[NT] Internet Explorer HTML Objects Memory Corruption Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 10 May 2007 15:41:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Internet Explorer HTML Objects Memory Corruption Vulnerability
------------------------------------------------------------------------
SUMMARY
Internet Explorer 7 provides "improved navigation through tabbed browsing,
web search right from the toolbar, advanced printing, easy discovery,
reading and subscription to RSS feeds, and much more". Secunia Research
has discovered a vulnerability in Internet Explorer, which can be
exploited by malicious people to compromise a vulnerable system.
DETAILS
The vulnerability in Internet Explorer is caused due to an error in the
handling of HTML objects as a CMarkup object is used in certain cases
after it has been freed. This can be exploited to corrupt memory via a
specially crafted web page.
Successful exploitation allows execution of arbitrary code.
Solution:
Apply patches (see the Microsoft security bulletin for details):
<http://www.microsoft.com/technet/security/Bulletin/MS07-027.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS07-027.mspx
Time Table:
18/01/2007 - Vendor notified.
19/01/2007 - Vendor response.
09/05/2007 - Public disclosure.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0947>
CVE-2007-0947
ADDITIONAL INFORMATION
The information has been provided by <mailto:vuln@xxxxxxxxxxx> Secunia
Research.
The original article can be found at:
<http://secunia.com/secunia_research/2007-36/>
http://secunia.com/secunia_research/2007-36/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] BearShare NCTAudioFile2 ActiveX Control Buffer Overflow
- Next by Date: [UNIX] AFFLIB Multiple Buffer Overflows
- Previous by thread: [NT] BearShare NCTAudioFile2 ActiveX Control Buffer Overflow
- Next by thread: [UNIX] AFFLIB Multiple Buffer Overflows
- Index(es):
Relevant Pages
- [NT] Comodo DLL Injection via Weak Hash Function Exploitation Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Comodo DLL Injection via
Weak Hash Function Exploitation Vulnerability ... register unsigned long crc; ...
This program assumes that Internet Explorer is a privileged application ... (Securiteam) - [NT] Microsoft Internet Explorer Property Memory Corruption Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Internet Explorer
Property Memory Corruption Vulnerability ... (Securiteam) - [NT] Microsoft License Manager and urlmon.dll COM Object Interaction Invalid Memory Access Vulnerabi
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Internet Explorer is "a
set of core technologies in Microsoft Windows ... exploitation of an invalid memory access
vulnerability in various ... COM objects may allow an attacker to execute arbitrary code.
... (Securiteam) - [NT] Multiple Vulnerabilities in Internet Explorer (Heap Corruption, Race Condition)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The heap corruption and race condition
in Internet Explorer allow ... * Windows XP Professional with Service Pack 2 ...
Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows ... (Securiteam) - [NT] Microsoft Internet Explorer Multiple Vulnerabilities (Content-Disposition, codebase)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Internet Explorer, which
can be exploited by malicious people to disclose ... The vulnerability of "Content-Disposition"
is caused due to insufficient ... in context of the "Temporary Internet Files" folder when
a user clicks on ... (Securiteam)
