Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Another patch for createrange vuln



> ------------------------------
> 
> Message: 2
> Date: Mon, 27 Mar 2006 21:10:42 -0800
> From: Alexander Sotirov <asotirov@xxxxxxxxxxxxx>
> Subject: [Dailydave] Determina Fix for the IE createTextRange() bug
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Message-ID: <4428C552.3080608@xxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Hi,
> 
> It seems like the IE 0-day generated a lot of activity among the HIPS vendors
> this weekend. We at Determina spent the weekend working on a fix for the IE
> createTextRange() bug. It's finally ready for download, including full source code:
> 
> http://www.determina.com/security_center/security_advisories/securityadvisory_march272006_1.asp
> 
> DETCVE-2006-1359.msi
> 
> MD5: 85b8bfc1c30c6b4451a3ab803f49708b
> SHA1: 308ae9a79e48adecf769fd50ac29ddc37a07d33c
> 
> It supports all versions of IE 5.01 and IE6.
> 
> The fix is a DLL that gets injected into all applications via the AppInit_DLLs
> registry key. The DLL fixes the bug by patching a _single_ byte in MSHTML.DLL
> when it is loaded in memory. This change makes the createTextRange() function
> return an error code instead of returning 0. This is exactly how the problem was
> fixed in the latest IE7 beta from March 20th.
> 
> If you are interested in the analysis of the bug, check out the comment before
> the patch_module() function in CVE-2006-1359.cpp.
> 
> 16 more days until the Microsoft patch.
> 
> Alex
> 
> 
> ------------------------------
> 
> End of Dailydave Digest, Vol 8, Issue 23
> ****************************************
> 
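The fix described in the message relies on AppInit_DLLs, which loads the listed DLLs into applications system-wide, so the value is worth inventorying wherever such a fix is deployed. The sketch below is an added example (not part of the original message and not Determina's code) that parses the value and flags entries outside an approved list. The sample paths and the `APPROVED` set are constructed placeholders, and `LoadAppInit_DLLs` / `RequireSignedAppInit_DLLs` are companion values found on later Windows versions.

```python
import re
import sys

# Both registry views of the AppInit_DLLs mechanism, under HKEY_LOCAL_MACHINE.
APPINIT_KEYS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)
NAMES = ("AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs")

# Constructed sample data; the paths are placeholders, not real product paths.
APPROVED = {r"c:\progra~1\example\fix.dll"}
SAMPLE = {"AppInit_DLLs": r"C:\PROGRA~1\Example\fix.dll, C:\Temp\x.dll",
          "LoadAppInit_DLLs": 1}

def parse_appinit(raw):
    """Split an AppInit_DLLs string into entries (space- or comma-delimited)."""
    return [e for e in re.split(r"[ ,]+", raw.strip()) if e]

def audit(values, approved):
    """Return (finding, detail) tuples for one key's values."""
    dlls = parse_appinit(values.get("AppInit_DLLs") or "")
    # Assumption: only an explicit LoadAppInit_DLLs = 0 is treated as "disabled".
    if not dlls or values.get("LoadAppInit_DLLs") == 0:
        return []
    findings = [("unapproved", d) for d in dlls if d.lower() not in approved]
    if values.get("RequireSignedAppInit_DLLs") != 1:
        findings.append(("unsigned-allowed", ",".join(dlls)))
    return findings

def read_key(subkey):
    """Read the AppInit values from HKLM\\<subkey>; Windows only."""
    import winreg
    out = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            for name in NAMES:
                try:
                    out[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # value not present on this system
    except FileNotFoundError:
        pass  # key (e.g. Wow6432Node) not present
    return out

if __name__ == "__main__":
    live = sys.platform == "win32"
    for key in APPINIT_KEYS if live else ("constructed sample",):
        for finding in audit(read_key(key) if live else SAMPLE, APPROVED):
            print(key, *finding)
```

On Windows the script reads the live registry; elsewhere it runs against the constructed sample.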



 




Copyright © Lexa Software, 1996-2009.