SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE)
Vendors:   Microsoft
(A Variant is Reported) Re: Microsoft Internet Explorer (IE) Object Tag Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007554
SecurityTracker URL:  http://securitytracker.com/id/1007554
CVE Reference:   CAN-2003-0701
Updated:  Jan 9 2004
Original Entry Date:  Aug 22 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6.0 SP1 Japanese Edition
Description:   A vulnerability was reported in Microsoft Internet Explorer (IE) in the processing of certain object tags. A remote user can cause arbitrary code to be executed by the target user's IE browser.

In the original alert (based on MS03-020), it was reported that a remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code. The code will run with the privileges of the target user.

The buffer overflow reportedly occurs when IE attempts to determine an object's type, where a specially crafted parameter can trigger the overflow.

Microsoft credited eEye Digital Security with reporting this flaw.

A variant of the originally reported flaw was reported by SNS. A remote user can execute arbitrary code on Internet Explorer 6 Service Pack 1 Japanese Edition.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code with the privileges of the target user.
Solution:   Microsoft originally issued a patch (MS03-020), but with the discovery of a variant of the original flaw, has released a new patch (MS03-032).

For all versions except Microsoft Internet Explorer 6.0 for Windows Server 2003:

http://www.microsoft.com/windows/ie/downloads/critical/822925/default.asp

For Microsoft Internet Explorer 6.0 for Windows Server 2003:

http://www.microsoft.com/windows/ie/downloads/critical/822925s/default.asp

The appropriate patch can be installed on IE 5.01 running on Windows 2000 systems with SP3 or SP4 installed, IE 5.5 SP2, IE 6.0 Gold, and IE 6.0 SP1.

This patch will reportedly be included in Windows XP SP2 and Windows Server 2003 SP1.

A reboot is required after installing this patch.

This patch supersedes the one reported in MS03-020.

See the vendor advisory for some important caveats regarding the HTML Help feature.

Microsoft plans to issue Knowledge Base article 822925 regarding this issue, to be available shortly on the Microsoft Online Support web site:

http://support.microsoft.com/default.aspx?scid=kb;en-us;822925

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS03-032.asp
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 4 2003 Microsoft Internet Explorer (IE) Object Tag Buffer Overflow Lets Remote Users Execute Arbitrary Code



 Source Message Contents

Date:  Thu, 21 Aug 2003 13:59:51 +0900
Subject:  [SNS Advisory No.68] Internet Explorer Object Type Buffer Overflow in Double-Byte Character Set Environment


----------------------------------------------------------------------
SNS Advisory No.68
Internet Explorer Object Type Buffer Overflow in Double-Byte Character Set Environment 

Problem first discovered on: Fri, 06 June 2003 
Published on: Thu, 21 Aug 2003
----------------------------------------------------------------------

Overview:
---------
  Microsoft Internet Explorer is vulnerable to a buffer overflow under 
  the double-byte character set environment.


Problem Description:
--------------------
  A buffer overflow occurs in Microsoft Internet Explorer when HTML 
  files with an unusually long string including double-byte character 
  sets in the Type property of the Object tag are processed. 

  In order to trigger this vulnerability, malicious website administrators
  could induce Internet Explorer users to view a specially crafted web 
  site and consequently execute arbitrary code with the users' privileges.

  This problem differs from the issue described in MS03-020 in that it
  affects only specific language versions, including Japanese.  
  Arbitrary codes could be successfully executed on Internet Explorer 
  6 SP1 Japanese in a testing environment. 


Tested Version:
---------------
  Internet Explorer 6 Service Pack 1 Japanese Edition


Solution:
---------
  Apply an appropriate patch available at:

  Microsoft Security Bulletin MS03-032:
  http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

  Microsoft Security Bulletin MS03-032(Japanese site):
  http://www.microsoft.com/japan/technet/security/bulletin/MS03-032.asp 


Discovered by:
--------------
  Yuu Arai y.arai@lac.co.jp


Acknowledgements:
-----------------

  Thanks to:
  Security Response Team of Microsoft Asia Limited

  The attack technique was originally found by:
  eEye Digital Security  http://www.eEye.com


Disclaimer:
-----------
  The information contained in this advisory may be revised without prior 
  notice and is provided as it is. Users shall take their own risk when 
  taking any actions following reading this advisory. LAC Co., Ltd. shall 
  take no responsibility for any problems, loss or damage caused by, or 
  by the use of information provided here.

  This advisory can be found at the following URL: 
  http://www.lac.co.jp/security/english/snsadv_e/68_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
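
Added example (not part of the SNS advisory or the SecurityTracker entry): a content-inspection check for the condition both describe, an unusually long or double-byte string in the Type attribute of an Object tag. The 255-byte limit (from the RFC 6838 media-type length rule), the cp932 code page and all names below are assumptions of this example; the byte count is reported beside the character count because the two diverge for double-byte text.

```python
from html.parser import HTMLParser

# Assumptions of this example: RFC 6838 limits a media type to 127 + "/" + 127
# ASCII characters, so a longer or non-ASCII value is not a real MIME type.
MAX_TYPE_BYTES = 255
DBCS_CODEC = "cp932"  # Windows Japanese (Shift_JIS) code page


class ObjectTypeAuditor(HTMLParser):
    """Records <object type=...> values that cannot be valid media types."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <OBJECT TYPE=...> matches.
        if tag != "object":
            return
        for name, value in attrs:
            if name == "type" and value:
                self._check(value)

    def _check(self, value):
        # Byte length as a double-byte locale would store the string; it can
        # be up to twice the character count.
        nbytes = len(value.encode(DBCS_CODEC, errors="replace"))
        reasons = []
        if not value.isascii():
            reasons.append("non-ascii")
        if nbytes > MAX_TYPE_BYTES:
            reasons.append("too-long")
        if reasons:
            self.findings.append({"line": self.getpos()[0], "chars": len(value),
                                  "bytes": nbytes, "reasons": reasons})


def audit_html(text):
    """Return one finding per suspicious <object type> value in the document."""
    auditor = ObjectTypeAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.findings


# Constructed sample page: one ordinary tag, then two that should be flagged.
SAMPLE = (
    '<object type="application/x-shockwave-flash" data="a.swf"></object>\n'
    '<object type="text/' + "\u3042" * 150 + '"></object>\n'
    '<OBJECT TYPE="' + "A" * 300 + '"></OBJECT>\n'
)
```

The second sample tag is 155 characters but 305 bytes in cp932, so a limit applied to the character count alone would let it through.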



 
 



Copyright 2012, SecurityGlobal.net LLC