Security Advisory : CT22-03-2006
Microsoft Internet Explorer (mshtml.dll)
Remote Code Execution
Internet Explorer 6.x & 7 Beta 2
Pursuant to the publication of the aforementioned bug/vulnerability, this
document serves as a preliminary Security Advisory for users of Microsoft
Internet Explorer 6 and 7 Beta 2.
Successful exploitation will allow a remote attacker to execute arbitrary
code against a fully patched Windows XP system, yeilding system access with
privileges of the underlying user.
2. TECHNICAL NARRATIVE
As per the publication, the bug originates from the use of a createTextRange()
method, which, under certain circumstances, can lead to an invalid/corrupt
table pointer dereference.
As a result, IE encounters an exception when trying to call a deferenced
32bit address, as highlighted by the following sniplet of code.
0x7D53C15D MOV ECX, DWORD PTR DS:[EDI]
0x7D53C166 CALL DWORD PTR [ECX]
Due to the incorrect reference, ECX points to a very remote, non-existent
memory location, causing IE to crash (DoS). However, although the location
is some what distant, history dictates that a condition of this nature is
3. PROOF OF CONCEPT
Computer Terrorism (UK) can confirm the production of reliable proof of
concept (PoC) for this vulnerability (tested on Windows XP SP2). However,
until a patch is developed, we will NOT be publicly disclosing our research.
4. TEMPORARY SOLUTION
Users are advised to disable active scripting for non-trusted
sites until a patch is released.
5. VENDOR STATUS
The Vendor has been informed of all aspects of this new vulnerability
(including PoC), but as of the date of the document, this vulnerability is
Originally Discovered @
Subsequent postings @
Computer Terrorism (UK) :: Incident Response Centre.
Contact Us |