dH & SECURITY.NNOV: buffer overflow in mshtml.dll
From: 3APA3A (3APA3A@SECURITY.NNOV.RU)Date: 02/14/02
Date: Thu, 14 Feb 2002 11:30:20 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Topic: buffer overflow in mshtml.dll
Authors: ERRor and DarkZorro of domain Hell
3APA3A of SECURITY.NNOV
Date: February, 13 2002
Vendor Informed: December, 20 2001
Software affected: Microsoft Internet Explorer 6.0 and prior
Microsoft Outlook Express 6.0 and prior*
Microsoft Outlook 2000 and prior*
Remote: Yes
Exploitable: Yes
Risk: High
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
Thanks to: Microsoft Security Response Center and CERT for working with us
Andrey Kolishak for helpful additional information on this issue
Description:
mshtml.dll contains a buffer overflow that is triggered while parsing HTML
with embedded ActiveX components. The stack overrun occurs during
concatenation of two Unicode strings. It is possible to exploit this
vulnerability to execute any code of the attacker's choice (we do have
proof-of-concept code; it will be published later with details of the
vulnerability). This overflow can only be exploited if the "Run ActiveX
Controls and Plugins" security option is enabled. *This option is disabled
by default for the Restricted Sites zone. Outlook 2000, and Outlook Express
6.0 and prior with the security update installed, open all mail in this
zone; in all other cases the option is enabled by default.
This bug does not depend on the Windows version.
Workaround:
Make sure the "Run ActiveX Controls and Plugins" option is disabled for
the Internet and Restricted Sites zones in the security options of Internet
Explorer. Check that the security zone for Outlook Express is set to
Restricted Sites.
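An added way to verify the workaround above on a machine (example check, not part of the advisory): the Internet Explorer zone settings live in the registry under Zones\3 (Internet) and Zones\4 (Restricted Sites), and DWORD value 1200 is "Run ActiveX controls and plug-ins" (0 = Enable, 1 = Prompt, 3 = Disable). Both HKCU and HKLM are read because machine policy can make the HKLM values the effective ones; the Outlook Express zone selection is per identity and is not covered here.

```powershell
# Added check for the advisory's workaround; not code from SECURITY.NNOV.
# Zone numbering and the 1200 setting are Internet Explorer's own conventions.
$zones   = @{ 3 = 'Internet'; 4 = 'Restricted Sites' }
$setting = '1200'   # "Run ActiveX controls and plug-ins"

$results = foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($id in $zones.Keys) {
        $path  = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id"
        $value = (Get-ItemProperty -Path $path -Name $setting -ErrorAction SilentlyContinue).$setting

        # Interpret the stored value against the advisory's workaround.
        $status = if ($null -eq $value) { 'not set in this hive' }
                  elseif ($value -eq 0) { 'ENABLED - exposed to this bug' }
                  elseif ($value -eq 1) { 'PROMPT - only partial mitigation' }
                  elseif ($value -eq 3) { 'DISABLED - matches the workaround' }
                  else { "unexpected value $value" }

        [pscustomobject]@{
            Hive   = $hive
            Zone   = $zones[$id]
            Value  = $value
            Status = $status
        }
    }
}

$results | Format-Table -AutoSize

# Flag any zone that still allows ActiveX to run silently.
$exposed = $results | Where-Object { $_.Value -eq 0 }
if ($exposed) {
    Write-Warning "ActiveX controls and plug-ins are still enabled in: $($exposed.Zone -join ', ')"
}
```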
Vendor and Solution:
Microsoft was notified on December, 20 2001. On February, 11 2002
Microsoft released advisory MS02-005 and cumulative patch q316059 for
Microsoft Internet Explorer
http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp
-- http://www.security.nnov.ru