US-CERT Vulnerability Notes Database

Vulnerability Note VU#876678

Microsoft Internet Explorer createTextRange() vulnerability

Overview

Microsoft Internet Explorer (IE) fails to properly handle the createTextRange() DHTML method, possibly allowing a remote, unauthenticated attacker to execute arbitrary code.

I. Description

DHTML, TextRanges, and the createTextRange Method

According to Microsoft:


    Dynamic HTML (DHTML) is built on an object model that extends the traditional static HTML document which enables Web authors to create more engaging and interactive Web pages.

A TextRange is a DHTML object that represents text. createTextRange() is a DHTML method to generate a TextRange for a DHTML Object.

The Problem

IE fails to properly handle the createTextRange() method. When this method is called for certain DHTML objects, memory may be corrupted in a way that could allow an attacker to execute arbitrary code.

More information is available in Microsoft Security Bulletin MS06-013 and Microsoft Security Advisory 917077.

Note that working exploit code is available for this vulnerability.

II. Impact

By convincing a user to open a specially crafted web page, a remote unauthenticated attacker can execute arbitrary code on a vulnerable system.

III. Solution

Apply an Update

This issue is addressed in Microsoft Security Bulletin MS06-013.

Disable Active Scripting

Known attack vectors for this vulnerability require Active Scripting to be enabled. By disabling Active Scripting, the chances of exploitation are reduced. For instructions on how to disable Active Scripting in Internet Explorer, please refer to the Internet Explorer section of the Securing Your Web Browser document.

Additional workarounds are available in Microsoft Security Advisory 917077.
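
To confirm that the Active Scripting workaround is actually in place on a host, the following PowerShell audit reads the per-zone setting from the registry. It is an added example, not part of the original note or of Microsoft's guidance; the registry paths, the URL action ID 1400 ("Active scripting") and the value meanings are standard Internet Explorer zone settings that the note itself does not list.

```powershell
# Added example: report the IE "Active scripting" URL action for the Internet
# and Restricted sites zones from every registry location that defines it.
# Assumption: standard IE zone layout (zone 3 = Internet, zone 4 = Restricted sites).
$ActionId = '1400'   # URLACTION_SCRIPT_RUN, shown in the UI as "Active scripting"
$Zones    = [ordered]@{ '3' = 'Internet'; '4' = 'Restricted sites' }
$Meaning  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Policy locations are listed first, then per-user and machine settings.
$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingSetting {
    foreach ($zone in $Zones.GetEnumerator()) {
        foreach ($root in $Roots) {
            $key   = Join-Path $root $zone.Key
            $props = Get-ItemProperty -Path $key -Name $ActionId -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }   # not defined here; skip this location

            $raw   = [int]$props.$ActionId
            $state = if ($Meaning.ContainsKey($raw)) { $Meaning[$raw] } else { "Unknown ($raw)" }
            [pscustomobject]@{
                Zone     = $zone.Value
                Location = $key
                Value    = $raw
                State    = $state
                Disabled = ($raw -eq 3)   # only an explicit "Disabled" counts as the workaround
            }
        }
    }
}

$results = @(Get-ActiveScriptingSetting)
$results | Format-Table Zone, State, Value, Location -AutoSize -Wrap

# Flag every location where scripting can still run in the Internet zone.
$weak = @($results | Where-Object { $_.Zone -eq 'Internet' -and -not $_.Disabled })
if ($weak.Count -gt 0) {
    Write-Warning "Active Scripting is not disabled for the Internet zone in $($weak.Count) location(s)."
}
```

A zone that produces no row has no explicit value in any of the four locations, so the browser's built-in default for that zone applies.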

Read and send email in plain text format

An attacker may be able to exploit this vulnerability by convincing a user to open a specially crafted HTML email. Reading email only in plain text will prevent exploitation of this vulnerability through email. Consider the security of fellow Internet users and send email in plain text format when possible.

If you use Microsoft Outlook, we encourage you to apply the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6. Outlook 2003 includes these and other security enhancements.

Do not follow unsolicited links


In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Microsoft Corporation | Vulnerable | | 11-Apr-2006

References


http://www.microsoft.com/technet/security/advisory/917077.mspx
http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
http://secunia.com/advisories/18680/
http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/createtextrange.asp

Credit

This issue was reported by Andreas Sandblad of Secunia Research.

This document was written by Jeff Gennari.

Other Information

Date Public: 2006-03-22
Date First Published: 2006-03-22
Date Last Updated: 2006-04-11
CERT Advisory:
CVE-ID(s): CVE-2006-1359
NVD-ID(s): CVE-2006-1359
US-CERT Technical Alerts:
Metric: 35.63
Document Revision: 45

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2006 by US-CERT, a government organization