CPNI - Centre for the Protection of National Infrastructure

March 2006

Vulnerability in Microsoft Internet Explorer

ID: 00230
Ref: 230/06
Date: 23 March 2006:16:40:11
Version: 1

Title: Vulnerability in Microsoft Internet Explorer
Abstract: UNIRAS has been made aware of a new vulnerability in Internet Explorer. It appears that there is a heap overflow relating to the createTextRange() DHTML method. If successfully exploited, this will allow a remote attacker to execute arbitrary code.
Vendors affected: Microsoft
Operating systems affected: Microsoft
Applications affected: Microsoft


Title
=====
Vulnerability in Microsoft Internet Explorer


Detail
======

UNIRAS has been made aware of a new vulnerability in Internet Explorer. It appears
that there is a heap overflow relating to the createTextRange() DHTML method. If
successfully exploited, this will allow a remote attacker to execute arbitrary code.
It does not appear that this vulnerability affects versions of Outlook or Outlook
Express that are supported by Microsoft.

UNIRAS recommends that readers follow normal security practices such as visiting
only trusted sites and not following links from suspicious e-mails.

Further information can be found at the following URLs:

MICROSOFT SECURITY RESPONSE CENTER BLOG

" We're still investigating, but we have confirmed this vulnerability and I am
writing a Microsoft Security Advisory on this. But we wanted to make sure
customers knew we were aware of this and we will address it in a security
update. "

" Our initial investigation has revealed that if you turn off Active Scripting,
that will prevent the attack as this requires script. "

http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx


US-CERT - Microsoft Internet Explorer createTextRange() vulnerability

" By convincing a user to open a specially crafted web page, a remote
unauthenticated attacker may be able to execute arbitrary code on a vulnerable
system. "

" Known attack vectors for this vulnerability require Active Scripting to be
enabled. By disabling Active Scripting, the chances of exploitation are reduced.
For instructions on how to disable Active Script in Internet Explorer, please
refer to the Internet Explorer section of the Securing Your Web Browser
document. "

http://www.kb.cert.org/vuls/id/876678
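
Both sources above name disabling Active Scripting as the interim mitigation. The PowerShell audit below is an added example, not part of the UNIRAS advisory or of the Microsoft or US-CERT text. It assumes the standard Internet Explorer zone registry layout, in which value 1400 holds the Active Scripting setting (0 enabled, 1 prompt, 3 disabled), and it reports each registry location separately without resolving precedence between them.

```powershell
# Added example: report the Active Scripting setting (URL action 1400) for every
# Internet Explorer security zone, in both policy and preference registry locations.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$states    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Locations that can carry zone settings (machine/user policy, then preferences).
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingSetting {
    foreach ($root in $roots) {
        foreach ($zone in 0..4) {
            $key = Join-Path $root "$zone"
            $raw = $null
            if (Test-Path $key) {
                $raw = (Get-ItemProperty -Path $key -Name '1400' `
                            -ErrorAction SilentlyContinue).'1400'
            }

            # An absent value means this location does not set the action;
            # another location or the zone's built-in default then applies.
            if ($null -eq $raw) {
                $state = 'Not set'
            } elseif ($states.ContainsKey([int]$raw)) {
                $state = $states[[int]$raw]
            } else {
                $state = "Other ($raw)"
            }

            [pscustomobject]@{
                Location    = $root
                Zone        = $zoneNames[$zone]
                Setting     = $state
                # Flag untrusted zones where scripting is explicitly allowed.
                NeedsReview = (3, 4 -contains $zone) -and ($state -eq 'Enabled')
            }
        }
    }
}

Get-ActiveScriptingSetting | Format-Table -AutoSize
```

A row showing "Not set" for the Internet zone in every location means no explicit setting was found, so the mitigation has not been applied through the registry on that host.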

