[NT] Microsoft Internet Explorer Legacy Text Control Buffer Overflow

From: support@securiteam.com
Date: 08/27/02

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 27 Aug 2002 08:55:45 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Microsoft Internet Explorer Legacy Text Control Buffer Overflow


Microsoft® ActiveX® controls, formerly known as OLE controls or OCX
controls, are components (or objects) you can insert into a Web page or
other application to reuse packaged functionality someone else programmed.
Whether you use an ActiveX control or a Java object, Microsoft Visual
Basic Scripting Edition and Microsoft Internet Explorer handle it the
same way.


An unchecked buffer exists in the ActiveX control used to display
specially formatted text. It could be exploited by encouraging an
unsuspecting user to visit a malicious web page that includes the code
below.

<PARAM NAME="Angle" VALUE="90">
<PARAM NAME="Alignment" VALUE="4">
<PARAM NAME="BackStyle" VALUE="0">
<PARAM NAME="Caption" VALUE="long char string">
<PARAM NAME="FontName" VALUE="NGS Software Font">
<PARAM NAME="FontSize" VALUE="50">
<PARAM NAME="FontBold" VALUE="1">
<PARAM NAME="FrColor" VALUE="0">

(Note: the letter O has been replaced with a 0.)

By supplying an overly long value for the "Caption" parameter, a saved
return address stored on the stack will be overwritten, allowing an
attacker to gain control of Internet Explorer's path of execution.
Arbitrary code would then execute in the context of the logged-on user. By
sending the intended target a specially crafted e-mail, or by enticing them
to a malicious website, an attacker will be able to gain remote control of
that user's desktop.
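
The bug class described above, shown as an added C example (not code from the advisory, NGSSoftware or Microsoft): an unchecked copy of a page-supplied "Caption" value into a fixed stack buffer, beside a checked setter that rejects oversized values. The names `text_ctl`, `caption_len_unchecked`, `set_caption_checked` and the size `CAPTION_MAX` are hypothetical; the advisory does not state the real buffer length.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size: the advisory does not state the real buffer length. */
#define CAPTION_MAX 128

/* Hypothetical stand-in for the control's state, not Microsoft's code. */
typedef struct {
    char caption[CAPTION_MAX];
} text_ctl;

/* The unchecked pattern the advisory describes: the copy length is decided
 * by the page-supplied value, so anything of CAPTION_MAX bytes or more
 * runs past buf into adjacent stack data (saved return address included). */
size_t caption_len_unchecked(const char *value)
{
    char buf[CAPTION_MAX];
    strcpy(buf, value);                   /* no length check */
    return strlen(buf);
}

/* Checked form: measure at most CAPTION_MAX bytes, reject anything that
 * does not fit with its terminator, and leave the old caption untouched.
 * Returns 0 on success, -1 on rejection. */
int set_caption_checked(text_ctl *ctl, const char *value)
{
    size_t n = 0;
    if (ctl == NULL || value == NULL)
        return -1;
    while (n < CAPTION_MAX && value[n] != '\0')
        n++;
    if (n == CAPTION_MAX)                 /* no terminator within the limit */
        return -1;
    memcpy(ctl->caption, value, n + 1);   /* n + 1 <= CAPTION_MAX */
    return 0;
}

int main(void)
{
    text_ctl ctl = { "default" };
    char big[CAPTION_MAX * 4];            /* constructed oversized value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short: %d\n", set_caption_checked(&ctl, "NGS test caption"));
    printf("long:  %d\n", set_caption_checked(&ctl, big));
    printf("kept:  %s\n", ctl.caption);
    return 0;
}
```

Rejecting the value outright, rather than silently truncating it, keeps the control's state predictable and gives the host a clear failure to log.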

Fix Information:
NGSSoftware alerted Microsoft to these problems on 29 April 2002.
NGSSoftware highly recommends installing the Microsoft patch found at
http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp.


The information has been provided by NGSSoftware Insight Security
Research <mailto:nisr@nextgenss.com>.

