Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Browser)  >   Microsoft Internet Explorer Vendors:   Microsoft
Microsoft Internet Explorer createTextRange() Memory Error Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015812
SecurityTracker URL:
CVE Reference:   CVE-2006-1359   (Links to External Site)
Updated:  Mar 24 2006
Original Entry Date:  Mar 23 2006
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): 6.0 and prior versions, 7 Beta 2
Description:   A vulnerability was reported in Microsoft Internet Explorer (IE) in 'mshtml.dll'. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger an invalid table pointer dereference and potentially execute arbitrary code.

The vulnerability can be triggered by the createTextRange() method.

Computer Terrorism (UK) reported this vulnerability. Joshua Heyer discovered this vulnerability.

A demonstration exploit (that causes the browser to crash) is available at:

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
Solution:   No solution was available at the time of this entry.

The vendor has confirmed the vulnerability in the following advisory:

The vendor indicates that, as a temporary workaround, you can disable Active Scripting.

The vendor indicates that the new refresh of the IE7 Beta 2 Preview available on March 20, 2006 is not affected.

Vendor URL: (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 11 2006 (Vendor Issues Fix) Microsoft Internet Explorer createTextRange() Memory Error Lets Remote Users Execute Arbitrary Code
Microsoft has issued a fix.

 Source Message Contents

Subject:  [Full-disclosure] Microsoft Internet Explorer (mshtml.dll) - Remote

Computer Terrorism  (UK) :: Incident Response Centre

Security Advisory :: CT22-03-2006

Title:   Microsoft Internet Explorer (mshtml.dll) - Remote Code Execution

Organisation:  Computer Terrorism (UK)
Advisory Date:  22nd March, 2006

Affected Software:  Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity:    Critical
Impact:   Remote System Access
Solution Status:  ** UNPATCHED **


Pursuant to the publication of the aforementioned bug/vulnerability, this 
document serves as a preliminary Security Advisory for users of Microsoft 
Internet Explorer version 6 and 7 Beta 2.
Successful exploitation will allow a remote attacker to execute arbitrary 
code against a fully patched Windows XP system, yielding system access with 
privileges of the underlying user.

Technical Narrative:

As per the publication, the bug originates from the use of a 
createTextRange() method, which, under certain circumstances, can lead to an 
invalid/corrupt table pointer dereference.
As a result, IE encounters an exception when trying to call a deferenced 
32bit address, as highlighted by the following sniplet of code.


Due to the incorrect reference, ECX points to a very remote, non-existent 
memory location, causing IE to crash (DoS).

However, although the location is some what distant, history dictates that a 
condition of this nature is conducive towards reliable exploitation.

Proof of Concept:

Computer Terrorism (UK) can confirm the production of reliable proof of 
concept (PoC) for this vulnerability (tested on Windows XP SP2).
However, until a patch is developed, we will NOT be publicly disclosing our 

Temporary Solution:

Users are advised to disable active scripting for non-trusted sites until a 
patch is released.

Vendor Status:

The Vendor has been informed of all aspects of this new vulnerability 
(including PoC), but as of the date of the document, this vulnerability is 

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC