OSVDB ID: 23657

Title: Microsoft IE ActiveX Killbit Setting Bypass

Dates

Disclosure: Jan 26, 2006
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

Microsoft Internet Explorer contains a flaw that may allow a malicious user to bypass the kill bit settings for ActiveX controls. The issue is triggered when a user visits a malicious web page containing specially crafted HTML that causes the kill bit setting for ActiveX controls to be bypassed. It is possible that the flaw may allow execution of arbitrary code with user privileges.

Classification

Location: Remote / Network Access, Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified

Solution

Microsoft has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): Stop ActiveX controls from running in Internet Explorer.

Products

Microsoft Corporation

Internet Explorer

6.0
6.0 SP1
5.5 SP2
5.5 SP1
5.5
5.0.1 SP4
5.0.1 SP3
5.0.1 SP2
5.0.1 SP1
5.0.1

References

Credit

  • Will Dormann


Direct URL: http://osvdb.org/23657