Microsoft Internet Explorer Nested OBJECT Tag Memory Corruption Vulnerability
BID:17658
Info
| Bugtraq ID: | 17658 |
| Class: | Unknown |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 22 2006 12:00AM |
| Updated: | Apr 24 2006 05:56PM |
| Credit: | Michal Zalewski <[email protected]> is credited with the discovery of this vulnerability. |
| Vulnerable: | Microsoft Internet Explorer 6.0 SP2 - do not use |
| Not Vulnerable: | |
Discussion
Microsoft Internet Explorer is prone to a memory-corruption vulnerability. The issue is due to a flaw in how the application handles nested OBJECT tags in HTML content.
An attacker could exploit this issue via a malicious web page to potentially execute arbitrary code in the context of the currently logged-in user, but this has not been confirmed. Exploit attempts likely result in crashing the affected application. Attackers could exploit this issue through HTML email/newsgroup postings or through other applications that employ the affected component.
Microsoft Internet Explorer 6 for Microsoft Windows XP SP2 is reportedly vulnerable to this issue; other versions may also be affected.
Exploit / POC
The following command generates HTML content sufficient to crash applications that use 'mshtml.dll':
perl -e '{print "<STYLE></STYLE>\n<OBJECT>\nBork\n"x32}' >test.html
The referenced proof-of-concept HTML content is sufficient to demonstrate this issue with several differing results.
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]
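As an added example (not part of the original advisory and not vendor tooling), a mail or web content filter could measure OBJECT nesting in inbound HTML before it reaches a component that uses 'mshtml.dll'. The names `ObjectDepthScanner` and `scan_html` and the threshold `MAX_OBJECT_DEPTH` are assumptions chosen for illustration; the sample inputs are constructed.

```python
from html.parser import HTMLParser

# Assumption: legitimate pages nest OBJECT only a few levels deep (fallback
# content). The limit is a tunable, not a value taken from the advisory.
MAX_OBJECT_DEPTH = 8


class ObjectDepthScanner(HTMLParser):
    """Tracks how deeply OBJECT elements nest and how many are left open."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.depth = 0        # OBJECT elements currently open
        self.max_depth = 0    # deepest nesting seen so far

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag names, so <OBJECT> arrives as "object".
        if tag == "object":
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)

    def handle_endtag(self, tag):
        if tag == "object" and self.depth > 0:
            self.depth -= 1


def scan_html(markup, limit=MAX_OBJECT_DEPTH):
    """Return nesting statistics and a verdict for one HTML document."""
    scanner = ObjectDepthScanner()
    scanner.feed(markup)
    scanner.close()
    return {
        "max_depth": scanner.max_depth,
        "unclosed": scanner.depth,
        "suspicious": scanner.max_depth > limit,
    }


# Constructed samples: the first repeats the pattern printed by the command
# above, the second is ordinary OBJECT fallback nesting.
POC_LIKE = "<STYLE></STYLE>\n<OBJECT>\nBork\n" * 32
BENIGN = '<object data="a.swf"><object data="a.png">text</object></object>'

if __name__ == "__main__":
    for name, doc in (("poc-like", POC_LIKE), ("benign", BENIGN)):
        print(name, scan_html(doc))
```

A filter built this way would quarantine or strip documents whose verdict is `suspicious` rather than pass them to the rendering component.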
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- Mozilla Firefox Home Page (Mozilla)
- MSIE (mshtml.dll) OBJECT tag vulnerability (Michal Zalewski)