Exploit code targets IE memory corruption flaw

By Bill Brenner, News Writer 21 Nov 2005 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Updated Tuesday, Nov. 22, to include advisories from Microsoft, Symantec and the SANS Internet Storm Center.

Exploit code is now circulating for a memory corruption flaw in Internet Explorer (IE) that first came to light in May, security experts warned Monday. Malicious people could take advantage of the security hole by using specially crafted JavaScript code to launch an attack.

Cupertino, Calif.-based Symantec told customers of its DeepSight Threat Management System that the appearance of proof-of-concept code is one of the reasons why its ThreatCon remains at Level 2. The rating applies when "knowledge or the expectation of attack activity is present, without specific events occuring or when malicious code reaches a moderate risk rating."

The Bethesda, Md.-based SANS Internet Storm Center, meanwhile, has raised its alert status to yellow. The center typically does so to increase awareness when a new threat appears.

"A critical vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands," the French Security Incident Response Team (FrSIRT) said in an advisory. "This flaw is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to the JavaScript 'window()' object and the 'body onload' tag, which could be exploited by remote attackers to take complete control of an affected system by convincing a user to visit a malicious Web page."

Danish vulnerability clearinghouse Secunia first issued an advisory for the vulnerability May 31, saying certain objects aren't initialized correctly "when the 'window()' function is used in conjunction with the '' event." This could be exploited "to execute arbitrary code on a vulnerable browser via some specially crafted JavaScript code called directly when a site has been loaded," said the firm, which updated its advisory Monday to note the appearance of exploit code. The firm also raised the severity rating to "extremely critical."

Secunia confirmed the vulnerability on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2, and Internet Explorer 6.0 and Microsoft Windows 2000 SP4.

The firm recommended users protect themselves by disabling Active Scripting unless it's on a trusted site.

FrSIRT said users can do this by:

• Starting Internet Explorer;
• Clicking "Internet Options" under the Tools menu;
• Clicking "Custom Level" on the Security tab;
• Clicking "Disable" under Active scripting in the Settings box; and
• Clicking OK.

Microsoft has issued an advisory on the flaw and exploit code, saying, "This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible."

The software giant added, "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

Tags: Application Attacks (Buffer Overflows, Cross-Site Scripting),  Web Application Security,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Attacks (Buffer Overflows, Cross-Site Scripting) Latest zero-day attacks only target IE 6, Microsoft says Social networking security: Twitter, Facebook hacker attacks climbing Web application attacks security guide: Preventing attacks and flaws How to stop buffer-overflow attacks and find flaws, vulnerabilities Preventing and stopping SQL injection hack attacks Distributed denial-of-service protection: How to stop DDoS attacks Prevent cross-site scripting hacks with tools, testing Firefox, Opera, Safari browsers top list of high risk software Information security book excerpts and reviews Quiz: How to build secure applications Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Application Security Attackers zero in on Web application vulnerabilities Self-defending Web applications thwart attacks Facebook, McAfee partner to fix social network security issues Web application attacks security guide: Preventing attacks and flaws Using unique device identification for bank website security Information security book excerpts and reviews Black box and white box testing: Which is best? InZero Systems launches hardware-based security gateway Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective Web Browser Security Microsoft warns that IE zero-day vulnerability causes data leakage Browser exploit kit probe highlights need for patching, vigilance Google to pay for Chrome browser vulnerabilities Attackers continue barrage of SEO attacks Microsoft emergency IE update to block latest corporate attacks Facebook, McAfee partner to fix social network security issues Firefox, Opera, Safari browsers top list of high risk software Mozilla fixes Firefox critical memory corruption errors FBI estimates rogue antivirus losses exceeding $150 million Adobe updates Flash Player, fixes seven serious vulnerabilities Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary