SecurityvulnsSECURITYVULNS:DOC:7800[Full-Disclosure] Secunia Research: Microsoft Internet Explorer "createControlRange()" Memory Corruption
======================================================================
Secunia Research 09/02/2005
Microsoft Internet Explorer "createControlRange()" Memory Corruption
======================================================================
Table of Contents
Affected Software…1
Severity…2
Description of Vulnerability…3
Solution…4
Time Table…5
Credits…6
References…7
About Secunia…8
Verification…9
======================================================================
1) Affected Software
Microsoft Internet Explorer 5.01, 5.5 and 6
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: From remote
======================================================================
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in Internet Explorer,
which can be exploited by malicious people to compromise a user's
system.
The vulnerability is caused due to an input validation error in the
javascript function "createControlRange()". This can be exploited by
e.g. a malicious website to cause a heap memory corruption situation
where the program flow is redirected to the heap.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed on a fully patched system
(without MS05-014) with Internet Explorer 6.0 and
Microsoft Windows XP SP2.
======================================================================
4) Solution
Microsoft has released patches (see MS05-014 for details).
======================================================================
5) Time Table
29/10/2004 - Vulnerability discovered.
04/11/2004 - Vendor notified.
30/11/2004 - Vendor confirms the vulnerability.
09/02/2005 - Public disclosure.
======================================================================
6) Credits
Discovered by Andreas Sandblad, Secunia Research.
======================================================================
7) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
candidate number CAN-2005-0055 for the vulnerability.
MS05-014 (KB867282):
http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx
US-CERT VU#843771:
http://www.kb.cert.org/vuls/id/843771
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia web site:
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2004-12/advisory/
======================================================================
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
