(Vendor Issues Fix) Microsoft Internet Explorer Buffer Overflow in IFRAME/EMBED Tag Processing Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1012370
|
|
SecurityTracker URL: http://securitytracker.com/id?1012370
|
|
CVE Reference: CAN-2004-1050
(Links to External Site)
|
Date: Dec 1 2004
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 6
|
Description: A buffer overflow vulnerability was reported in Microsoft Internet Explorer (IE) in the processing of IFRAME and EMBED tags. A remote user can execute arbitrary code on the target user's system.
ned from felinemenace.org and Berend-Jan Wever and others reported that IE does not properly validate certain IFRAME and EMBED tag
attributes. A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary code on
the target user's system.
A specially crafted SRC and NAME attribute can trigger the flaw, allowing the HTML to modify the EAX
register, which can lead to modification of the ECX and subsequently the EIP register. A demonstration exploit is of the following
form:
<IFRAME SRC=AAAAAAAAAAAA.... NAME="BBBBBBBBBBB....">
Exploit code has been released.
It is reported that systems
running Windows XP SP2 are not affected.
|
Impact: A remote user can execute arbitrary code on the target user's system with the privileges of the target user.
|
Solution: The vendor has issued a fix as part of a cumulative update:
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service
Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=3A9DBD51-4348-4E
E6-9BC1-D9A1E12963EC
Internet Explorer 6 Service Pack 1 on Microsoft Windows NT Server 4.0 Service Pack 6a, on Microsoft Windows
NT Server 4.0 Terminal Service Edition Service Pack 6, on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows
Me:
http://www.microsoft.com/downloads/details.aspx?FamilyId=96DE6C13-4F67-4581-8F51-2C8A90E11C57
Internet Explorer 6 for
Windows XP Service Pack 1 (64-Bit Edition):
http://www.microsoft.com/downloads/details.aspx?FamilyId=1e9105cf-eb5b-4af5-b73d-03e8969e0b5c
This
update requires a system restart.
This update supercedes the update provided in MS04-038.
Microsoft warns that the update
may not include hotfixes that have been released since the release of MS04-004 or MS04-038. So, customers who have received hotfixes
from Microsoft or from their support providers since the release of MS04-004 or MS04-038 should install update 889669 (http://support.microsoft.com/kb/889669)
instead of this update.
|
Vendor URL: www.microsoft.com/technet/security/bulletin/ms04-040.mspx (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Windows (NT), Windows (98), Windows (2000), Windows (XP)
|
Underlying OS Comments: XP SP2 is not affected
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 1 Dec 2004 15:29:53 -0500
Subject: http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx
|
http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx
|
|
