[NT] Buffer Overflow Found in MSHTML.DLL
From: support@securiteam.com
Date: 02/15/02
From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 15 Feb 2002 22:15:46 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflow Found in MSHTML.DLL
------------------------------------------------------------------------
SUMMARY
MSHTML.DLL contains a buffer overflow in its parsing of HTML with embedded
ActiveX components. The stack overrun occurs during the concatenation of
two Unicode strings. The vulnerability can be exploited to execute any
code of the attacker's choice (proof-of-concept code exists and will be
published later together with details of the vulnerability). The overflow
can only be exploited if the "Run ActiveX Controls and Plugins" security
option is enabled.
This option is disabled by default for the Restricted Sites zone (Outlook
2000, Outlook Express 6.0, and prior versions with the security update
installed open all mail in this zone), but is enabled by default in all
other cases. This bug does not depend on the Windows version.
DETAILS
Vulnerable systems:
Microsoft Internet Explorer 6.0 and prior
Microsoft Outlook Express 6.0 and prior
Microsoft Outlook 2000 and prior
Workaround:
Make sure the "Run ActiveX Controls and Plugins" option is disabled for
the Internet and Restricted Sites zones in the security options of
Internet Explorer. Check that the security zone for Outlook Express is set
to Restricted Sites.
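One way to audit the Internet Explorer part of this workaround on a Windows host, as an added example that is not part of the original advisory. It assumes PowerShell and the standard zone registry layout (URL action 1200 is "Run ActiveX controls and plug-ins", zone 3 is Internet, zone 4 is Restricted Sites, value 3 means Disable); it does not check the Outlook Express zone setting.

```powershell
# Added example: report the "Run ActiveX controls and plug-ins" setting
# (URL action 1200) for the Internet and Restricted Sites zones.
$ActionRunActiveX = '1200'
$Disabled = 3
$zones  = [ordered]@{ '3' = 'Internet'; '4' = 'Restricted Sites' }
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Administrator approved' }

# Every location that can carry a zone setting: machine and user policy,
# then the per-user and per-machine preferences. This audit reports each
# location separately and does not compute which one takes precedence.
$settings = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots = @(
    "HKLM:\Software\Policies\$settings",
    "HKCU:\Software\Policies\$settings",
    "HKCU:\Software\$settings",
    "HKLM:\Software\$settings"
)

$results = foreach ($root in $roots) {
    foreach ($zone in $zones.Keys) {
        $key  = Join-Path $root $zone
        $item = Get-ItemProperty -Path $key -Name $ActionRunActiveX -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value not present here
        $value = [int]$item.$ActionRunActiveX
        [pscustomobject]@{
            Zone            = $zones[$zone]
            Key             = $key
            Setting         = if ($labels.ContainsKey($value)) { $labels[$value] } else { "Unknown ($value)" }
            MeetsWorkaround = ($value -eq $Disabled)
        }
    }
}

$results | Format-Table -AutoSize -Wrap

# A zone with no explicit value anywhere falls back to the product default,
# which the advisory says is "enabled" outside Restricted Sites.
foreach ($name in $zones.Values) {
    if (-not ($results | Where-Object { $_.Zone -eq $name })) {
        Write-Warning "No explicit value for zone '$name'; the default applies."
    }
}

$failing = @($results | Where-Object { -not $_.MeetsWorkaround })
if ($failing.Count -gt 0) {
    Write-Warning "$($failing.Count) location(s) do not have the option disabled."
}
```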
Vendor status and solution:
Microsoft was notified on December 20 2001. On February 11 2002, Microsoft
released advisory MS02-005 and cumulative patch q316059 for Microsoft
Internet Explorer:
http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp
ADDITIONAL INFORMATION
The information has been provided by 3APA3A
<mailto:3APA3A@SECURITY.NNOV.RU>.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.