OSVDB ID: 26444

Title: Microsoft IE DXImageTransform.Microsoft.Light ActiveX Arbitrary Code Execution

Info

Disclosure

Jun 13, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Microsoft IE contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered due to an error in the parameter validation in the DXImageTransform.Microsoft.Light ActiveX control. It is possible that the flaw may allow arbitrary code execution when a user e.g. visits a malicious web site resulting in a loss of integrity.

Classification

Location: Remote / Network Access, Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Disclosure: OSVDB Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released a patch to address this vulnerability.

Products

Microsoft Corporation	Internet Explorer	5.01 SP4 on Windows 2000 SP4
		6 SP1 on Windows 2000 SP4
		6 Windows XP SP1
		6 for Windows XP SP2
		6 for Windows Server 2003
		6 for Windows Server 2003 SP1
		6 for Windows Server 2003 for Itanium-based systems (with or without SP1)
		6 for Windows Server 2003 x64 Edition:
		6 for Windows XP Professional x64 Edition
		6 SP1 on Windows 98
		6 SP1 on Windows 98 SE
		6 SP1 on Windows Me

References

Bugtraq ID: 18303
CVE ID: 2006-2383 (see also: NVD)
Secunia Advisory ID: 20595
Related OSVDB ID: 26442 26443 26445 26446
CERT VU: 417585
Microsoft Knowledge Base Article: 916281
VUPEN Advisory: ADV-2006-2319
Microsoft Security Bulletin: MS06-021

Credit

Will Dormann - -
Dan Plakosh -

Direct URL: http://osvdb.org/26444

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Microsoft Corporation

Internet Explorer

References

Credit