[NT] Internet Explorer Memory Corruption Bug

From: SecuriTeam (support_at_securiteam.com)
Date: 07/05/04

    To: list@securiteam.com
    Date: 5 Jul 2004 15:28:36 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Internet Explorer Memory Corruption Bug
    ------------------------------------------------------------------------

    SUMMARY

    Internet Explorer is Microsoft's core browser; it is part of every
    Windows operating system and is currently the dominant browser worldwide.
    Internet Explorer is vulnerable to a DoS condition through the use of an
    invalid CSS tag. Parsing this invalid CSS tag corrupts the browser's
    memory image and causes it to crash.

    DETAILS

    Vulnerable Systems:
     * Internet Explorer versions 5.x up to SP3 inclusive
     * Internet Explorer versions up to 6.1 SP1 inclusive

    Immune Systems:
     * Internet Explorer version 5 SP4

    The vulnerability allows a malicious web page to crash Internet Explorer
    by causing it to parse the CSS tag of the main page. A mere 11-byte HTML
    page is needed to exploit the denial of service condition. Any vulnerable
    version of Internet Explorer that parses the malicious page will get its
    memory image corrupted.

    The vulnerability does not allow any code execution on the client browser
    or system and poses no damage other than crashing the browser. Internet
    Explorer has more than one problem with Cascading Style Sheets (CSS), but
    this one is particularly simple to trigger.

    A page has to contain nothing but the following style tag in order to
    crash the vulnerable versions of IE:
    <STYLE>@;/*

    It is worth noting that other HTML tags in the page are not necessary and
    this alone is enough to trigger the vulnerability. Ecqurity has provided a
    sample page for convenience containing the malicious combination that
    could be used to test your version of IE. It can be found at
    http://www.ecqurity.com/adv/11.html
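    The trigger above is short enough to be matched by a content filter. The following is an added example, not part of the SecuriTeam bulletin: a constructed Python check for a proxy, mail gateway or IDS that already holds the HTML body, flagging any style block whose CSS contains the `@;/*` sequence (an empty at-rule followed by a comment opener) regardless of whether the element or the comment is closed, since the bulletin states the bare 11-byte page alone suffices. Function names and sample pages are constructed for this example.

```python
"""Content-inspection check for the malformed IE CSS trigger in the advisory.
Added example, not SecuriTeam's or Ecqurity's code; names and samples are
constructed here."""
import re

# Opening <style ...> tag, any case, with or without attributes.
STYLE_OPEN = re.compile(r"<style\b[^>]*>", re.IGNORECASE)
STYLE_CLOSE = re.compile(r"</style\s*>", re.IGNORECASE)
# Empty at-rule ("@;") followed by a CSS comment opener.  Valid CSS never
# contains "@;" (an at-rule must be followed by an identifier), so the
# false-positive rate on real stylesheets is negligible.  Optional whitespace
# is tolerated as a deliberate widening beyond the advisory's exact bytes.
BAD_CSS = re.compile(r"@\s*;\s*/\*")


def style_bodies(html: str):
    """Yield the CSS text of every <style> element.  An unclosed element runs
    to end-of-document, which is exactly the advisory's 11-byte case."""
    for m in STYLE_OPEN.finditer(html):
        start = m.end()
        close = STYLE_CLOSE.search(html, start)
        yield html[start:close.start() if close else len(html)]


def has_ie_css_crash_pattern(html: str) -> bool:
    """True if any <style> block carries the @;/* sequence."""
    return any(BAD_CSS.search(body) for body in style_bodies(html))


def scan(pages: dict) -> list:
    """Return the names of the pages that match, for logging or alerting."""
    return [name for name, body in pages.items() if has_ie_css_crash_pattern(body)]


# Constructed samples; the first is the advisory's own trigger verbatim.
SAMPLES = {
    "bare_trigger": "<STYLE>@;/*",
    "wrapped_in_page": "<html><head><style type='text/css'>\n@;/* x */ body{}</style></head></html>",
    "benign_comment": "<style>/* site styles */ body { margin: 0 }</style>",
    "benign_at_rule": "<style>@import url(a.css); /* ok */</style>",
    "no_style": "<p>@;/* not inside a style element */</p>",
}

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("ALERT: malformed IE CSS trigger in", name)
```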

    ADDITIONAL INFORMATION

    The information has been provided by Phuong Nguyen <dphuong@yahoo.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

