=====================================================================
                                    CERT-Renater

                         Information Note No. 2006/VULN443
_____________________________________________________________________

DATE                      : 09/08/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Internet Explorer on Windows

======================================================================

MS06-042 - Cumulative Security Update for Internet Explorer (918899)

   - Affected Software:
     - Microsoft Windows 2000 Service Pack 4
     - Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
       Pack 2
     - Microsoft Windows XP Professional x64 Edition
     - Microsoft Windows Server 2003 and Microsoft Windows Server 2003
       Service Pack 1
     - Microsoft Windows Server 2003 for Itanium-based Systems and
       Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
     - Microsoft Windows Server 2003 x64 Edition

   - Impact: Remote Code Execution
   - Version Number: 1.0

From the Microsoft Security Bulletin MS06-042:

Vulnerability Details

Redirect Cross-Domain Information Disclosure Vulnerability - CVE-2006-3280

An information disclosure vulnerability exists in Internet Explorer in the
way that a redirect is handled. An attacker could exploit the vulnerability
by constructing a specially crafted Web page that could allow for
information disclosure if a user viewed the Web page. An attacker who
successfully exploited this vulnerability could read file data from a Web
page in another Internet Explorer domain. This other Web page must use gzip
encoding or some other compression type supported by Internet Explorer for
any information disclosure to occur. This other Web page must also be cached
on the client side for a successful exploit.

HTML Layout and Positioning Memory Corruption Vulnerability - CVE-2006-3450

A remote code execution vulnerability exists in the way Internet Explorer
interprets HTML with certain layout positioning combinations. An attacker
could exploit the vulnerability by constructing a specially crafted Web page
that could potentially allow remote code execution if a user viewed the Web
page. An attacker who successfully exploited this vulnerability could take
complete control of an affected system.

CSS Memory Corruption Vulnerability - CVE-2006-3451

A remote code execution vulnerability exists in the way Internet Explorer
handles chained Cascading Style Sheets (CSS). An attacker could exploit the
vulnerability by constructing a specially crafted Web page that could
potentially allow remote code execution if a user viewed the Web page. An
attacker who successfully exploited this vulnerability could take complete
control of an affected system.

HTML Rendering Memory Corruption Vulnerability - CVE-2006-3637

A remote code execution vulnerability exists in the way Internet Explorer
interprets HTML with certain layout combinations. An attacker could exploit
the vulnerability by constructing a specially crafted Web page that could
potentially allow remote code execution if a user viewed the Web page. An
attacker who successfully exploited this vulnerability could take complete
control of an affected system.

COM Object Instantiation Memory Corruption Vulnerability - CVE-2006-3638

A remote code execution vulnerability exists in the way Internet Explorer
instantiates COM objects that are not intended to be instantiated in
Internet Explorer. An attacker could exploit the vulnerability by
constructing a specially crafted Web page that could potentially allow
remote code execution if a user viewed the Web page. An attacker who
successfully exploited this vulnerability could take complete control of an
affected system.

Source Element Cross-Domain Vulnerability - CVE-2006-3639

A remote code execution and information disclosure vulnerability exists in
Internet Explorer in the way that a redirect is handled. An attacker could
exploit the vulnerability by constructing a specially crafted Web page that
could allow for information disclosure if a user viewed the Web page. An
attacker who successfully exploited this vulnerability could read file data
from a Web page in another Internet Explorer domain.

On Windows 2000 Service Pack 4 and Windows XP Service Pack 1 an attacker
could exploit the vulnerability by constructing a specially crafted Web
page that could potentially allow remote code execution if a user viewed
the Web page. An attacker who successfully exploited this vulnerability
could take complete control of an affected system.

Window Location Information Disclosure Vulnerability - CVE-2006-3640

An information disclosure vulnerability exists in Internet Explorer where
script can be persisted across navigations and used to gain access to the
location of a Window in another domain or Internet Explorer zone. An
attacker could exploit the vulnerability by constructing a specially crafted
Web page that could allow for information disclosure if a user viewed the
Web page. An attacker who successfully exploited this vulnerability could
gain access to the Window location of a Web page in another domain or
Internet Explorer zone.

FTP Server Command Injection Vulnerability - CVE-2004-1166

An elevation of privilege vulnerability exists in the way Internet Explorer
handles specially crafted FTP links that contain line feeds. An attacker
could exploit the vulnerability by constructing a specially crafted Web page
that could potentially allow the attacker to issue FTP server commands if a
user clicked on an FTP link. An attacker who successfully exploited this
vulnerability could issue server commands as the user to servers.
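
Added example, not part of the Microsoft bulletin or of this note: a
defensive check that flags FTP links carrying a carriage return or line feed
once percent-decoded, usable on proxy logs or stored HTML. The host names,
sample lines and function names are constructed for illustration, and the
three-round decoding limit is an assumption.

```python
import re
from urllib.parse import unquote

# ftp:// URLs embedded in arbitrary text; \b keeps "sftp://" from matching.
FTP_URL = re.compile(r"\bftp://[^\s\"'<>]+", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # assumption: enough to expose nested forms such as %250a

# Constructed sample input (not taken from any real log or page).
SAMPLE_LINES = [
    '<a href="ftp://ftp.example.test/pub/readme.txt">readme</a>',
    '<a href="ftp://ftp.example.test/pub/a%0Ab.txt">notes</a>',
    '<a href="ftp://user%0d%0ax@ftp.example.test/pub/">mirror</a>',
    '<a href="ftp://ftp.example.test/pub/a%250ab.txt">archive</a>',
    '<a href="http://www.example.test/a%0Ab">not ftp</a>',
]

def decode_fully(value):
    """Percent-decode repeatedly so nested encodings are exposed."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def ftp_link_findings(url):
    """Return the parts of an FTP URL that contain CR or LF after decoding."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "ftp":
        return []
    authority, _, path = rest.partition("/")
    userinfo, _, host = authority.rpartition("@")
    fields = {"userinfo": userinfo, "host": host, "path": path}
    return [name for name, raw in fields.items()
            if any(ch in decode_fully(raw) for ch in "\r\n")]

def scan(lines):
    """Return (line number, URL, offending parts) for each suspicious FTP link."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for url in FTP_URL.findall(line):
            parts = ftp_link_findings(url)
            if parts:
                hits.append((number, url, parts))
    return hits

if __name__ == "__main__":
    for number, url, parts in scan(SAMPLE_LINES):
        print(f"line {number}: CR/LF in {', '.join(parts)} of {url}")
```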

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================

