Microsoft Internet Explorer createTextRange() Memory Error Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1015812
SecurityTracker URL: http://securitytracker.com/id/1015812
Updated: Mar 24 2006
Original Entry Date: Mar 23 2006
Impact: Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Version(s): 6.0 and prior versions, 7 Beta 2
A vulnerability was reported in Microsoft Internet Explorer (IE) in 'mshtml.dll'. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger an invalid table pointer dereference and potentially execute arbitrary code.
The vulnerability can be triggered by the createTextRange() method.
Joshua Heyer discovered this vulnerability; Computer Terrorism (UK) reported it.
A demonstration exploit (that causes the browser to crash) is available at:
A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
No solution was available at the time of this entry.
The vendor has confirmed the vulnerability in the following advisory:
The vendor indicates that, as a temporary workaround, you can disable Active Scripting.
The vendor indicates that the new refresh of the IE7 Beta 2 Preview available on March 20, 2006 is not affected.
Vendor URL: www.microsoft.com/technet/security/advisory/917077.mspx
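The only mitigation this entry and the Computer Terrorism advisory below offer is the vendor's temporary workaround: disable Active Scripting for untrusted sites until a patch ships. The following PowerShell script is an added example, not part of the SecurityTracker entry or the advisory, that applies and verifies that workaround for the current user's Internet zone. It assumes the standard IE zone registry layout, in which zone 3 is the Internet zone, URL action 1400 is "Active scripting", and the values 0, 1 and 3 mean Enable, Prompt and Disable respectively; the function names are this example's own.

```powershell
# Added example (not from the SecurityTracker entry or the Computer Terrorism advisory):
# applies the vendor's temporary workaround by disabling Active Scripting in the
# Internet zone for the current user, then reads the setting back to confirm it.
# Assumption: standard IE zone registry layout (zone 3 = Internet, action 1400 =
# Active scripting, 0 = Enable, 1 = Prompt, 3 = Disable). Per-user only; a
# machine-wide policy would live under HKLM or Group Policy instead.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveScriptingAction = '1400'   # URL action for "Active scripting"
$PolicyDisable = 3

function Get-ActiveScriptingSetting {
    # Returns a human-readable label for the current Active Scripting policy.
    $item = Get-ItemProperty -Path $ZonePath -Name $ActiveScriptingAction -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Not set (zone default applies)'
    }
    $value = $item.$ActiveScriptingAction
    switch ($value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($value)" }
    }
}

function Disable-ActiveScripting {
    # Creates the zone key if it is missing and sets Active Scripting to Disable.
    if (-not (Test-Path $ZonePath)) {
        New-Item -Path $ZonePath -Force | Out-Null
    }
    Set-ItemProperty -Path $ZonePath -Name $ActiveScriptingAction -Value $PolicyDisable -Type DWord
}

Write-Host "Before: Active Scripting (Internet zone) = $(Get-ActiveScriptingSetting)"
Disable-ActiveScripting
Write-Host "After:  Active Scripting (Internet zone) = $(Get-ActiveScriptingSetting)"
```

Run it in the affected user's session; the "After" line should read Disable. Because this only changes the Internet zone, sites placed in the Trusted Sites zone keep scripting, which matches the advisory's wording of disabling scripting "for non-trusted sites". Reverting is a matter of writing 0 back to the same value once the patch is installed.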
Cause: Access control error, State error
Underlying OS: Windows (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: [Full-disclosure] Microsoft Internet Explorer (mshtml.dll) - Remote
Computer Terrorism (UK) :: Incident Response Centre
Security Advisory :: CT22-03-2006
Title: Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution
Organisation: Computer Terrorism (UK)
Advisory Date: 22nd March, 2006
Affected Software: Microsoft Internet Explorer 6.x, IE7 Beta 2
Impact: Remote System Access
Solution Status: ** UNPATCHED **
Pursuant to the publication of the aforementioned bug/vulnerability, this
document serves as a preliminary Security Advisory for users of Microsoft
Internet Explorer version 6 and 7 Beta 2.
Successful exploitation will allow a remote attacker to execute arbitrary
code against a fully patched Windows XP system, yielding system access with
privileges of the underlying user.
As per the publication, the bug originates from the use of a
createTextRange() method, which, under certain circumstances, can lead to an
invalid/corrupt table pointer dereference.
As a result, IE encounters an exception when trying to call a dereferenced
32-bit address, as highlighted by the following snippet of code.
0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]
0x7D53C166 CALL DWORD PTR [ECX]
Due to the incorrect reference, ECX points to a very remote, non-existent
memory location, causing IE to crash (DoS).
However, although the location is somewhat distant, history dictates that a
condition of this nature is conducive towards reliable exploitation.
Proof of Concept:
Computer Terrorism (UK) can confirm the production of reliable proof of
concept (PoC) for this vulnerability (tested on Windows XP SP2).
However, until a patch is developed, we will NOT be publicly disclosing our
Users are advised to disable active scripting for non-trusted sites until a
patch is released.
The Vendor has been informed of all aspects of this new vulnerability
(including PoC), but as of the date of the document, this vulnerability is
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/