SecurityTracker.com
Category:  Application (Web Browser)  >  Microsoft Internet Explorer (IE)
Vendors:  Microsoft
(Viruses Are Exploiting This Flaw) Microsoft Internet Explorer Buffer Overflow in IFRAME/EMBED Tag Processing Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012146
SecurityTracker URL:  http://securitytracker.com/id?1012146
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 9 2004
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 6
Description:  A buffer overflow vulnerability was reported in Microsoft Internet Explorer (IE) in the processing of IFRAME and EMBED tags. A remote user can execute arbitrary code on the target user's system.

ned from felinemenace.org and Berend-Jan Wever and others reported that IE does not properly validate certain IFRAME and EMBED tag attributes. A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

Specially crafted SRC and NAME attributes can trigger the flaw, allowing the HTML to modify the EAX register, which can lead to modification of the ECX register and subsequently the EIP register. A demonstration exploit is of the following form:

<IFRAME SRC=AAAAAAAAAAAA.... NAME="BBBBBBBBBBB....">

Exploit code has been released.

It is reported that systems running Windows XP SP2 are not affected.

AUSCERT subsequently reported that variants of the MyDoom virus (W32/Mydoom.ag@MM and W32/Mydoom.ah@MM) are actively exploiting this vulnerability.

If the recipient clicks on a link contained in the viral e-mail message, a web page containing malicious code will load. The code triggers the buffer overflow and executes arbitrary code on the target user's system.

In these particular viruses, the malicious code requires JavaScript. However, the vulnerability itself does not require the use of JavaScript.
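
Since no fix was available when this entry was written, a mail gateway or web proxy can at least flag markup of the shape described above. The following is an added example, not part of the original advisory: a static scanner that reports IFRAME and EMBED tags whose SRC or NAME value is unusually long. The 256-character threshold, the function and class names, and the sample HTML are assumptions made for illustration; the advisory does not state a triggering length.

```python
from html.parser import HTMLParser

# Assumed tuning value: the advisory gives no triggering length.
MAX_ATTR_LEN = 256
WATCHED_TAGS = {"iframe", "embed"}   # tags named in the advisory
WATCHED_ATTRS = {"src", "name"}      # attributes named in the advisory


class OverlongAttrScanner(HTMLParser):
    """Collects IFRAME/EMBED tags whose SRC or NAME value is overlong."""

    def __init__(self, max_len=MAX_ATTR_LEN):
        super().__init__(convert_charrefs=True)
        self.max_len = max_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self._check(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        # Self-closing form (<embed ... />); check once, not twice.
        self._check(tag, attrs)

    def _check(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in WATCHED_TAGS:
            return
        line, _col = self.getpos()
        for name, value in attrs:
            if name in WATCHED_ATTRS and value and len(value) > self.max_len:
                self.findings.append(
                    {"line": line, "tag": tag, "attr": name, "length": len(value)}
                )


def scan_html(html, max_len=MAX_ATTR_LEN):
    """Return one finding per overlong SRC/NAME attribute, in document order."""
    scanner = OverlongAttrScanner(max_len)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: two ordinary tags and one tag with filler-only values.
SAMPLE = (
    "<html><body>\n"
    '<iframe src="https://example.com/frame.html" name="ads"></iframe>\n'
    "<IFRAME SRC=" + "A" * 600 + ' NAME="' + "B" * 900 + '"></IFRAME>\n'
    '<embed src="movie.swf" name="m">\n'
    "</body></html>"
)
```

A static scan only sees tags present in the delivered markup, so pages that build the tag with script need a rendering-aware check. Tune the threshold against legitimate traffic, since long query strings in SRC values will otherwise raise false positives.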

McAfee has assigned a "Medium" risk rating to the W32/Mydoom.ah@MM virus. The virus uses a variety of subject lines and message body contents. More information is available at:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631

Impact:  A remote user can execute arbitrary code on the target user's system with the privileges of the target user.
Solution:  No solution was available at the time of this entry.

It has been reported that Windows XP SP2 is not affected.

Vendor URL:  www.microsoft.com/
Cause:  Boundary error
Underlying OS:  Windows (Any)
Underlying OS Comments:  All versions except XP SP2

Message History:   This archive entry is a follow-up to the message listed below.
Nov 2 2004 (Exploit Code Has Been Released) Microsoft Internet Explorer Buffer Overflow in IFRAME/EMBED Tag Processing Lets Remote Users Execute Arbitrary Code



 Source Message Contents

Date:  Tue, 9 Nov 2004 01:16:57 -0500
Subject:  http://www.auscert.org.au/render.html?it=4542

 
 
AUSCERT reported that variants of the MyDoom virus (W32/Mydoom.ag@MM and
W32/Mydoom.ah@MM) are actively exploiting the recently disclosed Microsoft Internet
Explorer IFRAME/EMBED buffer overflow vulnerability.
 
If the recipient clicks on a link contained in the viral e-mail message, a web page 
containing malicious code will load.  The code triggers the buffer overflow and
executes arbitrary code on the target user's system.
 
In these particular viruses, the malicious code requires JavaScript.  However, the
vulnerability itself does not require the use of JavaScript.
 
McAfee has assigned a "Medium" risk rating to the W32/Mydoom.ah@MM virus.  The virus
uses a variety of subject lines and message body contents.  More information is 
available at:
 
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631
 



Copyright 2004, SecurityGlobal.net LLC