CERT-In Vulnerability Note CIVN-2006-77
Multiple vulnerabilities in Microsoft Internet Explorer
Original Issue Date: August 09, 2006
Severity Rating: High
Systems Affected
- Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
- Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1
- Internet Explorer 6 for Microsoft Windows XP Service Pack 2
- Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
- Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
- Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
Overview
Multiple vulnerabilities have been reported in Microsoft Internet Explorer which could be exploited by remote or local attackers to disclose information, execute arbitrary code or elevate privileges. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system.
Description
Redirect Cross-Domain Information Disclosure Vulnerability - (CVE-2006-3280)
This is an information disclosure vulnerability in Internet Explorer in the way that a redirect is handled. Internet Explorer incorrectly interprets the location of a Web page after a redirect to a Web page that uses gzip encoding or some other compression type supported by Internet Explorer. In addition, data from Web pages in other domains or Internet Explorer zones could only be exposed to an attacker if those Web pages allow caching of their content.
An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could read data from a Web page in another Internet Explorer domain or security zone.
HTML Layout and Positioning Memory Corruption Vulnerability - (CVE-2006-3450)
This is a remote code execution vulnerability. When Internet Explorer handles specially crafted HTML with certain layout positioning combinations it may corrupt system memory in such a way that an attacker could execute arbitrary code. An attacker could exploit this vulnerability by crafting a Web page or link that could allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user; if that user has administrative rights, the attacker could take complete control of the affected system.
CSS Memory Corruption Vulnerability - (CVE-2006-3451)
This is a remote code execution vulnerability. When Internet Explorer handles chained Cascading Style Sheets (CSS) it may corrupt system memory in such a way that an attacker could execute arbitrary code.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
HTML Rendering Memory Corruption Vulnerability - (CVE-2006-3637)
This is a remote code execution vulnerability. When Internet Explorer handles certain layout positioning combinations it may corrupt system memory in such a way that an attacker could execute arbitrary code.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
COM Object Instantiation Memory Corruption Vulnerability - (CVE-2006-3638)
This is a remote code execution vulnerability. When Internet Explorer tries to instantiate certain COM objects as ActiveX Controls, the COM objects may corrupt the system state in such a way that an attacker could execute arbitrary code.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Source Element Cross-Domain Vulnerability - (CVE-2006-3639)
This is a remote code execution and information disclosure vulnerability. Internet Explorer incorrectly interprets the origin of script and allows the script to run in a domain or Internet Explorer zone other than the one it originates from.
An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could read data from a Web page in another Internet Explorer domain.
On Windows 2000 Service Pack 4 and Windows XP Service Pack 1 an attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Window Location Information Disclosure Vulnerability - (CVE-2006-3640)
This is an information disclosure vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page. It is possible to persist script across navigations and then use this script to gain access to the window location of a Web page in another domain or Internet Explorer zone. After a user visits a Web site containing the exploit the attacker can see the location of subsequent Web pages visited in the same Internet Explorer session.
FTP Server Command Injection Vulnerability - (CVE-2004-1166)
When Internet Explorer handles a specially crafted FTP link that contains line feeds, it passes the line feeds on to the FTP server unchanged. The server may then interpret the substrings between the line feeds as additional commands.
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could issue FTP server commands to FTP servers as the user. The attacker would be limited to what the user could do on the FTP server, and would need to know the location of the FTP server. User interaction is required to exploit this vulnerability.
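The mechanism described above, as an added example that is not part of the CERT-In note or of Microsoft's bulletin: a small Python model of a client that pastes a percent-decoded FTP path straight into a RETR command, the way an FTP server tokenises the resulting control-connection bytes into separate commands, and the check a hardened client applies before sending anything. The host and file names in the sample URL are placeholders constructed for this example, and the percent-encoded %0D%0A stands in for the embedded line feeds the note refers to; none of this models Internet Explorer's actual code.

```python
"""Added example: FTP command injection through line feeds in a URL.

Not code from the CERT-In note or from Microsoft. Host and file names are
constructed placeholders; %0D%0A is a percent-encoded CR LF pair.
"""
from urllib.parse import urlsplit, unquote

# Constructed sample URLs for this example.
MALICIOUS_URL = "ftp://ftp.example.com/pub/readme.txt%0D%0ADELE%20reports.xls%0D%0A"
BENIGN_URL = "ftp://ftp.example.com/pub/readme.txt"


def _decoded_path(url: str) -> str:
    """Percent-decode the URL path and drop the leading slash."""
    return unquote(urlsplit(url).path.lstrip("/"))


def naive_retr_command(url: str) -> bytes:
    """Model of a client with the flaw the note describes: the decoded path
    goes into RETR with no check for control characters, so any CR/LF the
    attacker embedded travels to the server inside the command."""
    return f"RETR {_decoded_path(url)}\r\n".encode("latin-1")


def server_parse(stream: bytes) -> list:
    """Model of how an FTP server tokenises its control connection: every
    line-feed-terminated line is one command. Trailing CRs are stripped so
    the model is tolerant of bare LF, which is why a client must not rely on
    the server rejecting anything short of a full CRLF."""
    text = stream.decode("latin-1")
    lines = [line.rstrip("\r") for line in text.split("\n")]
    return [line for line in lines if line]


def ftp_path_is_safe(url: str) -> bool:
    """Hardened check: decode first, then refuse any path that still carries
    a control character (0x00-0x1F or DEL). Checking the raw URL for literal
    line feeds is not enough, because %0A decodes to one."""
    return not any(ord(c) < 0x20 or c == "\x7f" for c in _decoded_path(url))


def safe_retr_command(url: str) -> bytes:
    """Hardened client: build the command only if the path passed the check."""
    if not ftp_path_is_safe(url):
        raise ValueError("control character in FTP path; refusing to send")
    return f"RETR {_decoded_path(url)}\r\n".encode("latin-1")


if __name__ == "__main__":
    # The naive client sends one RETR; the server executes two commands.
    print(server_parse(naive_retr_command(MALICIOUS_URL)))
    # The hardened client refuses the same URL before anything hits the wire.
    try:
        safe_retr_command(MALICIOUS_URL)
    except ValueError as exc:
        print("rejected:", exc)
```

The point the model makes is where the check has to sit: after percent-decoding and before the path is concatenated into a protocol line. A check on the raw URL string would pass %0D%0A, and a check that only looks for the CRLF pair would miss a bare line feed that a tolerant server still treats as a command terminator.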
In order to exploit most of these vulnerabilities an attacker would have to host a specially crafted Web site or send an HTML e-mail message that attempts to exploit them. The attacker would then have to persuade users to view the content, typically by getting them to click a link in an e-mail message or instant messenger request, or by displaying the specially crafted Web content through banner advertisements.
Workarounds
- Disable caching of Web content in Internet Explorer
- Disable caching of your Web site's content
- Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
- Read e-mail messages in plain text format when using Outlook 2002 or a later version, or Outlook Express 6 SP1 or a later version. Digitally signed or encrypted e-mail messages are not affected by this setting and may be read in their original formats.
- Prevent COM objects from running in Internet Explorer
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS06-042
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx
References
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx
FrSIRT
http://www.frsirt.com/english/advisories/2006/3212
Secunia
http://secunia.com/advisories/20825/
http://secunia.com/advisories/21396/
http://secunia.com/advisories/13404/
US-Cert
http://www.kb.cert.org/vuls/id/883108
http://www.kb.cert.org/vuls/id/119180
http://www.kb.cert.org/vuls/id/262004
http://www.kb.cert.org/vuls/id/340060
http://www.kb.cert.org/vuls/id/959049
http://www.kb.cert.org/vuls/id/252764
SecurityFocus
http://www.securityfocus.com/bid/18682
http://www.securityfocus.com/bid/19312
http://www.securityfocus.com/bid/19316
http://www.securityfocus.com/bid/18277
http://www.securityfocus.com/bid/19340
http://www.securityfocus.com/bid/19400
http://www.securityfocus.com/bid/19339
http://www.securityfocus.com/bid/11826
CVE-Name
CVE-2006-3280
CVE-2006-3450
CVE-2006-3451
CVE-2006-3637
CVE-2006-3638
CVE-2006-3639
CVE-2006-3640
CVE-2004-1166
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
