In about a week and a half, three new Internet Explorer security holes were publicly disclosed:
- 13-Mar-06: Jeffrey van der Stad reported a vulnerability in IE that allows HTA files to be run without the user's permission.
- 16-Mar-06: Michal Zalewski published a Proof-of-Concept for a vulnerability in the way IE handles a large number of events in a single HTML tag.
- 22-Mar-06 (today): A memory corruption vulnerability was disclosed on Full-Disclosure by Stelian Ena (although he claims it is a "well known issue").
The problem is in the way IE handles a call to the createTextRange method on a CheckBox control. According to MSDN, the CheckBox control does not expose createTextRange at all, so such a call should simply fail; instead, IE goes ahead and corrupts memory.
The published Proof-of-Concept will only crash the browser. But I've managed to create another Proof-of-Concept (which I WILL NOT publicly disclose just yet), and it seems that this memory corruption vulnerability is exploitable for remote code execution on a fully patched XP SP2. It might also be exploitable on other Windows operating systems.
Too many holes in such a short time... We can only hope MS will take these problems seriously and provide a patch soon.
[UPDATE:] "Computer Terrorism (UK) :: Incident Response Centre" has published an advisory for the createTextRange vulnerability. They also confirm that they have produced a Proof-of-Concept and have already notified Microsoft about this issue.
[UPDATE2:] Secunia has also reported on this issue, this time for the Radio control.
I would like to add that three types of input controls can be used to exploit this vulnerability: CheckBox, Radio (as already reported) and Image control (<input type="image">).
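All three controls share one trigger: a createTextRange() call on an input whose type, per MSDN, does not have that method. Until a patch exists, a content filter (proxy, mail gateway, or a script run over captured pages) can at least flag documents that do this. The following is an added example written for this post, not code from the original entry or from any of the advisories it cites; the function names, regular expressions and sample pages are its own constructed assumptions, and it is a static heuristic that resolves the call's receiver by element id, so it will miss dynamically created elements or receivers held in an aliased variable.

```javascript
"use strict";

// Added example, not code from the original post or the advisories.
// Heuristic scanner that flags HTML pages calling createTextRange() on
// the three input types the post names (checkbox, radio, image).
// Regexes, function names and sample pages are this example's own
// assumptions; they are not taken from any published PoC.

// Input types on which MSDN defines no createTextRange method; per the
// post, a call on any of them reaches the memory corruption bug.
const NON_TEXTRANGE_INPUT_TYPES = new Set(["checkbox", "radio", "image"]);

// Read one attribute out of an <input ...> attribute string. Accepts
// double-quoted, single-quoted and bare values; returns null if absent.
function readAttr(attrs, name) {
  const re = new RegExp(
    "\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))",
    "i"
  );
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Map element id -> input type for every <input> tag in the document.
// A missing type attribute means type=text, which legitimately has
// createTextRange, so such inputs are never flagged.
function collectInputTypes(html) {
  const types = new Map();
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const id = readAttr(m[1], "id");
    if (id === null) continue;
    const type = (readAttr(m[1], "type") || "text").toLowerCase();
    types.set(id, type);
  }
  return types;
}

// Receiver forms a script can use to reach an element by id in IE:
//   document.getElementById("c").createTextRange()
//   document.all.c.createTextRange()
//   c.createTextRange()            (IE exposes element ids as globals)
// Capture groups 1/2/3 hold the id for each form respectively.
const CALL_RE =
  /(?:document\.getElementById\(\s*["']([\w-]+)["']\s*\)|document\.all\.(\w+)|(?<![\w.$])(\w+))\.createTextRange\s*\(/g;

// Return one finding per createTextRange() call whose receiver resolves
// to a checkbox, radio or image input declared in the same page.
function findSuspiciousTextRangeCalls(html) {
  const types = collectInputTypes(html);
  const findings = [];
  let m;
  CALL_RE.lastIndex = 0;
  while ((m = CALL_RE.exec(html)) !== null) {
    const id = m[1] || m[2] || m[3];
    const type = types.get(id);
    if (type !== undefined && NON_TEXTRANGE_INPUT_TYPES.has(type)) {
      findings.push({ id, type, offset: m.index });
    }
  }
  return findings;
}

// Constructed sample pages (assumptions for this example, not the
// published PoC): one per affected control type, plus a legitimate
// text-input use of createTextRange that must not be flagged.
const SAMPLE_CHECKBOX = [
  '<input type="checkbox" id="c">',
  '<script>var r = document.getElementById("c").createTextRange();</script>',
].join("\n");
const SAMPLE_RADIO =
  "<input type=radio id=r><script>document.all.r.createTextRange();</script>";
const SAMPLE_IMAGE =
  "<input type='image' id='i' src='x.gif'><script>i.createTextRange();</script>";
const SAMPLE_BENIGN =
  '<input id="t" value="hello"><script>var tr = document.getElementById("t").createTextRange();</script>';

const SAMPLES = { SAMPLE_CHECKBOX, SAMPLE_RADIO, SAMPLE_IMAGE, SAMPLE_BENIGN };
for (const name of Object.keys(SAMPLES)) {
  console.log(name, JSON.stringify(findSuspiciousTextRangeCalls(SAMPLES[name])));
}
```

A hit means the page deserves a look, not that it is necessarily malicious; the only real fix is the vendor patch, and a scanner like this cannot see calls built at runtime (an element created with document.createElement, or an id pulled out of a string), so treat it as a tripwire for the known public PoC pattern rather than as protection.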
[UPDATE3:] Microsoft has published a security advisory for the createTextRange vulnerability.
[UPDATE4:] Beware: createTextRange vulnerability exploits are out!