Credit:
The information has been provided by ZDI.
The original article can be found at: http://www.zerodayinitiative.com/advisories/ZDI-06-017.html
The vendor advisory can be found at: http://www.securiteam.com/windowsntfocus/5OP0C15IUS.html
Vulnerable Systems:
* Internet Explorer 6 All Versions
* Internet Explorer 5 SP4
The specific vulnerability is due to a miscalculation of memory sizes when translating UTF-8 characters to Unicode.
A size mismatch between a heap allocation and memory copy results in an exploitable heap corruption.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. Successful exploitation requires that the target user browse to a malicious web page. Exploitation does not require JavaScript, Java or ActiveX to be enabled.
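The advisory does not publish the faulty size calculation, so the following is an added illustration of the defensive pattern for this bug class, not code from Internet Explorer, ZDI or Microsoft. It is a UTF-8 to UTF-16 converter in C in which the pass that sizes the heap allocation is the same code that bounds every write; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Added illustration, not Internet Explorer code; all names are hypothetical. */
/* Decode one UTF-8 sequence; returns bytes consumed, 0 if malformed or truncated. */
static size_t utf8_next(const unsigned char *s, size_t n, uint32_t *cp) {
    static const uint32_t min_cp[] = {0, 0, 0x80, 0x800, 0x10000};
    size_t len;
    if (n == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    else if ((s[0] & 0xE0) == 0xC0) { len = 2; *cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; *cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; *cp = s[0] & 0x07; }
    else return 0;
    if (len > n) return 0;                                /* truncated input */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;              /* bad continuation byte */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min_cp[len] || *cp > 0x10FFFF) return 0;    /* overlong or out of range */
    if (*cp >= 0xD800 && *cp <= 0xDFFF) return 0;         /* encoded surrogate */
    return len;
}

/* Returns units needed, (size_t)-1 on bad input or short buffer; out == NULL only counts. */
size_t utf8_to_utf16(const unsigned char *src, size_t n, uint16_t *out, size_t cap) {
    size_t units = 0, used;
    uint32_t cp;
    for (size_t i = 0; i < n; i += used) {
        if ((used = utf8_next(src + i, n - i, &cp)) == 0) return (size_t)-1;
        size_t need = cp >= 0x10000 ? 2 : 1;              /* surrogate pair = 2 units */
        if (out && need > cap - units) return (size_t)-1; /* check before every write */
        if (out && need == 2) {
            out[units]     = (uint16_t)(0xD800 + ((cp - 0x10000) >> 10));
            out[units + 1] = (uint16_t)(0xDC00 + ((cp - 0x10000) & 0x3FF));
        } else if (out) out[units] = (uint16_t)cp;
        units += need;
    }
    return units;
}

/* The count that sizes the allocation is the same count that bounds the copy. */
uint16_t *utf8_to_utf16_alloc(const unsigned char *src, size_t n, size_t *units) {
    uint16_t *buf;
    *units = utf8_to_utf16(src, n, NULL, 0);
    if (*units == (size_t)-1 || *units > SIZE_MAX / sizeof *buf) return NULL;
    if ((buf = malloc(*units ? *units * sizeof *buf : 1)) == NULL) return NULL;
    utf8_to_utf16(src, n, buf, *units);
    return buf;
}
```

The caller owns the returned buffer and releases it with free(); a NULL return means the input was rejected or memory was unavailable, and nothing was written.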
CVE Information:
CVE-2006-2382
Vendor Status:
Microsoft has issued an update to correct this vulnerability. More details can be found at: http://www.microsoft.com/technet/security/bulletin/MS06-021.mspx.
Disclosure Timeline:
2006.01.20 - Vulnerability reported to vendor
2006.06.13 - Digital Vaccine released to TippingPoint customers
2006.06.13 - Coordinated public release of advisory