Exploit code targets IE memory corruption flaw

By Bill Brenner, News Writer 21 Nov 2005 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Updated Tuesday, Nov. 22, to include advisories from Microsoft, Symantec and the SANS Internet Storm Center.

Exploit code is now circulating for a memory corruption flaw in Internet Explorer (IE) that first came to light in May, security experts warned Monday. Malicious people could take advantage of the security hole by using specially crafted JavaScript code to launch an attack.

Cupertino, Calif.-based Symantec told customers of its DeepSight Threat Management System that the appearance of proof-of-concept code is one of the reasons why its ThreatCon remains at Level 2. The rating applies when "knowledge or the expectation of attack activity is present, without specific events occuring or when malicious code reaches a moderate risk rating."

The Bethesda, Md.-based SANS Internet Storm Center, meanwhile, has raised its alert status to yellow. The center typically does so to increase awareness when a new threat appears.

"A critical vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands," the French Security Incident Response Team (FrSIRT) said in an advisory. "This flaw is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to the JavaScript 'window()' object and the 'body onload' tag, which could be exploited by remote attackers to take complete control of an affected system by convincing a user to visit a malicious Web page."

Danish vulnerability clearinghouse Secunia first issued an advisory for the vulnerability May 31, saying certain objects aren't initialized correctly "when the 'window()' function is used in conjunction with the '' event." This could be exploited "to execute arbitrary code on a vulnerable browser via some specially crafted JavaScript code called directly when a site has been loaded," said the firm, which updated its advisory Monday to note the appearance of exploit code. The firm also raised the severity rating to "extremely critical."

Secunia confirmed the vulnerability on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2, and Internet Explorer 6.0 and Microsoft Windows 2000 SP4.

The firm recommended users protect themselves by disabling Active Scripting unless it's on a trusted site.

FrSIRT said users can do this by:

• Starting Internet Explorer;
• Clicking "Internet Options" under the Tools menu;
• Clicking "Custom Level" on the Security tab;
• Clicking "Disable" under Active scripting in the Settings box; and
• Clicking OK.

Microsoft has issued an advisory on the flaw and exploit code, saying, "This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible."

The software giant added, "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

Tags: Application Attacks (Buffer Overflows, Cross-Site Scripting),  Web Application Security,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Attacks (Buffer Overflows, Cross-Site Scripting) Quiz: How to build secure applications Black box and white box testing: Which is best? Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Application Security Black box and white box testing: Which is best? InZero Systems launches hardware-based security gateway Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective Cisco acquires SaaS security vendor ScanSafe Web application firewall use goes beyond compliance, company finds Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Barracuda acquires Purewire expanding Web security reach An enterprise strategy for Web application security threats Web Browser Security Exploit code targets Internet Explorer zero-day display flaw InZero Systems launches hardware-based security gateway Web security firm ranks Firefox, Safari browsers as flaw prone Microsoft fixes security update that breaks Internet Explorer Mozilla update repairs Firefox buffer overflow vulnerabilities Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Do Facebook URL security concerns justify blocking social networks? Phishing attacks to remain a major problem, say security experts Adrian Perrig: Improve SSL/TLS Security Through Education and Technology Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary