[VulnWatch] Internet Explorer Plugin.ocx heap overflow (#NISR24042003)

From: NGSSoftware Insight Security Research (nisr@nextgenss.com)
Date: 04/24/03

  • Next message: KF: "[VulnWatch] SRT2003-04-24-1532 - Options Parsing Tool library buffer overflows."
    From: "NGSSoftware Insight Security Research" <nisr@nextgenss.com>
    To: <ntbugtraq@listserv.ntbugtraq.com>, <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>
    Date: Thu, 24 Apr 2003 17:14:59 +0100
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Internet Explorer ActiveX Control Heap Overflow
    Systems Affected: IE 5.01 SP3, 5.5 SP2, 6.0 Gold, 6.0 SP1
    Severity: Critical Risk
    Category: Heap Overflow
    Vendor URL: http://www.microsoft.com
    Author: Mark Litchfield (mark@ngssoftware.com)
    Date: 24th April 2003
    Advisory number: #NISR24042003

    Description
    ***********
    Internet Explorer is the most popular web browser in use by the internet
    community with a reported 95% user base of internet users. IE suffers from a
    heap based buffer overflow vulnerability that can be exploited via e-mail or
    by viewing a web page.

    Details
    *******
    There is an exploitable heap overflow vulnerability in Microsoft's ActiveX
    control, Plugin.ocx. By default, plugin.ocx is marked safe for scripting,
    and as such, if an IE user were to visit a malicious web page, the overflow
    could be triggered allowing for a "remote" compromise of the user's machine.
    Alternatively, an attacker could send their target a specially crafted
    e-mail, loaded with an exploit to take advantage of this vulnerability. The
    problem arises by passing an overly long string to the Load method of the
    control.

    Fix Information
    ***************
    NGSSoftware alerted Microsoft to this vulnerability on 13th December 2002.
    The patch information is available from
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
    bulletin/MS03-015.asp

    Further Information
    *******************
    For further information about the scope and effects of buffer overflows,
    please see

    http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security
    assessments.

    http://www.ngssoftware.com/
    http://www.ngsconsulting.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com


  • Next message: KF: "[VulnWatch] SRT2003-04-24-1532 - Options Parsing Tool library buffer overflows."

    Relevant Pages