Internet Explorer daxctle.ocx "KeyFrame()" Method Vulnerability (altamente critico)
Release Date: 2006-09-14
Last Update: 2006-09-15
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
CVE reference: CVE-2006-4777 (Secunia mirror)
Description:
nop has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a memory corruption error in the Microsoft Multimedia Controls ActiveX control (daxctle.ocx) in the "CPathCtl::KeyFrame()" function. This can be exploited by e.g. tricking a user into viewing a malicious HTML document passing specially crafted arguments to the ActiveX control's "KeyFrame()" method.
Successful exploitation allows execution of arbitrary code.
NOTE: A somewhat working exploit is publicly available for partially patched versions of Windows 2000. However, Secunia has successfully created a fully working exploit for Windows XP SP2 (fully patched).
It is also possible to crash the browser via the "Spline()" method.
Solution:
Only allow trusted websites to run ActiveX controls.
Bollettino di sicurezza
Bollettino Microsoft
Soluzione mia
usate Firefox
Release Date: 2006-09-14
Last Update: 2006-09-15
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x
CVE reference: CVE-2006-4777 (Secunia mirror)
Description:
nop has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a memory corruption error in the Microsoft Multimedia Controls ActiveX control (daxctle.ocx) in the "CPathCtl::KeyFrame()" function. This can be exploited by e.g. tricking a user into viewing a malicious HTML document passing specially crafted arguments to the ActiveX control's "KeyFrame()" method.
Successful exploitation allows execution of arbitrary code.
NOTE: A somewhat working exploit is publicly available for partially patched versions of Windows 2000. However, Secunia has successfully created a fully working exploit for Windows XP SP2 (fully patched).
It is also possible to crash the browser via the "Spline()" method.
Solution:
Only allow trusted websites to run ActiveX controls.
Bollettino di sicurezza
Bollettino Microsoft
Soluzione mia
usate Firefox