Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability
BID:17196
Info
Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability
| Bugtraq ID: | 17196 |
| Class: | Design Error |
| CVE: |
CVE-2006-1359 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 22 2006 12:00AM |
| Updated: | Apr 17 2006 06:02PM |
| Credit: | Discovered by Joshua Heyer. |
| Vulnerable: |
Microsoft Internet Explorer 5.0.1 SP4 Microsoft Internet Explorer 5.0.1 SP3 Microsoft Internet Explorer 5.0.1 SP2 Microsoft Internet Explorer 5.0.1 SP1 Microsoft Internet Explorer 7.0 beta2 Microsoft Internet Explorer 6.0 SP2 - do not use Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 |
| Not Vulnerable: | |
Discussion
Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability
Microsoft Internet Explorer is susceptible to a remote code-execution vulnerability. This issue is due to a flaw that results in an invalid table-pointer dereference.
Remote attackers may exploit this issue to crash affected browsers or to execute arbitrary machine code in the context of affected users.
Microsoft has reported that this issue does not affect the March 20, 2006 release of Internet Explorer 7 Beta 2 Preview.
Microsoft Internet Explorer is susceptible to a remote code-execution vulnerability. This issue is due to a flaw that results in an invalid table-pointer dereference.
Remote attackers may exploit this issue to crash affected browsers or to execute arbitrary machine code in the context of affected users.
Microsoft has reported that this issue does not affect the March 20, 2006 release of Internet Explorer 7 Beta 2 Preview.
Exploit / POC
Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability
The following HTML content demonstrates this issue by crashing the browser:
<input type="checkbox" id='c'>
<script><!--
r=document.getElementById("c");
a=r.createTextRange();
--></script>
Exploit code is available.
The following HTML content demonstrates this issue by crashing the browser:
<input type="checkbox" id='c'>
<script><!--
r=document.getElementById("c");
a=r.createTextRange();
--></script>
Exploit code is available.
Solution / Fix
Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability
Solution:
The Internet Explorer 7 Beta 2 Preview released on March 20, 2006 is not affected by this vulnerability. Users of earlier Internet Explorer 7 beta releases are advised to upgrade. Updates are not currently available for other Internet Explorer releases.
Microsoft has released a cumulative update to address this issue. Please see the referenced advisories for further information.
Reportedly, the fixes provided in MS06-013 may cause unintended breakage with certain ActiveX controls. Symantec has not confirmed this. Before deploying this patch in production environments, users should thoroughly test the patch to ensure that it doesn't interfere with other software.
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0 SP2 - do not use
Microsoft Internet Explorer 6.0
Solution:
The Internet Explorer 7 Beta 2 Preview released on March 20, 2006 is not affected by this vulnerability. Users of earlier Internet Explorer 7 beta releases are advised to upgrade. Updates are not currently available for other Internet Explorer releases.
Microsoft has released a cumulative update to address this issue. Please see the referenced advisories for further information.
Reportedly, the fixes provided in MS06-013 may cause unintended breakage with certain ActiveX controls. Symantec has not confirmed this. Before deploying this patch in production environments, users should thoroughly test the patch to ensure that it doesn't interfere with other software.
Microsoft Internet Explorer 6.0 SP1
-
Microsoft Cumulative Update for Internet Explorer 6 SP1 (KB912812)
http://www.microsoft.com/downloads/details.aspx?familyid=033C41E1-2B36 -4696-987A-099FC57E0129&displaylang=en
Microsoft Internet Explorer 6.0 SP2 - do not use
-
Microsoft Cumulative Update for Internet Explorer for Windows XP Service Pack 2 (KB912812)
http://www.microsoft.com/downloads/details.aspx?familyid=F05FFB31-E6B4 -4771-81F1-4ACCEBF72133&displaylang=en
Microsoft Internet Explorer 6.0
-
Microsoft Cumulative Update for Internet Explorer 6 SP1 (KB912812)
http://www.microsoft.com/downloads/details.aspx?familyid=033C41E1-2B36 -4696-987A-099FC57E0129&displaylang=en -
Microsoft Cumulative Update for Internet Explorer for Windows Server 2003 (KB912812)
http://www.microsoft.com/downloads/details.aspx?familyid=EE566871-D217 -41D3-BECC-B27FAFA00054&displaylang=en -
Microsoft Cumulative Update for Internet Explorer for Windows Server 2003 64-bit Itanium Edition (KB912812) -
http://www.microsoft.com/downloads/details.aspx?familyid=E584957C-0ABE -4129-ABAF-AA2852AD62A3&displaylang=en -
Microsoft Cumulative Update for Internet Explorer for Windows Server 2003 x64 Edition (KB912812) - English
http://www.microsoft.com/downloads/details.aspx?familyid=5A1C8BE3-39EE -4937-9BD1-280FC35125C6&displaylang=en -
Microsoft Cumulative Update for Internet Explorer for Windows XP Service Pack 2 (KB912812)
http://www.microsoft.com/downloads/details.aspx?familyid=F05FFB31-E6B4 -4771-81F1-4ACCEBF72133&displaylang=en -
Microsoft Cumulative Update for Internet Explorer for Windows XP x64 Edition (KB912812)
http://www.microsoft.com/downloads/details.aspx?familyid=C278FE3E-620A -4BBC-868B-CA2D9EFF7AC3&displaylang=en
References
Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability
References:
References:
- Microsoft Internet Explorer (mshtml.dll) Remote Code Execution (Computer Terrorism)
- Microsoft Security Advisory (917077) (Microsoft)
- Microsoft Security Bulletin MS06-013 (Microsoft)
- Microsoft Technet Security (Microsoft)
- Mozilla Firefox Home Page (Mozilla)
- IE crash (Stelian Ene
- Secunia Research: Microsoft Internet Explorer "createTextRange()" Code Execution (Secunia Research