Wednesday, October 15, 2008

Internet Explorer 6 componentFromPoint() remote memory disclosure and remote code execution

There is a bug in Internet Explorer 6 JavaScript implementation enabling remote memory disclosure and remote code execution. The vulnerability is caused by improper implementation of componentFromPoint() method of xml object.

The vulnerability

The vulnerability is triggered by errornous behavior of componentFromPoint() method when invoked on a newly created xml object.

Impact

This vulnerability can be used (trivially) to remotely disclose Internet Explorer's memory when a victim visits a specially crafted web page or (less trivially) to achieve remote code execution when a victim visits a specially crafted web page.

PoC

Due to the spread and the impact of the vulnerability, exploiting details will be released at a later date, once everyone has had plenty of time to patch.

References

http://www.zerodayinitiative.com/advisories/ZDI-08-069/
http://www.microsoft.com/technet/security/bulletin/MS08-058.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3475