CERT-In Vulnerability Note
CIVN-2006-0030
Multiple Vulnerabilities in Internet Explorer
Original Issue Date: April 12, 2006
Severity Rating: HIGH
Systems Affected
- Microsoft Internet Explorer 5.0
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 6.x
Overview
Multiple vulnerabilities have been reported in Internet Explorer which could be exploited by a malicious user to perform cross-site scripting or conduct phishing attacks and compromise the affected system.
Description
DHTML Method Call Memory Corruption Vulnerability - CVE-2006-1359
A vulnerability has been reported in the way Microsoft Internet Explorer handles the createTextRange DHTML method, which could allow a remote attacker to execute arbitrary commands on the affected system. For details refer to CIVN-2006-0028.

Multiple Event Handler Memory Corruption Vulnerability - CVE-2006-1245
This vulnerability is caused by an error in the handling of multiple event handlers (e.g. onLoad) in an HTML element. It could be exploited to corrupt memory in such a way that it may allow execution of arbitrary code. This could allow an attacker to get complete control of the system with full user rights.

HTA Execution Vulnerability - CVE-2006-1388
HTML Applications (HTA) are HTML documents that are executed as trusted applications. This vulnerability exists when the process used by Internet Explorer fails to handle HTA files. It could allow an attacker to bypass IE's security checks, execute an HTA application without the user's consent, and execute arbitrary code with the privileges of the logged-in user. Microsoft has suggested un-registering the Mshta.exe file as a workaround.

HTML Parsing Vulnerability - CVE-2006-1185
This vulnerability is caused when Internet Explorer fails to handle a malicious HTML file. When a user opens a malicious HTML file in IE, system memory can be corrupted in such a way that an attacker could execute arbitrary code with the privileges of the logged-in user.

COM Object Instantiation Memory Corruption Vulnerability - CVE-2006-1186
The Component Object Model (COM) allows an object to expose its functionality to other components and to host applications. A vulnerability exists when Internet Explorer instantiates certain COM objects as ActiveX controls. The affected COM objects may corrupt the system state and allow arbitrary code to be executed. This could allow the attacker to get complete control of the system with full user rights.

HTML Tag Memory Corruption Vulnerability - CVE-2006-1188
This vulnerability is caused when Internet Explorer fails to handle a malicious HTML tag. When a user opens an HTML file containing malicious HTML tags in IE, system memory can be corrupted in such a way that an attacker could execute arbitrary code with the privileges of the logged-in user.

Double-Byte Character Parsing Memory Corruption Vulnerability - CVE-2006-1189
Double-Byte Character Sets (DBCS) are an expanded 8-bit character set where the smallest unit is a byte. This vulnerability exists when Internet Explorer fails to handle double-byte characters in URLs. It could be exploited to corrupt memory in such a way that it may allow execution of arbitrary code on the affected system with the privileges of the logged-in user.

Script Execution Vulnerability - CVE-2006-1190
This vulnerability is due to an error in the way IOleClientSite information is returned when an embedded object is dynamically created. The IOleClientSite interface is the primary means by which an embedded object obtains information about the location and extent of its display site, its moniker, its user interface, and other resources provided by its container. Successful exploitation of this vulnerability may allow the object to use the returned IOleClientSite information to make an incorrect security-related decision and run in the context of the wrong site or the wrong Internet Explorer security zone.

Cross-Domain Information Disclosure Vulnerability - CVE-2006-1191
An information disclosure vulnerability exists in the way Internet Explorer handles script that runs in a browser window after a navigation to another site has been performed. This vulnerability could potentially lead to information disclosure or spoofing attacks and allows an attacker to read cookies and data from another domain.

Address Bar Spoofing Vulnerability - CVE-2006-1192
A vulnerability has been reported in Microsoft Internet Explorer due to a race condition in the loading of web content and Flash Format files (".swf") in browser windows. This vulnerability could be exploited by a malicious user to spoof the contents of the address bar. For details refer to civn-2006-29.
Workaround
- Disable Active Scripting or configure Internet Explorer to prompt before running Active Scripting.
- Add trusted sites to Internet Explorer's Trusted sites zone.
- Exercise caution while visiting untrusted websites.
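The Active Scripting workaround can be verified from exported settings. The following is an added example, not part of this note or of Microsoft's bulletin: it parses a regedit export of the per-user Internet Settings zones and reports untrusted zones where Active Scripting (URL action 1400) is neither set to prompt (1) nor disabled (3). The sample export is constructed and the function names are this example's own; policy keys that may override the per-user values are not examined.

```python
import re

# Constructed sample of a regedit export (not taken from any real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1200"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
'''

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
ACTIONS = {0: "enabled", 1: "prompt", 3: "disabled"}
ACTIVE_SCRIPTING = "1400"  # URL action id for Active Scripting

KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"(\w+)"=dword:([0-9a-f]{8})$', re.I)

def parse_zone_settings(text):
    """Return {zone_number: {value_name: int}} from a .reg export."""
    zones, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = int(m.group(1)) if m else None  # ignore unrelated keys
            if current is not None:
                zones.setdefault(current, {})
        elif current is not None:
            m = VAL_RE.match(line)
            if m:
                zones[current][m.group(1)] = int(m.group(2), 16)
    return zones

def audit_active_scripting(text, untrusted=(3, 4)):
    """List (zone, state) where scripting is not set to prompt or disabled."""
    zones = parse_zone_settings(text)
    findings = []
    for z in untrusted:
        setting = zones.get(z, {}).get(ACTIVE_SCRIPTING)
        if setting not in (1, 3):  # absent value: zone default applies, flag it
            findings.append((ZONES.get(z, str(z)), ACTIONS.get(setting, "not set")))
    return findings
```
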
Solution
Apply the appropriate patch as mentioned in Microsoft Security Bulletin MS06-013.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
CVE Name
CVE-2006-1245
CVE-2006-1359
CVE-2006-1388
CVE-2006-1185
CVE-2006-1186
CVE-2006-1188
CVE-2006-1189
CVE-2006-1190
CVE-2006-1191
CVE-2006-1192
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India