Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

TSRT-06-09: Microsoft DirectAnimation COM Object Memory Corruption Vulnerability

From: TSRT () 3com com
Date: Tue, 8 Aug 2006 12:17:25 -0700
TSRT-06-09: Microsoft DirectAnimation COM Object Memory Corruption
            Vulnerability

http://www.tippingpoint.com/security/advisories/TSRT-06-09.html
August 8, 2006

-- CVE ID:
CVE-2006-3638

-- Affected Vendor:
Microsoft

-- Affected Products:
Internet Explorer 6 All Versions
Internet Explorer 5 SP4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since August 8, 2006 by Digital Vaccine protection
filter ID 4593. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the
target must visit a malicious page.

The specific flaw exists in the DirectAnimation.DATuple ActiveX control
when improperly calling the Nth() method. By supplying a positive
integer we can control a data reference calculation that is later used
to control execution. The problem is due to the lack of sanity checking
on the index used during a call to TupleNthBvrImpl::GetTypeInfo() in
danim.dll.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx

-- Disclosure Timeline:
2006.04.27 - Vulnerability reported to vendor
2006.08.08 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, Tipping Point Security
Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry
recognized security researchers that apply their cutting-edge
engineering, reverse engineering and analysis talents in our daily
operations. More information about the team is available at:

    http://www.tippingpoint.com/security
 
The by-product of these efforts fuels the creation of vulnerability
filters that are automatically delivered to our customers' intrusion
prevention systems through the Digital Vaccine(R) service.
Previous By Date Next
Previous By Thread Next

Current thread: