[VulnWatch] Secunia Research: Microsoft Internet Explorer "createControlRange()" Memory Corruption

From: Andreas Sandblad (as_at_secunia.com)
Date: 02/11/05

    To: vuln@secunia.com
    Date: Fri, 11 Feb 2005 16:41:39 +0100
    
    

    ======================================================================

                         Secunia Research 09/02/2005

     Microsoft Internet Explorer "createControlRange()" Memory Corruption

    ======================================================================
    Table of Contents

    Affected Software....................................................1
    Severity.............................................................2
    Description of Vulnerability.........................................3
    Solution.............................................................4
    Time Table...........................................................5
    Credits..............................................................6
    References...........................................................7
    About Secunia........................................................8
    Verification.........................................................9

    ======================================================================
    1) Affected Software

    Microsoft Internet Explorer 5.01, 5.5 and 6

    ======================================================================
    2) Severity

    Rating: Highly critical
    Impact: System access
    Where: From remote

    ======================================================================
    3) Description of Vulnerability

    Secunia Research has discovered a vulnerability in Internet Explorer,
    which can be exploited by malicious people to compromise a user's
    system.

    The vulnerability is caused by an input validation error in the
    JavaScript function "createControlRange()". This can be exploited by
    e.g. a malicious website to cause heap memory corruption, where
    program flow is redirected to the heap.

    Successful exploitation allows execution of arbitrary code.

    The vulnerability has been confirmed on a fully patched system
    (without MS05-014) with Internet Explorer 6.0 and
    Microsoft Windows XP SP2.

    ======================================================================
    4) Solution

    Microsoft has released patches (see MS05-014 for details).

    ======================================================================
    5) Time Table

    29/10/2004 - Vulnerability discovered.
    04/11/2004 - Vendor notified.
    30/11/2004 - Vendor confirms the vulnerability.
    09/02/2005 - Public disclosure.

    ======================================================================
    6) Credits

    Discovered by Andreas Sandblad, Secunia Research.

    ======================================================================
    7) References

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    candidate number CAN-2005-0055 for the vulnerability.

    MS05-014 (KB867282):
    http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx

    US-CERT VU#843771:
    http://www.kb.cert.org/vuls/id/843771

    ======================================================================
    8) About Secunia

    Secunia collects, validates, assesses, and writes advisories regarding
    all the latest software vulnerabilities disclosed to the public. These
    advisories are gathered in a publicly available database at the
    Secunia web site:

    http://secunia.com/

    Secunia offers services to our customers enabling them to receive all
    vulnerability information relevant to their specific system
    configuration.

    Secunia offers a FREE mailing list called Secunia Security Advisories:

    http://secunia.com/secunia_security_advisories/

    ======================================================================
    9) Verification

    Please verify this advisory by visiting the Secunia web site:
    http://secunia.com/secunia_research/2004-12/advisory/

    ======================================================================

