From nisr@nextgenss.com Sat May 3 04:55:45 2003 From: NGSSoftware Insight Security Research To: bugtraq@securityfocus.com Date: Thu, 24 Apr 2003 17:14:59 +0100 Subject: Internet Explorer Plugin.ocx heap overflow (#NISR24042003) [ The following text is in the "iso-8859-1" character set. ] [ Your display is set for the "US-ASCII" character set. ] [ Some characters may be displayed incorrectly. ] NGSSoftware Insight Security Research Advisory Name: Internet Explorer ActiveX Control Heap Overflow Systems Affected: IE 5.01 SP3, 5.5 SP2, 6.0 Gold, 6.0 SP1 Severity: Critical Risk Category: Heap Overflow Vendor URL: http://www.microsoft.com Author: Mark Litchfield (mark@ngssoftware.com) Date: 24th April 2003 Advisory number: #NISR24042003 Description *********** Internet Explorer is the most popular web browser in use by the internet community with a reported 95% user base of internet users. IE suffers from a heap based buffer overflow vulnerability that can be exploited via e-mail or by viewing a web page. Details ******* There is an exploitable heap overflow vulnerability in Microsoft's ActiveX control, Plugin.ocx. By default, plugin.ocx is marked safe for scripting, and as such, if an IE user were to visit a malicious web page, the overflow could be triggered allowing for a "remote" compromise of the user's machine. Alternatively, an attacker could send their target a specially crafted e-mail, loaded with an exploit to take advantage of this vulnerability. The problem arises by passing an overly long string to the Load method of the control. Fix Information *************** NGSSoftware alerted Microsoft to this vulnerability on 13th December 2002. The patch information is available from http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS03-015.asp Further Information ******************* For further information about the scope and effects of buffer overflows, please see http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf http://www.ngssoftware.com/papers/ntbufferoverflow.html http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf http://www.ngssoftware.com/papers/unicodebo.pdf About NGSSoftware ***************** NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments. http://www.ngssoftware.com/ http://www.ngsconsulting.com/ Telephone +44 208 401 0070 Fax +44 208 401 0076 enquiries@ngssoftware.com