A number of security holes in Internet Explorer
Once again, several weak points have been found in Internet Explorer. It is not yet clear whether they can be used to inject and execute arbitrary code. In tests conducted by heise Security, the weak points at least caused Internet Explorer to crash.
In his blog, Metasploit developer H. D. Moore has reported two security holes in ActiveX components. FrSIRT of France has categorized the hole that Moore found in the ActiveX module HHCtrl, which is used to display HTML help files, as critical. During the processing of manipulated Image properties, a heap-based buffer overflow occurs. Moore claims that attackers may be able to use this buffer overflow to inject malicious code into the system and execute it with the user's rights.
A web site can provoke a crash, if not more, if a filter is set several times for the property Recordset in the ActiveX Control database ADODB. The NULL pointer dereference that results then causes Internet Explorer to crash.
Moore says that both of these errors were reported to Microsoft in March, and he has now published simple demonstrations. Recently, the Metasploit developer has been drawing attention to himself as a proponent of a full-disclosure policy. For example, he was one of the first to develop a working exploit for the WMF hole. His exploit for the recently closed RRAS weak point also did not make him very popular at Microsoft. Now Moore has even announced the "Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July". He won't disclose a direct path to remote code execution, though.
Plebo Aesdi Nael has also reported two additional security holes at the Full Disclosure mailing list. Once again, one of them occurs when hta files are being processed. These hta files are HTML applications - in other words, programs packaged in HTML. As long as they are on a WebDAV server or a Windows share that can be reached, for instance, the only thing users need to do to execute such programs is double-click on them. It might even be possible to simplify the process for execution. Up to now, Microsoft has only made the very vague statement that it was looking into the problem.
The other weak point that Nael reported concerns cross-domain protection. Scripts in web sites should only be able to access their own content, not the content of other web sites, for example. In combination with a redirect, however, a script can also read out the content of external sites via the property object.documentElement.outerHTML. In Internet Explorer 7, this attack no longer works thanks to the browser's new security mechanisms. There were rumours that this weak point also affected Firefox, but that turned out to be a misunderstanding. While Firefox does open the second page and display the content, the script can not read out the content. Security service provider Secunia has published a demonstration site where you can check to see if your browser is vulnerable to this hole.
- IE_ONE_MINOR_ONE_MAJOR, Plebo Aesdi Nael's security alert at Full Disclosure
- Internet Explorer Information Disclosure Vulnerability Test, test of cross-domain weak point at Secunia
- ADODB.Recordset Filter Property, H.D. Moore's error report
- ADODB.Recordset Filter Property, H.D. Moore's error report
(ehe)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
