(Vendor Issues Fix) Microsoft Internet Explorer 'mshtml.dll' Bug in Processing Multiple Action Handlers Lets Remote Users Deny Service
SecurityTracker Alert ID: 1015794
SecurityTracker URL: http://securitytracker.com/id/1015794
Updated: Apr 11 2006
Original Entry Date: Mar 21 2006
Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): 5.01 SP4, 6 SP1; and prior service packs
A vulnerability was reported in Microsoft Internet Explorer. A remote user can cause denial of service conditions.
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger an overflow in 'mshtml.dll' and cause the target user's browser to crash.
It is also possible to execute arbitrary code.
HTML that specifies several thousand script action handlers (e.g., onLoad, onMouseMove) for a single HTML tag can trigger the vulnerability.
A demonstration denial of service exploit is available at:
Michal Zalewski reported this vulnerability.
A remote user can create HTML that, when loaded by the target user, will cause the target user's browser to crash or execute arbitrary code.
The vendor has issued the following fixes as part of a cumulative update:
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4:
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1:
Internet Explorer 6 for Microsoft Windows XP Service Pack 2:
Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1:
Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems:
Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition:
Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition:
A restart is required.
The vendor's advisory is available at:
Vendor URL: www.microsoft.com/technet/security/bulletin/ms06-013.mspx
Underlying OS: Windows (98), Windows (2000), Windows (2003), Windows (XP)
Underlying OS Comments: 2000 SP4, XP SP2, 2003 SP1; and prior service packs
Source Message Contents
Subject: Remote overflow in MSIE script action handlers (mshtml.dll)
This might not come as a surprise, but there appears to be a *very*
interesting and apparently very much exploitable overflow in Microsoft
Internet Explorer (mshtml.dll).
This vulnerability can be triggered by specifying more than a couple
thousand script action handlers (such as onLoad, onMouseMove, etc) for any
single HTML tag. Due to a programming error, MSIE will then attempt to
write memory array out of bounds, at an offset corresponding to the ID of
the script action handler multiplied by 4 (due to 32-bit address clipping,
the result is a small positive integer).
The list of IDs can be found on the Web, and is as follows (values in
parentheses = resulting offsets):
onhelp = 0x8001177d (+0x45df4)
onclick = 0x80011778 (+0x45de0)
ondblclick = 0x80011779 (+0x45de4)
onkeyup = 0x80011776 (+0x45dd8)
onkeydown = 0x80011775 (+0x45dd4)
onkeypress = 0x80011777 (+0x45ddc)
onmouseup = 0x80011773 (+0x45dcc)
onmousedown = 0x80011772 (+0x45dc8)
onmousemove = 0x80011774 (+0x45dd0)
onmouseout = 0x80011771 (+0x45dc4)
onmouseover = 0x80011770 (+0x45dc0)
onreadystatechange = 0x80011789 (+0x45e24)
onafterupdate = 0x80011786 (+0x45e18)
onrowexit = 0x80011782 (+0x45e08)
onrowenter = 0x80011783 (+0x45e0c)
ondragstart = 0x80011793 (+0x45e4c)
onselectstart = 0x80011795 (+0x45e54)
What happens next depends on the structure of the page in which the
malicious tag is embedded, as well as previously visited page and
previously initialized extensions (all these factors can be controlled by
When the offending page contains no additional elements, and the user is
not redirected from elsewhere, the browser will typically crash
immediately, because there is no allocated memory at the resulting offset.
In all other cases, crashes will typically occur later, due to attempted
use of unrelated but corrupted in-memory buffers - for example, when the
user attempts to leave or reload the page. Another good example is coming
from a page that contains Macromedia Flash - this usually causes the Flash
plugin itself to choke on corrupted memory on cleanup.
For non-believers, there's a short but fiery demonstration page available
at http://lcamtuf.coredump.cx/iedie.html (yes, it will probably crash your
Tested on MSIE 6.0.2900.2180.xpsp2.040806-1825 on Windows XP SP2. As far
as I can tell, other browser makes (Firefox, Opera) are not susceptible to
I eagerly await due reprimand from Microsoft for not disclosing this
vulnerability in a manner that benefits them most, not passing start, not
collecting $200 (from iDefense?).
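Both the advisory's description and the source message above explain the trigger: a single HTML tag carrying thousands of on* script action handlers. The following detection heuristic, an added example and not code from SecurityTracker, Microsoft or the reporter, flags such tags so a content filter or mail gateway can log or block the page; the 1000-handler threshold, the class and function names, and the sample page it builds are all assumptions made for this example.

```python
from html.parser import HTMLParser

# Assumed detection threshold (not from the advisory): ordinary markup uses a
# handful of handlers per element; the bug needs "a couple thousand".
HANDLER_THRESHOLD = 1000


class ActionHandlerCounter(HTMLParser):
    """Count on* attributes on each start tag. Repeated names are counted
    individually, since the same handler repeated thousands of times is
    exactly the suspicious case; html.parser keeps duplicates in attrs."""

    def __init__(self, threshold=HANDLER_THRESHOLD):
        super().__init__()
        self.threshold = threshold
        self.findings = []  # (line, tag, handler_count) for each flagged tag

    def handle_starttag(self, tag, attrs):
        count = sum(1 for name, _ in attrs if name.startswith("on"))
        if count >= self.threshold:
            line, _col = self.getpos()
            self.findings.append((line, tag, count))


def scan_html(document, threshold=HANDLER_THRESHOLD):
    """Return [(line, tag, handler_count), ...] for tags at or above threshold."""
    parser = ActionHandlerCounter(threshold)
    parser.feed(document)
    parser.close()
    return parser.findings


def build_sample(n_handlers, handler="onmousemove"):
    """Constructed sample page: one <body> tag carrying n_handlers copies of
    the given script action handler attribute (built here for the demo)."""
    attrs = " ".join('%s="x()"' % handler for _ in range(n_handlers))
    return "<html><body " + attrs + "><p>hello</p></body></html>"


if __name__ == "__main__":
    for n in (3, 2500):
        print(n, "handlers ->", scan_html(build_sample(n)) or "no finding")
```

A page whose legitimate elements each carry two or three handlers never reaches the threshold, while the trigger pattern is reported with its line, tag name and handler count.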