Random Entry: Climate Change Resources
< Laptop Encryption, Solved | Stupidity always threatens Litigation >

User Interaction vs Remote Code Execution, oh and an IE 0day

The quick summary is that Microsoft Internet Explorer is vulnerable to a flaw in the application that results in an invalid table-pointer dereference why mucking around with CreateTextRange().

The Internet Storm Centre has raised the alert to InfoCon Yellow.
The original advisory was released by Computer Terrorism:
There are code execution exploits (one, two) roaming around.
Interestingly enough this appears to have been first released as early as January. Well, that's the date on this one(careful on that one) anyway.
Vulnerability databases have the dirt:

SecurityFocus, Secunia, US-CERT, CVE, (No X-Force?)

Microsoft's response "Duh, turn off ActiveScripting and use 'Safe Browsing Habits'."
Everyone else's response, "Use another browser".
No word on Snort signatures as yet.

Now all of that is fine, another 0day, another firefight. What interests me is that SecurityFocus recons this is a "Remote Code Execution" vulnerability. It isn't, it requires user interaction to actually browse to a naughty page or open a naughty e-mail. Is it because the user interaction part is considered so trivial the author of that description labelled it as remote, or is it just a mistake?

Friday, March 24. 2006
Posted by Dominic White in Security
Comments (2) | Trackbacks (0)

Last modified on 2006-03-30 09:43

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

#1 Shog9 wrote (Link) (Reply)
Posted on Wednesday, March 29. 2006

For what it's worth, there are reports of this as a crashing bug on USENET dating back to at least 2003. The only reason i put up a demo page this year was that it was annoying me one day (one of my applications uses MSHTML internally), and i thought i'd complain about it a bit. A month or so later, i drop a link into a forum, and bam! Within days, exploits abound. Of course, my thought process was, "It must be no more than an annoyance - surely, MS wouldn't let an exploitable crash remain in their browser for *three years* after it's reported"... Silly me.

#1.1 Dominic White wrote (Link) (Reply)
Posted on Thursday, March 30. 2006

Haha, that is classic. I guess Theo De Raadt has a point then :)

Add Comment

Name
Email
Homepage
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry