iPolicy Networks Security Advisory
 

IE Compressed Content URL Heap Overflow Vulnerability

Date Discovered: 09/12/2006
Severity: High
Operating Systems Affected: Microsoft Windows 2000, Microsoft Windows XP SP1, Microsoft Windows Server 2003 SP0
Applications Affected: Microsoft Internet Explorer 6.0 SP1 and prior
Synopsis
A heap overflow vulnerability has been identified in URLMON.DLL in Internet Explorer which, when exploited, allows remote attackers to cause a denial of service condition in the form of an application crash, or to cause execution of remote code.
Recommended Actions
Please download the latest vendor-supplied patch available at:
http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx
Threat Analysis
Microsoft Internet Explorer (IE) is the most widely used web browser application. The browser is capable of processing HTML, images, scripting languages, and various other popular Internet specifications.

The heap overflow occurs in URLMON.DLL in IE as follows:
When access to a URL causes an HTTP redirect (statuses 300 through 303) from the web server, and the subsequent access to the "Location" URL returns a GZIP- or deflate-encoded response, CMimeFt::ReportProgress attempts to copy the URL into a 104h-byte string buffer using the lstrcpynA API function, but it passes a maximum length argument of 824h (2084 decimal), a value typically used as the maximum length of a URL. As a result, fields within the CMimeFt class instance, as well as the contents of adjacent heap blocks, can be overwritten with attacker-supplied data from the malicious URL.
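
The size mismatch described above, modelled in portable C as an added example (not code from URLMON.DLL or from the advisory's author). The region layout, function names and sample URL are assumptions made for illustration; `bounded_copy` stands in for the lstrcpynA behaviour of copying at most the given length, terminator included.

```c
/* Added illustration: names and layout are hypothetical, not URLMON.DLL code. */
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 0x104 /* destination buffer size given in the advisory */
#define URL_MAX_LEN  0x824 /* maximum URL length, wrongly used as the limit */

/* Flat model: bytes [0, URL_BUF_SIZE) are the URL buffer; the rest stands in
   for the neighbouring fields and heap blocks. */
struct region { unsigned char mem[URL_MAX_LEN]; };

/* lstrcpynA-style copy: at most max_len - 1 characters, always terminated.
   Returns the number of bytes written, terminator included. */
static size_t bounded_copy(unsigned char *dst, const char *src, size_t max_len) {
    size_t n = strlen(src);
    if (max_len == 0) return 0;
    if (n > max_len - 1) n = max_len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n + 1;
}

/* Flawed pattern: returns how many bytes landed beyond the URL buffer. */
size_t copy_with_url_limit(struct region *r, const char *url) {
    size_t written = bounded_copy(r->mem, url, URL_MAX_LEN);
    return written > URL_BUF_SIZE ? written - URL_BUF_SIZE : 0;
}

/* Corrected pattern: the limit is the destination size; a URL that does not
   fit is rejected (-1) instead of being truncated. Returns 0 on success. */
int copy_with_buffer_limit(struct region *r, const char *url) {
    if (strlen(url) >= URL_BUF_SIZE) return -1;
    bounded_copy(r->mem, url, URL_BUF_SIZE);
    return 0;
}

/* Constructed sample input: a URL of exactly len characters ('A' padded). */
void make_url(char *out, size_t len) {
    memset(out, 'A', len);
    memcpy(out, "http://example.test/", len < 20 ? len : 20);
    out[len] = '\0';
}

int main(void) {
    struct region r; char url[601];
    make_url(url, 600);
    printf("bytes past buffer: %zu\n", copy_with_url_limit(&r, url));
    printf("bounded copy rc:   %d\n", copy_with_buffer_limit(&r, url));
    return 0;
}
```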

For the attack to succeed, the user needs to be tricked into visiting a malicious web page or clicking on a hyperlink from the IE browser with an HTTP redirect to a compressed web page. This vulnerability affects IE versions that do not have the 9/12/06 re-released patch for MS06-042 (part of the August 2006 Microsoft Security Bulletin) applied.
References
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3873
http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx
http://www.securityfocus.com/bid/19987
Write-up by: Vishal Asthana
Copyright ©2008 iPolicy Networks - Security Product Division of Tech Mahindra Limited