
CERT-In Vulnerability Note CIVN-2006-94
Microsoft Internet Explorer WebViewFolderIcon Buffer Overflow Vulnerability

Original Issue Date: September 28, 2006
Updated on: October 11, 2006

Severity Rating: High

System Affected

Microsoft Internet Explorer 6

Overview

A buffer overflow vulnerability has been reported in Microsoft Internet Explorer that could be exploited by remote attackers to take complete control of the vulnerable system.

Description

The vulnerability is caused by a buffer overflow error in the WebViewFolderIcon ActiveX control while processing a malformed WebViewFolderIcon ActiveX object with an invalid argument to the "setSlice" method.

An attacker could exploit this vulnerability by creating and hosting a malicious website and persuading the user to visit it, typically by getting them to click on a link to the website. Successful exploitation could cause a denial of service or execute arbitrary code to take complete control of the vulnerable system.

It may be noted that exploit code of the vulnerability is publicly available.

Workarounds

  • Do not visit untrusted websites
  • Disable the WebViewFolderIcon ActiveX control if not required
  • Disable ActiveX or set to “Prompt before Running”
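The second workaround, disabling the WebViewFolderIcon control, is applied in practice by setting the control's ActiveX "kill bit" (the 0x400 bit of the "Compatibility Flags" value under the Internet Explorer "ActiveX Compatibility" registry key), after which Internet Explorer refuses to instantiate the control. The following PowerShell script is an added example and is not part of the CERT-In note; it checks whether the kill bit is already present and sets it if not. The CLSID used below is assumed to be the one Microsoft published for the WebViewFolderIcon control in its bulletin; confirm it against MS06-057 before deployment.

```powershell
# Added example (not part of the CERT-In note): check and set the ActiveX kill bit
# for the WebViewFolderIcon control. Assumption: the CLSID below is the one
# Microsoft published for this control in MS06-057; verify before deploying.
# Must be run from an elevated (Administrator) PowerShell session.

$Clsid = '{844F4806-E8A8-11d2-9652-00C04FC30871}'
$KillBitFlag = 0x400   # "Compatibility Flags" bit that blocks the control in IE

function Get-ActiveXKillBitPaths {
    param([string]$Clsid)
    $base = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $paths = @("HKLM:\$base\$Clsid")
    # 32-bit IE on 64-bit Windows reads the WOW6432Node view, so cover it too.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Test-ActiveXKillBit {
    param([string]$Clsid)
    # Returns $true only if every applicable registry view has the kill bit set.
    foreach ($p in (Get-ActiveXKillBitPaths -Clsid $Clsid)) {
        if (-not (Test-Path $p)) { return $false }
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBitFlag) -eq 0)) { return $false }
    }
    return $true
}

function Set-ActiveXKillBit {
    param([string]$Clsid)
    foreach ($p in (Get-ActiveXKillBitPaths -Clsid $Clsid)) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # OR the kill bit into any flags already present instead of overwriting them.
        $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$existing) -bor $KillBitFlag
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $new -Force | Out-Null
    }
}

if (Test-ActiveXKillBit -Clsid $Clsid) {
    Write-Output "Kill bit already set for $Clsid"
} else {
    Set-ActiveXKillBit -Clsid $Clsid
    Write-Output ("Kill bit now set: " + (Test-ActiveXKillBit -Clsid $Clsid))
}
```

Setting the kill bit blocks the control in Internet Explorer without removing the underlying DLL, so it is a containment measure for hosts that cannot be patched immediately; the MS06-057 update referenced under Solution remains the fix.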

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS06-057

References

USCERT
http://www.kb.cert.org/vuls/id/753044

ISS
http://xforce.iss.net/xforce/xfdb/27804

OSVDB
http://osvdb.org/27110

SecurityFocus
http://www.securityfocus.com/bid/19030

BrowserFun Blog
http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html

CVE Name
CVE-2006-3730

Revisions:
October 11, 2006: Solution.

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003