Thread-topic: [NT] MS06-042 Related Internet Explorer 'Crash' is Exploitable
> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Wednesday, August 23, 2006 12:00 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] MS06-042 Related Internet Explorer 'Crash' is
> Exploitable
>
>
> MS06-042 Related Internet Explorer 'Crash' is Exploitable
>
>
>
> Due to a problem in Internet Explorer's decompression
> algorithm it is possible for a malicious web site to cause
> the browser to execute arbitrary code.
>
>
> Vulnerable Systems:
> * Windows 2000 with IE6 SP1 and MS06-042 hotfix installed
> * Windows XP SP1 with IE6 SP1 and MS06-042 hotfix installed
>
> On August 8th Microsoft released MS06-042 which was a
> cumulative update for Internet Explorer[1]. Over the course
> of a few days after the release of this patch various
> Internet Explorer users and businesses started to experience
> Internet Explorer crashing problems when viewing certain
> websites[2]. Later on August 11th Microsoft created a
> knowledge base article which talked about problems with the
> MS06-042 patch and how Internet Explorer could crash when
> viewing some web pages that used compression[3]. This
> Microsoft KB article referenced a patch, which could be
> requested through Microsoft Product Support Services, that
> would fix the "crashing" bug. There was further discussion
> about the extent of the crashes and widespread nature of the
> bug on places such as SANS and various patch and IT mailing
> lists[4]. Because of the widespread discussions and number of
> people experiencing the Internet Explorer crash various
> security researchers, including eEye, decided to investigate
> as a lot of times crashes can be exploitable.
>
> We have since found that indeed the reason that people are
> experiencing Internet Explorer browser crashes is certain
> websites, that use compression (as stated by Microsoft[5]),
> are causing a non-malicious buffer overflow to occur within
> Internet Explorer. After investigating and confirming that
> indeed this is an exploitable condition we are alerting
> people to the true severity of these "crashing" problems that
> people are experiencing, so that they can take the
> appropriate mitigation steps as need be.
>
> This information is already known in various research circles
> and also with exploit writers. So it is important that IT
> administrators understand the true threat of this problem: that
> this is not simply a crashing bug, as Microsoft has been incorrectly
> misrepresenting it, but in fact that it is an exploitable
> security bug. Researchers and exploit developers know this,
> therefore it is extremely important that IT administrators
> are told what really is going on.
>
> Prevention:
> Windows 2000 IE6 SP1 Systems
> Patch: Microsoft created and released a non-public patch on
> August 11th. You can find out more about this patch here:
> http://support.microsoft.com/?kbid=923762. This patch can
> only currently be obtained through the Microsoft PSS process.
> However, Microsoft does plan to eventually release a public
> patch through Windows Update etc...
>
> Workaround: Disable HTTP1.1 functionality as outlined by
> Microsoft in their knowledge base article:
> http://support.microsoft.com/?kbid=923762. Please review the
> caveats of doing this as outlined by Microsoft.
>
> Windows XP SP1 IE6 SP1 Systems
> Patch: The best way to protect your XP systems is to upgrade
> to Windows XP SP2 as it is protected against this
> vulnerability. Also support for XP SP1 ends in October and
> there are huge security benefits to XP SP2 so hopefully
> you're already migrated to it. If you are not however and
> you are stuck on XP SP1 then you can use the Microsoft
> Knowledge base patch which was released on August 11th
> through the PSS process. http://support.microsoft.com/?kbid=923762
>
> Workaround: Disable HTTP1.1 functionality as outlined by
> Microsoft in their knowledge base article:
> http://support.microsoft.com/?kbid=923762. Please review
> the caveats of doing this as outlined by Microsoft.
>
> References:
> [1] - MS06-042 Bulletin -
> http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx
> [2] - SANS - http://isc.sans.org
> [3] - Microsoft KB Article -
> http://support.microsoft.com/?kbid=923762
> [4] - SANS Thread - http://isc.sans.org/diary.php?storyid=1588
> [5] - http://blogs.technet.com/msrc/archive/2006/08/16/447023.aspx
>
>
> Additional Information:
> The information has been provided by Derek Soeder (eEye).