Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [SA20595] Microsoft Internet Explorer Multiple Vulnerabilities



> 
> TITLE:
> Microsoft Internet Explorer Multiple Vulnerabilities
> 
> SECUNIA ADVISORY ID:
> SA20595
> 
> VERIFY ADVISORY:
> http://secunia.com/advisories/20595/
> 
> CRITICAL:
> Highly critical
> 
> IMPACT:
> Spoofing, System access
> 
> WHERE:
> From remote
> 
> SOFTWARE:
> Microsoft Internet Explorer 6.x
> http://secunia.com/product/11/
> Microsoft Internet Explorer 5.01
> http://secunia.com/product/9/
> 
> DESCRIPTION:
> Some vulnerabilities have been reported in Internet Explorer, which
> can be exploited by malicious people to conduct phishing attacks and
> compromise a user's system.
> 
> 1) A memory corruption error within the decoding of specially crafted
> UTF-8 encoded HTML can be exploited to execute arbitrary code when a
> user e.g. visits a malicious web site.
> 
> 2) A memory corruption error within the
> DXImageTransform.Microsoft.Light ActiveX control's parameter
> validation can be exploited to execute arbitrary code when a user
> e.g. visits a malicious web site.
> 
> 3) An error within the way certain COM objects, which are not meant
> to be instantiated in Internet Explorer, are instantiated can be
> exploited to execute arbitrary code when e.g. a malicious web site is
> visited.
> 
> 4) An error allows spoofing of the information in the address bar and
> other parts of the trust UI, which can be exploited to conduct
> phishing attacks.
> 
> 5) A memory corruption error in the way multipart HTML (.mht) is
> saved can be exploited to execute arbitrary code if a user is tricked
> into saving a specially crafted web page as multipart HTML.
> 
> SOLUTION:
> Apply patches.
> 
> Internet Explorer 5.01 SP4 on Windows 2000 SP4:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=91A997DE-BAE4-4AC7-912D-79EF8ABAEF4F
> 
> Internet Explorer 6 SP1 on Windows 2000 SP4 or Windows XP SP1:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=0EB17A41-FB43-413B-A5CC-41E1F3DEDE4F
> 
> Internet Explorer 6 for Windows XP SP2:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=85CABE87-C4A0-4F80-BD1C-210E23FD8D81
> 
> Internet Explorer 6 for Windows Server 2003 and Windows Server 2003
> SP1:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=CCE7C875-C9A4-4C3D-A37B-946EE5E781E7
> 
> Internet Explorer 6 for Windows Server 2003 for Itanium-based systems
> (with or without SP1):
> http://www.microsoft.com/downloads/details.aspx?FamilyId=C8E4CFB6-1350-4AAE-B681-EE2ECAB41118
> 
> Internet Explorer 6 for Windows Server 2003 x64 Edition:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=1C7D5C6D-DDCF-485D-A1E3-60E55334FD74
> 
> Internet Explorer 6 for Windows XP Professional x64 Edition:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=F91791AC-8185-4346-AA66-89F74D4B5EA7
> 
> Internet Explorer 6 SP1 on Windows 98, Windows 98 SE, or Windows Me:
> Patches are available from the Windows Update web site.
> 
> PROVIDED AND/OR DISCOVERED BY:
> 1) The vendor credits TippingPoint and the Zero Day Initiative.
> 2) The vendor credits Will Dormann, CERT/CC.
> 3) The vendor credits TippingPoint and the Zero Day Initiative and HD
> Moore of Metasploit Project.
> 4) The vendor credits Yorick Koster of ITsec Security Services and
> hoshikuzu star_dust.
> 5) The vendor credits John Jones of DISC, State of Kansas.
> 
> ORIGINAL ADVISORY:
> MS06-021 (KB916281):
> http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx
> 
> OTHER REFERENCES:
> KB article discussing known issues when installing the update:
> http://support.microsoft.com/kb/916281
> 




 




Copyright © Lexa Software, 1996-2009.