[NT] Internet Explorer DBCS Remote Memory Corruption (MS06-013)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Internet Explorer DBCS Remote Memory Corruption (MS06-013)
------------------------------------------------------------------------


SUMMARY

This vulnerability affects systems that use Double-Byte Character Sets
(DBCS), that is, Windows language versions built on a DBCS language.
Examples of languages that use DBCS are Chinese, Japanese, and Korean.
Customers using other language versions of Windows might also be affected
if "Language for non-Unicode programs" has been set to a Double-Byte
Character Set language.

This vulnerability could allow an attacker to execute arbitrary code on
the victim's system when the victim visits a web page or views an HTML
email message. This attack may be utilized wherever IE parses HTML, such
as webpages, email, newsgroups, and within applications utilizing
web-browsing functionality.

DETAILS

Products affected:
* Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service
Pack 4 and Microsoft Windows XP Service Pack 1
* Internet Explorer 6 for Microsoft Windows XP Service Pack 2
* Internet Explorer 6 for Microsoft Windows Server 2003
* Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, Microsoft
Windows 98 SE, and Microsoft Windows Millennium Edition
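
The two conditions named above (Internet Explorer 6 and a DBCS setting for "Language for non-Unicode programs") can be checked locally. The script below is an added example, not part of the original advisory; the function name Get-Ms06013Scope is hypothetical, and it assumes a host where PowerShell is available and the standard registry locations for the system ANSI code page and the IE version string.

```powershell
# Added example (not from the advisory): checks the two conditions the
# advisory names, Internet Explorer 6 and a DBCS system code page.

# Windows ANSI code pages that are double-byte character sets.
$DbcsCodePages = @{
    932 = 'Japanese (Shift-JIS)'
    936 = 'Simplified Chinese (GBK)'
    949 = 'Korean'
    950 = 'Traditional Chinese (Big5)'
}

function Get-Ms06013Scope {   # hypothetical helper name
    # "Language for non-Unicode programs" is stored as the system ANSI
    # code page (ACP), independent of the Windows UI language.
    $nls = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Nls\CodePage'
    $acp = [int]$nls.ACP
    $isDbcs = $DbcsCodePages.ContainsKey($acp)

    # Installed Internet Explorer version string (6.x is the affected line).
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' `
              -ErrorAction SilentlyContinue
    $ieVersion = if ($ie) { $ie.Version } else { $null }
    $isIe6 = [bool]($ieVersion -and ($ieVersion -match '^6\.'))

    $language = if ($isDbcs) { $DbcsCodePages[$acp] } else { 'single-byte' }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        AnsiCodePage = $acp
        Language     = $language
        IsDbcs       = $isDbcs
        IEVersion    = $ieVersion
        # In scope only when both conditions from the advisory hold.
        InScope      = ($isDbcs -and $isIe6)
    }
}

Get-Ms06013Scope | Format-List
```

InScope only reflects the locale and browser version; it does not tell you whether the MS06-013 update is already installed.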

URLMON.DLL does not properly validate internationalized domain names (IDN)
containing double-byte character sets (DBCS), which may lead to remote code
execution. Exploiting this vulnerability appears to require considerably
more work, but we believe that exploitation is possible.

Fix:
Microsoft has released an update for Internet Explorer which is set to
address this issue. This can be downloaded from:
http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx

CVE Information:
CVE-2006-1189
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1189

Vendor Response:
* 2005.12.29 - Vendor notified via secure@xxxxxxxxxxxxx
* 2005.12.29 - Vendor responded
* 2006.04.11 - Vendor released MS06-0xx patch
* 2006.04.11 - Advisory released

References:
1. http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx
2. http://www.nsfocus.com/english/homepage/research/0008.htm
3. http://xforce.iss.net/xforce/xfdb/5729
4. http://www.securityfocus.com/bid/2100/discuss
5. http://www.inter-locale.com/whitepaper/IUC27-a303.html
6. http://blogs.msdn.com/michkap/archive/2005/10/28/486034.aspx
7. [Mozilla Firefox IDN "Host:" Buffer Overflow]
http://www.security-protocols.com/advisory/sp-x17-advisory.txt
8. [Mozilla Firefox 1.5 Beta 1 IDN Buffer Overflow]
http://www.security-protocols.com/advisory/sp-x18-advisory.txt
9. http://72.14.203.104/search?q=cache:Dxn-V4fil1IJ:developer.novell.com/research/devnotes/1995/may/02/05.htm


ADDITIONAL INFORMATION

The original article can be found at:
http://secway.org/advisory/AD20060411.txt


