Thursday, December 13, 2007

[NT] Microsoft Internet Explorer JavaScript setExpression Heap Corruption Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

- - - - - - - - -

Microsoft Internet Explorer JavaScript setExpression Heap Corruption Vulnerability
------------------------------------------------------------------------


SUMMARY

Internet Explorer is "a graphical web browser developed by Microsoft Corp.
and included as part of Microsoft Windows since 1995. The setExpression
method is commonly used to assign a JavaScript expression to a CSS or
DHTML object within a web page". Remote exploitation of a heap corruption
vulnerability in Microsoft Corp.'s Internet Explorer web browser allows
attackers to execute arbitrary code in the context of the current user.

DETAILS

Vulnerable Systems:
* Internet Explorer version 6.0
* Internet Explorer version 7.0

The vulnerability lies in the JavaScript setExpression method, which is
implemented in mshtml.dll. When malformed parameters are supplied, memory
can be corrupted in a way that results in Internet Explorer accessing a
previously deleted object. By creating a specially crafted web page, it is
possible for an attacker to control the contents of the memory pointed to
by the released object. This allows an attacker to execute arbitrary code.

Analysis:
Exploitation of this vulnerability would allow an attacker to execute
arbitrary code in the context of the user running Internet Explorer.

In order to exploit this vulnerability, an attacker must persuade a user
to render a malicious web page using Internet Explorer. This is usually
accomplished by providing a link to the malicious page in an e-mail or
instant message.

On Windows Vista, Internet Explorer 7 runs in "Protected Mode". Since
"Protected Mode" processes web pages with lower privileges than a normal
user, it lessens the impact of this vulnerability. However, it does not
prevent arbitrary code execution on the affected system.

Workaround:
Disable Active Scripting (JavaScript) to prevent exploitation of this
issue. Applying this workaround will prevent proper rendering of web sites
that rely on JavaScript.
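The workaround above can be audited, and if wanted applied, per Internet Explorer security zone for the current user. The following is an added example, not code from the advisory or from iDefense; it assumes the standard IE zone registry layout (value 1400 = Active Scripting, data 3 = disabled, under HKCU\...\Internet Settings\Zones\<zone>), which the advisory itself does not describe.

```powershell
# Added example (not from the advisory): audit, and with -Enforce apply, the
# "Disable Active Scripting" workaround per IE security zone for the current user.
# Assumed registry layout (standard IE zone settings, not described on the page):
#   value "1400" = Active scripting; data 0 = enable, 1 = prompt, 3 = disable.
# A machine-wide policy under HKLM can override these per-user values.
param([switch]$Enforce)

$Base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
$Untrusted = @(3, 4)   # zones where the workaround should be in force

foreach ($zone in 1..4) {
    $key = Join-Path $Base $zone
    if (-not (Test-Path $key)) { continue }

    # Current Active Scripting setting for this zone ($null if the value is absent)
    $data = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
    if ($null -eq $data) { $state = 'not set (zone default)' }
    elseif ($Meaning.ContainsKey([int]$data)) { $state = $Meaning[[int]$data] }
    else { $state = "unknown ($data)" }

    # Flag untrusted zones where scripting is anything other than disabled
    $needsFix = ($Untrusted -contains $zone) -and ($data -ne 3)
    $flag = if ($needsFix) { 'NEEDS ATTENTION' } else { 'ok' }
    '{0,-16} Active Scripting: {1,-24} {2}' -f $ZoneNames[$zone], $state, $flag

    if ($Enforce -and $needsFix) {
        Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
        "  -> zone $zone ($($ZoneNames[$zone])) set to disabled"
    }
}
```

Run without switches to report only; pass -Enforce to set the Internet and Restricted sites zones to disabled, which as the advisory notes will break sites that depend on JavaScript.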

Vendor response:
Microsoft has addressed this vulnerability within Microsoft Security
Bulletin MS07-069. For more information, consult their bulletin at the
following URL:
<http://www.microsoft.com/technet/security/Bulletin/MS07-069.mspx>


CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3902>
CVE-2007-3902

Disclosure Timeline:
05/08/2007 - Initial vendor notification
05/08/2007 - Initial vendor response
12/11/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=631>

