Microsoft Internet Explorer JavaScript setExpression Heap Corruption Vulnerability
13 Dec. 2007
Summary
Internet Explorer is "a graphical web browser developed by Microsoft Corp. and included as part of Microsoft Windows since 1995. The setExpression method is commonly used to assign a JavaScript expression to a CSS or DHTML object within a web page". Remote exploitation of a heap corruption vulnerability in Microsoft Corp.'s Internet Explorer web browser allows attackers to execute arbitrary code in the context of the current user.
Vulnerable Systems:
* Internet Explorer version 6.0
* Internet Explorer version 7.0
The vulnerability lies in the JavaScript setExpression method, which is implemented in mshtml.dll. When malformed parameters are supplied, memory is corrupted in a way that causes Internet Explorer to access an object that has already been freed (a use-after-free condition). By creating a specially crafted web page, an attacker can control the contents of the memory that the freed object pointed to, which allows arbitrary code to be executed.
Analysis:
Exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the user running Internet Explorer.
In order to exploit this vulnerability, an attacker must persuade a user to render a malicious web page using Internet Explorer. This is usually accomplished by providing a link to the malicious page in an e-mail or instant message.
On Windows Vista, Internet Explorer 7 runs in "Protected Mode". Since "Protected Mode" processes web pages with lower privileges than a normal user, it lessens the impact of this vulnerability. However, it does not prevent arbitrary code execution on the affected system.
Workaround:
Disable Active Scripting (JavaScript) to prevent exploitation of this issue. Applying this workaround will prevent proper rendering of web sites that rely on JavaScript.
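One way to apply and verify the workaround above on a single machine, as an added example that is not part of the original advisory: Internet Explorer's per-zone security settings are stored in the registry, where the DWORD named 1400 under each zone key controls Active Scripting (0 = enable, 1 = prompt, 3 = disable; zone 3 is Internet, zone 4 is Restricted sites). The function names are the example's own.

```powershell
# Added example (not from the advisory): show and set the per-zone
# "Active scripting" value that the workaround refers to.
# Assumes the documented IE zone registry layout under the current user:
# zone keys 1 (Local intranet), 2 (Trusted sites), 3 (Internet),
# 4 (Restricted sites), each holding DWORD 1400 for Active scripting.
$ZonesKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'
$Labels          = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ActiveScripting {
    param([int[]]$Zone = @(1, 2, 3, 4))
    foreach ($z in $Zone) {
        $key   = Join-Path $ZonesKey "$z"
        $item  = Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.$ActiveScripting } else { $null }
        $label = if ($null -ne $value -and $Labels.ContainsKey($value)) { $Labels[$value] } else { 'Not set / unknown' }
        [pscustomobject]@{ Zone = $z; Value = $value; Setting = $label }
    }
}

function Disable-ActiveScripting {
    # The advisory's workaround: disable Active Scripting where untrusted
    # pages are rendered, i.e. the Internet and Restricted sites zones.
    param([int[]]$Zone = @(3, 4))
    foreach ($z in $Zone) {
        $key = Join-Path $ZonesKey "$z"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $ActiveScripting -Value 3 -Type DWord
    }
}

'Before:'; Get-ActiveScripting | Format-Table -AutoSize
Disable-ActiveScripting
'After:';  Get-ActiveScripting | Format-Table -AutoSize
```

This changes only the current user's settings; zone settings enforced machine-wide or through Group Policy live under HKLM and take precedence, so check there as well when verifying the workaround on managed systems.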