If at first you don't succeed; call it version 1.0
Monday, August 14, 2006

I was more than happy to help HD Moore with MoBB, and provided some nice browser bugs for this project.

One of those bugs was "MoBB #30 - Orphan Object Properties". This bug occurs when referencing an object that was created inside an object data window inside a frame, and then relocating the frame to a different position, leaving the created object orphan.
I've found this bug while creating a subset of the Hamachi fuzzer. So, I've decided to create a specific fuzzer that will find all possible orphan object referencing bugs. I've actually found over 15 crashes involving 8 different objects.

Last Tuesday Microsoft released a cumulative security update for Internet Explorer, MS06-042. I was surprised to find out that they were quick to fix the orphan objects issue, with no mention of fixing this vulnerability in the security bulletin.

As this vulnerability was silently patched and the orphan objects' bugs cannot be exploited anymore, I've decided to stop my research on this issue and I'm releasing the fuzzer to the public.
The Orphan Objects Fuzzer can be downloaded from here. An online version of the fuzzer can be found here.


On the other hand, this cumulative security patch included another patch for the "COM Object Instantiation Memory Corruption Vulnerability". Those patches (the first was MS05-038) are actually a workaround for the real problem. Instead of fixing the browser's code, Microsoft has decided to update IE's kill-bit repository with the problematic COM objects' CLSIDs.

By now, all they did is to add CLSIDs of the operating system's COM objects. What they forgot is that their user base includes a lot of PCs with 3rd party COM objects installed. Some of them (e.g. Yahoo Messenger, AOL's new Anti-Virus' Security Toolbar, and more) can be used to exploit the same vulnerability.

I don't know if they did this on purpose, or because they were not aware of the 3rd party issue. I can only hope they are going to fix this vulnerability, which is known for over 10 months now, and this time for real.

P.S. AOL's new security toolbar is not playing nice in another point of view. I will discuss this on one of my next posts.


Monday, August 14, 2006 9:12:53 AM UTC | Comments [2] | Security#
Wednesday, August 16, 2006 6:21:02 PM UTC
It appears that the patch has been causing browsers to crash when viewing http 1.1 content. I put together a .reg file to disable http 1.1 for the current user.

http://www.alicent.com/ms06-04crash.asp

Useful for admins that need to manage multiple PC's.

Hope this helps...

Matt Fleming
Alicent Small Business Solutions
Wednesday, August 16, 2006 7:16:56 PM UTC
Microsoft has released a (provided by support services only) hotfix for the http 1.1 issue: http://support.microsoft.com/kb/923762/en-us

-- Aviv Raff
Comments are closed.     
Send me an Email
Follow me on Twitter
RSS Feeds
  
Blogroll
Archive
Admin Login
Sign In
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.