Thread-topic: [SA18957] Internet Explorer Multiple Vulnerabilities
> TITLE:
> Internet Explorer Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA18957
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/18957/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> Spoofing, System access, Cross Site Scripting
>
> WHERE:
> From remote
>
> SOFTWARE:
> Microsoft Internet Explorer 5.5
> http://secunia.com/product/10/
> Microsoft Internet Explorer 5.01
> http://secunia.com/product/9/
> Microsoft Internet Explorer 6.x
> http://secunia.com/product/11/
>
> DESCRIPTION:
> Multiple vulnerabilities have been reported in Internet Explorer,
> which can be exploited by malicious people to conduct cross-site
> scripting attacks, conduct phishing attacks, or compromise a user's
> system.
>
> 1) An error in the cross-domain restriction when accessing properties
> of certain dynamically created objects can be exploited to execute
> arbitrary HTML and script code in a user's browser session in context
> of an arbitrary site via a JavaScript URI handler applied on a
> dynamically created "object" tag.
>
> 2) An error within the handling of multiple event handlers (e.g.
> onLoad) in an HTML element can be exploited to corrupt memory in a
> way that may allow execution of arbitrary code.
>
> 3) An error within the parsing of specially crafted, non-valid HTML
> can be exploited to corrupt memory in a way that allows execution of
> arbitrary code when a malicious HTML document is viewed.
>
> 4) An error within the instantiation of COM objects that are not
> intended to be instantiated in Internet Explorer can be exploited to
> corrupt memory in a way that allows execution of arbitrary code.
>
> 5) An error within the handling of HTML elements containing a
> specially crafted tag can be exploited to corrupt memory in a way
> that allows execution of arbitrary code.
>
> 6) An error within the handling of double-byte characters in
> specially crafted URLs can be exploited to corrupt memory in a way
> that allows execution of arbitrary code.
>
> Successful exploitation requires that the system uses double-byte
> character sets.
>
> 7) An error in the way IOleClientSite information is returned when an
> embedded object is dynamically created can be exploited to execute
> arbitrary code in context of another site or security zone.
>
> 8) An unspecified error can be exploited to spoof information
> displayed in the address bar and other parts of the trust UI.
>
> 9) Some unspecified vulnerabilities exist in the two ActiveX controls
> included with Danim.dll and Dxtmsft.dll.
>
> SOLUTION:
> Apply patches.
>
> Internet Explorer 5.01 SP4 on Windows 2000 SP4:
> http://www.microsoft.com/downloa...7B87-AF8F-4346-9164-596E3E5C22B1
>
> Internet Explorer 6 SP1 on Windows 2000 SP4 or Windows XP SP1:
> http://www.microsoft.com/downloa...41E1-2B36-4696-987A-099FC57E0129
>
> Internet Explorer 6 for Windows XP SP2:
> http://www.microsoft.com/downloa...FB31-E6B4-4771-81F1-4ACCEBF72133
>
> Internet Explorer 6 for Windows Server 2003 and Windows Server 2003
> SP1:
> http://www.microsoft.com/downloa...6871-D217-41D3-BECC-B27FAFA00054
>
> Internet Explorer 6 for Windows Server 2003 for Itanium-based systems
> and Windows Server 2003 with SP1 for Itanium-based systems:
> http://www.microsoft.com/downloa...957C-0ABE-4129-ABAF-AA2852AD62A3
>
> Internet Explorer 6 for Windows Server 2003 x64 Edition:
> http://www.microsoft.com/downloa...8BE3-39EE-4937-9BD1-280FC35125C6
>
> Internet Explorer 6 for Windows XP Professional x64 Edition:
> http://www.microsoft.com/downloa...FE3E-620A-4BBC-868B-CA2D9EFF7AC3
>
> Internet Explorer 6 SP1 on Windows 98, Windows 98 SE, or Windows ME:
> Patches are available via the Microsoft Update Web site or the
> Windows Update Web site.
>
> PROVIDED AND/OR DISCOVERED BY:
> 1) Discovered by anonymous person.
> 2) Michal Zalewski
> 3) The vendor credits Jan P. Monsch, Compass Security Network
> Computing.
> 4) The vendor credits Richard M. Smith, Boston Software Forensics.
> 5) The vendor credits Thomas Waldegger.
> 6) The vendor credits Sowhat, Nevis Labs.
> 7) The vendor credits Heiko Schultze, SAP.
> 9) The vendor credits Will Dormann, CERT/CC.
>
> ORIGINAL ADVISORY:
> MS06-013 (KB912812):
> http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx