when trying to call a deferenced 32bit address, as highlighted by the following sniplet of code.
0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]
..
0x7D53C166 CALL DWORD PTR [ECX]
Due to the incorrect reference, ECX points to a very remote, non-existent memory location, causing IE to crash (DoS). However, although the location is some what distant, history dictates that a condition of this nature is conducive towards
reliable exploitation.
3. PROOF OF CONCEPT
Computer Terrorism (UK) can confirm the production of reliable proof of concept (PoC) for this vulnerability (tested on Windows XP SP2). However, until a patch is developed, we will NOT be publicly disclosing our research.
4. TEMPORARY SOLUTION
Users are advised to disable active scripting for non-trusted sites until a patch is released.
5. VENDOR STATUS
The Vendor has been informed of all aspects of this new vulnerability (including PoC), but as of the date of the document, this vulnerability is UNPATCHED.
5. REFERENCES
Originally Discovered @ http://www.shog9.com/crashIE.html
Subsequent postings @
http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044297.html
Computer Terrorism (UK) :: Incident Response Centre.
Systems Affected:
Windows NT 4.0
Windows 98 / ME
Windows 2000 SP4
Windows XP SP1 / SP2
Windows 2003
Internet Explorer 5.01 Service Pack 4
Internet Explorer 6
Internet Explorer 6 Service Pack 1
Internet Explorer SP2 (On Windows XP SP2)
Overview:
eEye Digital Security is advising customers to the existence of exploit code that targets a critical security vulnerability in Microsoft Internet Explorer. The exploit pertains to an unpatched vulnerability that has been released on various public mailing lists. Microsoft has released the following security alert on this issue:
http://www.microsoft.com/technet/security/advisory/917077.mspx
This issue affects any Windows operating system running Internet Explorer versions 5.01 SP4 through 6.0 SP1. The vulnerability results from the method in which Internet Explorer handles HTML Objects. This flaw allows for remote code to be executed on the target system. If successfully exploited, an attacker will only have the rights of the currently logged on user. System Administrators should be careful to not use Administrator accounts for general system use.
Currently, there have been numerous reports of this vulnerability being used on various websites in attempts to install Spyware and remote control "bot" software for use in Distributed Denial of Service (DDoS) attacks.
Recommendations:
The recommended action required to protect systems against this attack is to disable Active Scripting from within Internet Explorer. Following are the steps required to disable Active Scripting:
Protecting Your Systems:
eEye Digital Security's Research Team has confirmed that eEye's Blink® host-based intrusion prevention solution protects from the exploitation of this Internet Explorer flaw without requiring invasive firewalling, or the presence of any patch. Current Blink customers should ensure that the Application Protection is enabled in their Blink policies.
Blink® Endpoint Vulnerability Prevention
http://www.eeye.com/blink
eEye's Temporary Workaround:
eEye Digital Security's Research Team has released a workaround for the vulnerability as a temporary measure for customers who have not yet installed Blink. This workaround is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw. Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation.
Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released. This workaround is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw. Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation.
Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released. Please note that at this time this workaround only supports Windows NT, Windows 2000, Windows XP, and Windows 2003 and is fully removable.
Patch Location: Download Now!
Patch Version: 1.0.1
Patch Source Code: View