If at first you don't succeed; call it version 1.0
Wednesday, 22 March 2006

In about a week and a half, three new Internet Explorer security holes were publicly disclosed:

- 13-Mar-06: Jeffrey van der Stad reported a vulnerability in IE that allows running HTA files without the user's permission.
- 16-Mar-06: Michal Zalewski published a Proof-of-Concept for a vulnerability in the way IE handles a large number of events in a single HTML tag.
- 22-Mar-06 (Today): A memory corruption vulnerability was disclosed on Full-Disclosure by Stelian Ena (although he claims it to be a "well known issue").

The problem is with the way IE calls the createTextRange method on a CheckBox control. According to MSDN, the CheckBox control should not have a createTextRange method.
The published Proof-of-Concept will only crash the browser. But, I've managed to create another Proof-of-Concept (which I WILL NOT publicly disclose just yet), and it seems that this memory corruption vulnerability is exploitable for remote code execution on a fully patched XP SP2. It might also be exploitable on other Windows operating systems.

Too many holes in such a short time... We can only hope MS will take these problems seriously and provide a patch soon.

[UPDATE:] "Computer Terrorism (UK) :: Incident Response Centre" has published an advisory for the createTextRange vulnerability. They also confirm that they have produced a Proof-of-Concept and have already notified Microsoft about this issue.

[UPDATE2:] Secunia has also reported on this issue. This time about the Radio Control.

I would like to add that 3 types of input controls can be used to exploit this vulnerability: CheckBox, Radio (as already reported) and Image control (<input type="image">).
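For defenders who want to spot pages that touch this code path, here is a small static heuristic, added as an example and not part of the original post: it flags an HTML document only when inline script or an event-handler attribute calls createTextRange and the document also contains an input control of one of the three affected types named above. The sample pages in the block are constructed for the test, not taken from any advisory.

```python
import re
from html.parser import HTMLParser

# Input types the post names as reaching the faulty createTextRange path.
AFFECTED_TYPES = {"checkbox", "radio", "image"}
CALL_RE = re.compile(r"\.createTextRange\s*\(", re.IGNORECASE)


class _Collector(HTMLParser):
    """Collect <input> types and note any createTextRange call in inline
    script blocks or in attribute values (e.g. onclick handlers)."""

    def __init__(self):
        super().__init__()
        self.input_types = set()
        self.call_seen = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "input":
            kind = dict(attrs).get("type") or "text"   # HTML default is text
            self.input_types.add(kind.strip().lower())
        elif tag == "script":
            self._in_script = True
        # Inline handlers such as onclick="..." may also carry the call.
        if any(v and CALL_RE.search(v) for _, v in attrs):
            self.call_seen = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data.
        if self._in_script and CALL_RE.search(data):
            self.call_seen = True


def find_suspicious_inputs(html):
    """Return the affected input types present in a document that calls
    createTextRange; an empty set means the heuristic did not fire."""
    p = _Collector()
    p.feed(html)
    p.close()
    return p.input_types & AFFECTED_TYPES if p.call_seen else set()


# Constructed samples: a benign page (text input) and a matching one.
BENIGN = '<input type="text" id="t"><script>document.getElementById("t").createTextRange();</script>'
SUSPECT = '<input type="checkbox" id="c"><script>document.getElementById("c").createTextRange();</script>'
```

The heuristic only inspects markup it can see; script loaded from another URL or built at runtime is out of its reach, so treat a hit as a triage signal rather than proof.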

[UPDATE3:] Microsoft has published a security advisory for the createTextRange vulnerability.

[UPDATE4:] Beware... createTextRange vulnerability exploits are out!

Wednesday, 22 March 2006 13:09:24 UTC | Comments [0] | Security#