Tuesday, February 13, 2007

Internet Explorer Multiple Vulnerabilities

TITLE: Internet Explorer Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA24156
VERIFY ADVISORY: http://secunia.com/advisories/24156/
CRITICAL: Highly critical
IMPACT: System access
WHERE: From remote
SOFTWARE:
Microsoft Internet Explorer 6.x (http://secunia.com/product/11/)
Microsoft Internet Explorer 7.x (http://secunia.com/product/12366/)
DESCRIPTION:
Some vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to compromise a user's system.
1) An error within the instantiation of COM objects (Imjpcksid.dll and Imjpskdic.dll) that are not intended to be instantiated in Internet Explorer can be exploited to cause memory corruption.
2) Another error within the instantiation of COM objects (Msb1fren.dll, Htmlmm.ocx, and Blnmgrps.dll) that are not intended to be instantiated in Internet Explorer can be exploited to cause memory corruption.
3) An error within the parsing of FTP server responses can be exploited to cause memory corruption via a specially crafted response sent to the FTP client in Internet Explorer.
Successful exploitation of the vulnerabilities allows execution of arbitrary code.
SOLUTION: Apply patches.
Internet Explorer 6 for Windows XP SP2
Internet Explorer 7 for Windows XP SP2

PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) The vendor credits H D Moore, BreakingPoint Systems.
3) The vendor credits iDefense Labs.

ORIGINAL ADVISORY: MS07-016 (KB928090)

EDITORIAL: The revolution in Internet browsing, Microsoft's secure browser, Internet Explorer 7, is... a flop. Just a few months after the much-heralded release of IE7, we find that it's just as full of holes as IE6. The Trustworthy Computing initiative hasn't worked. Internet Explorer is still a huge problem for network security admins around the world.