DESCRIPTION

Internet Explorer is the flagship browser for the Microsoft Windows OS.

SUMMARY

PRODUCT Internet Explorer
VENDOR Microsoft
AFFECTED VERSIONS 5.x up to and including SP3; 6.x up to and including 6.1 SP1
SEVERITY HIGH
IDENTIFIER N/A
TESTED PLATFORM Windows 2k, Windows XP

A vulnerability has been discovered in IE 5.x and IE 6.x: a malformed style sheet causes IE to corrupt its allocated heap memory and crash. Microsoft later acknowledged the issue and confirmed that it is an exploitable heap overflow, which ultimately allows an attacker to execute arbitrary code in the context of the IE user.

IMPACT

Execute Arbitrary Code

DETAILS

[Vulnerability] Cascading Style Sheets(CSS) Memory Corruption

Cascading Style Sheets (CSS) is a technology that gives Web authors increased control over the design and interaction of their Web pages. The issue arises when IE is presented with a STYLE tag followed by a comment opener (/*) that is never terminated; this causes IE to perform an invalid memory copy operation, for example:

<STYLE>@;/*

An attacker can cause a Denial of Service and crash vulnerable IE versions simply by constructing a web page with <STYLE>@;/* embedded in it. Merely 11 bytes are needed to crash a 20 MB software package.
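The following detector is an added example and is not part of the original advisory or of any Microsoft code. It scans an HTML document for STYLE elements whose CSS opens a /* comment that is never closed, which is exactly the shape of the trigger above. It handles the two forms a practitioner has to care about: a STYLE element that is closed normally, and one whose </STYLE> is missing, in which case the CSS runs to the end of the document (as it does in the 11-byte trigger). The sample pages are constructed here for illustration; the function names are this example's own.

```python
import re

# The trigger quoted in the advisory: 11 bytes, no closing tag, no closing "*/".
TRIGGER = "<STYLE>@;/*"

# Constructed sample documents (not taken from the advisory).
TRIGGER_PAGE = "<html><body>" + TRIGGER + "</body></html>"
BENIGN_PAGE = "<html><head><style>/* ok */ p { color: red; }</style></head></html>"

STYLE_OPEN = re.compile(r"<style\b[^>]*>", re.IGNORECASE)
STYLE_CLOSE = re.compile(r"</style\s*>", re.IGNORECASE)


def style_blocks(html):
    """Yield (offset, css_text) for every STYLE element in the document.

    If a STYLE element is never closed, its CSS is taken to run to the end
    of the document, which is how the 11-byte trigger is parsed.
    """
    pos = 0
    while True:
        opener = STYLE_OPEN.search(html, pos)
        if not opener:
            return
        body_start = opener.end()
        closer = STYLE_CLOSE.search(html, body_start)
        body_end = closer.start() if closer else len(html)
        yield opener.start(), html[body_start:body_end]
        if not closer:
            return
        pos = closer.end()


def has_unterminated_comment(css):
    """Return True if the CSS text opens a /* comment that is never closed.

    CSS comments do not nest, so a single forward scan is enough. A "/*"
    inside a quoted string is deliberately treated as an opener as well:
    the advisory says nothing about how the vulnerable parser handles
    strings, so the conservative choice is to flag it.
    """
    i = 0
    while True:
        start = css.find("/*", i)
        if start == -1:
            return False
        end = css.find("*/", start + 2)
        if end == -1:
            return True
        i = end + 2


def find_triggers(html):
    """Return the offsets of STYLE elements containing an unterminated comment."""
    return [offset for offset, css in style_blocks(html)
            if has_unterminated_comment(css)]


if __name__ == "__main__":
    for name, page in (("trigger", TRIGGER_PAGE), ("benign", BENIGN_PAGE)):
        print(name, find_triggers(page))
```

Running the block reports the offset of the STYLE element in the trigger page and an empty list for the benign page. Because the scan works on the raw bytes of the response rather than on a rendered DOM, the same logic can run in a proxy or mail filter before the content ever reaches a vulnerable browser.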

PROOF OF CONCEPT

For demonstration purposes, we have also constructed a sample page at http://www.ecqurity.com/adv/11.html (visiting 11.html will crash your IE without any warning, so save whatever you are working on before visiting it). Additionally, a more sophisticated exploit can be crafted that executes malicious code in the context of the IE user whenever the page is loaded. For the exploit to work, the attacker only needs to entice the user to visit the malicious page.

VENDOR STATUS

Microsoft acknowledged the issue and released a patch on October 12th, 2004. For more information about the patch and where to download it, please visit http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx

CREDIT

Phuong Nguyen -- phuong at ecqurity . com

David Coomber -- david at ecqurity . com

DISCLOSURE TIMELINE

N/A

APPENDIX

N/A

REFERENCES

N/A