Thread-topic: [SA18957] Internet Explorer Multiple Vulnerabilities
>
> TITLE:
> Internet Explorer Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA18957
>
> VERIFY ADVISORY:
>
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> Spoofing, System access, Cross Site Scripting
>
> WHERE:
> From remote
>
> SOFTWARE:
> Microsoft Internet Explorer 5.5
>
> Microsoft Internet Explorer 5.01
>
> Microsoft Internet Explorer 6.x
>
>
> DESCRIPTION:
> Multiple vulnerabilities have been reported in Internet Explorer,
> which can be exploited by malicious people to conduct cross-site
> scripting attacks, conduct phishing attacks, or compromise a user's
> system.
>
> 1) An error in the cross-domain restriction when accessing properties
> of certain dynamically created objects can be exploited to execute
> arbitrary HTML and script code in a user's browser session in context
> of an arbitrary site via a JavaScript URI handler applied on a
> dynamically created "object" tag.
>
> 2) An error within the handling of multiple event handlers (e.g.
> onLoad) in an HTML element can be exploited to corrupt memory in a
> way that may allow execution of arbitrary code.
>
> 3) An error within the parsing of specially crafted, non-valid HTML
> can be exploited to corrupt memory in a way that allows execution of
> arbitrary code when a malicious HTML document is viewed.
>
> 4) An error within the instantiation of COM objects that are not
> intended to be instantiated in Internet Explorer can be exploited to
> corrupt memory in a way that allows execution of arbitrary code.
>
> 5) An error within the handling of HTML elements containing a
> specially crafted tag can be exploited to corrupt memory in a way
> that allows execution of arbitrary code.
>
> 6) An error within the handling of double-byte characters in
> specially crafted URLs can be exploited to corrupt memory in a way
> that allows execution of arbitrary code.
>
> Successful exploitation requires that the system uses double-byte
> character sets.
>
> 7) An error in the way IOleClientSite information is returned when an
> embedded object is dynamically created can be exploited to execute
> arbitrary code in context of another site or security zone.
>
> 8) An unspecified error can be exploited to spoof information
> displayed in the address bar and other parts of the trust UI.
>
> 9) Some unspecified vulnerabilities exist in the two ActiveX controls
> included with Danim.dll and Dxtmsft.dll.
>
> SOLUTION:
> Apply patches.
>
> Internet Explorer 5.01 SP4 on Windows 2000 SP4:
>
>
> Internet Explorer 6 SP1 on Windows 2000 SP4 or Windows XP SP1:
>
>
> Internet Explorer 6 for Windows XP SP2:
>
>
> Internet Explorer 6 for Windows Server 2003 and Windows Server 2003
> SP1:
>
>
> Internet Explorer 6 for Windows Server 2003 for Itanium-based systems
> and Windows Server 2003 with SP1 for Itanium-based systems:
>
>
> Internet Explorer 6 for Windows Server 2003 x64 Edition:
>
>
> Internet Explorer 6 for Windows XP Professional x64 Edition:
>
>
> Internet Explorer 6 SP1 on Windows 98, Windows 98 SE, or Windows ME:
> Patches are available via the Microsoft Update Web site or the
> Windows Update Web site.
>
> PROVIDED AND/OR DISCOVERED BY:
> 1) Discovered by anonymous person.
> 2) Michal Zalewski
> 3) The vendor credits Jan P. Monsch, Compass Security Network
> Computing.
> 4) The vendor credits Richard M. Smith, Boston Software Forensics.
> 5) The vendor credits Thomas Waldegger.
> 6) The vendor credits Sowhat, Nevis Labs.
> 7) The vendor credits Heiko Schultze, SAP.
> 9) The vendor credits Will Dormann, CERT/CC.
>
> ORIGINAL ADVISORY:
> MS06-013 (KB912812):
>