[SNS Advisory No.68] Internet Explorer Object Type Buffer Overflow in Double-Byte Character Set Environment

From: SecureNet Service(SNS) Spiffy Reviews (snsadvat_private)
Date: Wed Aug 20 2003 - 21:59:51 PDT


    ----------------------------------------------------------------------
    SNS Advisory No.68
    Internet Explorer Object Type Buffer Overflow in Double-Byte Character Set Environment 
    
    Problem first discovered on: Fri, 06 June 2003 
    Published on: Thu, 21 Aug 2003
    ----------------------------------------------------------------------
    
    Overview:
    ---------
      Microsoft Internet Explorer is vulnerable to a buffer overflow in a 
      double-byte character set environment.
    
    
    Problem Description:
    --------------------
      A buffer overflow occurs in Microsoft Internet Explorer when it 
      processes an HTML file in which the Type property of the Object tag 
      contains an unusually long string that includes double-byte characters.
    
      To trigger this vulnerability, a malicious website administrator 
      could induce Internet Explorer users to view a specially crafted web 
      site and consequently execute arbitrary code with the users' privileges.
    
      This problem differs from the issue described in MS03-020 in that it
      affects only specific language versions, including Japanese.  
      Arbitrary code could be successfully executed on Internet Explorer 
      6 SP1 Japanese in a testing environment. 
    
    
    Tested Version:
    ---------------
      Internet Explorer 6 Service Pack 1 Japanese Edition
    
    
    Solution:
    ---------
      Apply an appropriate patch available at:
    
      Microsoft Security Bulletin MS03-032:
      http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
    
      Microsoft Security Bulletin MS03-032(Japanese site):
      http://www.microsoft.com/japan/technet/security/bulletin/MS03-032.asp 
    
    
    Discovered by:
    --------------
      Yuu Arai y.araiat_private
    
    
    Acknowledgements:
    -----------------
    
      Thanks to:
      Security Response Team of Microsoft Asia Limited
    
      The attack technique was originally found by:
      eEye Digital Security  http://www.eEye.com
    
    
    Disclaimer:
    -----------
      The information contained in this advisory may be revised without prior 
      notice and is provided as is. Users act at their own risk when 
      taking any action after reading this advisory. LAC Co., Ltd. shall 
      take no responsibility for any problems, loss or damage caused by, or 
      by the use of, the information provided here.
    
      This advisory can be found at the following URL: 
      http://www.lac.co.jp/security/english/snsadv_e/68_e.html
    
    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadvat_private>
    Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
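
    Added example, not part of the SNS advisory or any vendor code: a gateway-side heuristic that flags Object tags whose Type property matches the condition in the Problem Description (unusually long, containing double-byte characters). The 255-character threshold, the Shift_JIS default and all names are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Assumption: RFC 6838 limits MIME type and subtype names to 127 ASCII
# characters each, so a longer or non-ASCII Type value is anomalous.
MAX_TYPE_LEN = 255  # hypothetical threshold, tune for your traffic


class ObjectTypeScanner(HTMLParser):
    """Records <object> tags whose type attribute is over-long or non-ASCII."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # list of (line number, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "object":  # HTMLParser lower-cases tag and attribute names
            return
        for name, value in attrs:
            if name != "type" or value is None:
                continue
            reasons = []
            if len(value) > MAX_TYPE_LEN:
                reasons.append("length %d" % len(value))
            if any(ord(ch) > 0x7F for ch in value):
                reasons.append("non-ASCII characters")
            if reasons:
                self.findings.append((self.getpos()[0], reasons))


def scan_html(raw, encoding="shift_jis"):
    """Decode the page bytes (Shift_JIS assumed) and return the findings."""
    scanner = ObjectTypeScanner()
    # errors="replace" keeps malformed byte pairs visible as U+FFFD
    scanner.feed(raw.decode(encoding, errors="replace"))
    scanner.close()
    return scanner.findings


# Constructed samples: an ordinary embed and an inert filler string.
BENIGN = b'<object type="application/x-shockwave-flash" data="a.swf"></object>'
SUSPICIOUS = ('<html><body>\n<object type="' + "\u3042" * 300
              + '"></object>\n</body></html>').encode("shift_jis")

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_html(page))
```

    A hit is a reason to inspect or block the page, not proof of an attack; applying MS03-032 remains the fix.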
    


