(Viruses Are Exploiting This Flaw) Microsoft Internet Explorer Buffer Overflow in IFRAME/EMBED Tag Processing Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1012146 |
|
SecurityTracker URL: http://securitytracker.com/id/1012146
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 9 2004
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 6
|
Description:
A buffer overflow vulnerability was reported in Microsoft Internet Explorer (IE) in the processing of IFRAME and EMBED tags. A remote user can execute arbitrary code on the target user's system.
ned from felinemenace.org and Berend-Jan Wever and others reported that IE does not properly validate certain IFRAME and EMBED tag attributes. A remote user can create specially crafted HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
A specially crafted SRC and NAME attribute can trigger the flaw, allowing the HTML to modify the EAX register, which can lead to modification of the ECX and subsequently the EIP register. A demonstration exploit is of the following form:
<IFRAME SRC=AAAAAAAAAAAA.... NAME="BBBBBBBBBBB....">
Exploit code has been released.
It is reported that systems running Windows XP SP2 are not affected.
AUSCERT subsequently reported that the MyDoom virus (variants W32/Mydoom.ag@MM and W32/Mydoom.ah@MM) are actively exploiting this vulnerability.
If the recipient clicks on a link contained in the viral e-mail message, a web page containing malicious code will load. The code triggers the buffer overflow and executes arbitrary code on the target user's system.
In these particular viruses, the malicious code requires javascript. However, the vulnerability itself does not require the use of javascript.
McAfee has assigned a "Medium" risk rating to the W32/Mydoom.ah@MM virus. The virus uses a variety of subject lines and message body contents. More information is available at:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631
|
Impact:
A remote user can execute arbitrary code on the target user's system with the privileges of the target user.
|
Solution:
No solution was available at the time of this entry.
It has been reported that Windows XP SP2 is not affected.
|
Vendor URL: www.microsoft.com/ (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Windows (Any)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 9 Nov 2004 01:16:57 -0500
Subject: http://www.auscert.org.au/render.html?it=4542
|
AUSCERT reported that the MyDoom virus (variants W32/Mydoom.ag@MM and
W32/Mydoom.ah@MM) are actively exploiting the recently disclosed Microsoft Internet
Explorer IFRAME/EMBED buffer overflow vulnerability.
If the recipient clicks on a link contained in the viral e-mail message, a web page
containing malicious code will load. The code triggers the buffer overflow and
executes arbitrary code on the target user's system.
In these particular viruses, the malicious code requires javascript. However, the
vulnerability itself does not require the use of javascript.
McAfee has assigned a "Medium" risk rating to the W32/Mydoom.ah@MM virus. The virus
uses a variety of subject lines and message body contents. More information is
available at:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631
|
|
