Vulnerability Note VU#338828

Microsoft Internet Explorer exception handling vulnerability

Overview

Microsoft Internet Explorer fails to properly handle exception conditions. This may allow a remote, unauthenticated attacker to execute arbitrary code.

I. Description

Internet Explorer allows objects to register exception handlers. These handlers may not properly handle some conditions, which may cause memory corruption.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.

III. Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS06-021. This update removes exception handlers from Internet Explorer.

Disable Active scripting

Disabling Active scripting in the Internet Zone (or any zone used by an attacker) appears to help prevent exploitation of this vulnerability. While it does not remove the vulnerability, it does help block known attack vectors. Instructions for disabling Active scripting in the Internet Zone can be found in the Securing Your Web Browser document.

Note that disabling Active scripting in the Internet Zone will reduce the functionality of some web sites.

Systems Affected

Vendor	Status	Date Updated
Microsoft Corporation	Vulnerable	13-Jun-2006

References

http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx
http://secunia.com/advisories/19762/

Credit

This vulnerability was reported by Secunia Research, who in turn credit Andreas Sandblad.

This document was written by Will Dormann.

Other Information

Date Public	04/23/2006
Date First Published	06/13/2006 02:26:23 PM
Date Last Updated	06/15/2006
CERT Advisory
CVE Name	CVE-2006-2218
US-CERT Technical Alerts
Metric	17.72
Document Revision	8

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader