[NT] Internet Explorer Memory Corruption Bug
From: SecuriTeam (support_at_securiteam.com)
Date: 07/05/04
To: list@securiteam.com
Date: 5 Jul 2004 15:28:36 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Internet Explorer Memory Corruption Bug
------------------------------------------------------------------------
SUMMARY
Internet Explorer is Microsoft's core browser, a part of any Windows
operating system, and is currently the dominant browser in the world.
Internet Explorer is vulnerable to a DoS condition through the use of an
invalid CSS tag. Parsing this invalid CSS tag corrupts the browser's
memory image, causing it to crash.
DETAILS
Vulnerable Systems:
* Internet Explorer versions 5.x up to SP3 inclusive
* Internet Explorer versions up to 6.1 SP1 inclusive
Immune Systems:
* Internet Explorer version 5 SP4
The vulnerability allows a malicious web page to crash Internet Explorer
by causing it to parse the CSS tag of the main page. A mere 11-byte HTML
page is needed to exploit the denial of service condition. Any vulnerable
version of Internet Explorer that parses the malicious page will get its
memory image corrupted.
The vulnerability does not allow any code execution on the client browser
or system and causes no damage other than crashing the browser. Internet
Explorer has more than one problem with Cascading Style Sheets (CSS), but
this one is particularly simple to exploit.
A page has to contain nothing but the following style tag in order to
crash the vulnerable versions of IE:
<STYLE>@;/*
It is worth noting that other HTML tags in the page are not necessary and
this alone is enough to trigger the vulnerability. Ecqurity has provided a
sample page for convenience containing the malicious combination that
could be used to test your version of IE. It can be found at
http://www.ecqurity.com/adv/11.html.
ADDITIONAL INFORMATION
The information has been provided by Phuong Nguyen <dphuong@yahoo.com>.
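A defensive content check for the malformed STYLE block shown in DETAILS, as an added example that is not part of the original advisory. The advisory does not say which part of the tag triggers the crash, so the hypothetical helpers below (`style_blocks`, `strip_comments`, `findings`) report each malformed feature of the sample separately; the at-sign test is a heuristic and the benign sample is constructed.

```python
import re

STYLE_OPEN = re.compile(r"<style\b[^>]*>", re.IGNORECASE)
STYLE_CLOSE = re.compile(r"</style\s*>", re.IGNORECASE)
# Heuristic: an '@' not followed by an at-keyword name ("@;" rather than "@import").
EMPTY_AT_RULE = re.compile(r"@(?![A-Za-z_\\-])")

def style_blocks(html):
    """Yield (css_text, closed) for each STYLE element; closed is False at EOF."""
    pos = 0
    while True:
        m = STYLE_OPEN.search(html, pos)
        if not m:
            return
        end = STYLE_CLOSE.search(html, m.end())
        if not end:
            yield html[m.end():], False
            return
        yield html[m.end():end.start()], True
        pos = end.end()

def strip_comments(css):
    """Remove /* ... */ comments; also report whether one was left unterminated."""
    out, pos = [], 0
    while True:
        start = css.find("/*", pos)
        if start == -1:
            return "".join(out) + css[pos:], False
        out.append(css[pos:start])
        stop = css.find("*/", start + 2)
        if stop == -1:
            return "".join(out), True
        pos = stop + 2

def findings(html):
    """List the malformed-CSS features found, in document order."""
    reasons = []
    for css, closed in style_blocks(html):
        body, open_comment = strip_comments(css)
        checks = [(EMPTY_AT_RULE.search(body), "at-rule with no name"),
                  (open_comment, "unterminated comment"),
                  (not closed, "unclosed STYLE element")]
        reasons += [label for hit, label in checks if hit]
    return reasons

SAMPLE_BAD = "<STYLE>@;/*"  # the tag quoted in the advisory
SAMPLE_OK = '<style>@import url("a.css"); /* ok */ p { color: red }</style>'  # constructed
if __name__ == "__main__":
    print(findings(SAMPLE_BAD), findings(SAMPLE_OK))
```

A filtering proxy or mail gateway could log or block pages for which `findings` returns all three reasons together, and only log the individual ones, since an unterminated comment alone also occurs in ordinary sloppy markup.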