Microsoft Internet Explorer
--------------------------------------------------
From: "MustLive" <mustlive@websecurity.com.ua>
Sent: Monday, May 31, 2010 9:33 PM
To: "Susan Bradley" <sbradcpa@pacbell.net>
Cc: <bugtraq@securityfocus.com>
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
> Hello Susan and other readers, who replied to my previous advisory.
>
> Earlier I already answered Vladimir, now I'll answer Susan and soon I'll
ZDI-11-198: (Pwn2Own) Microsoft Internet Explorer Uninitialized Variable Information Leak Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-198
June 14, 2011
-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)
-- Affected Vendors:
Neat PoC. However, this requires the users to have configured IE to run
Active-X content. On my test machines, I was prompted by the Browser
before the code ran. Surprisingly, CSA never stopped it.
I tested this on:
Internet Explorer 7 on Windows XP 32-bit w/ Cisco Security Agent
v5.0.0.176
Internet Explorer 7 on Vista 32-bit (no CSA)
Thanks,
in IE (as I wrote recently). And in a hole in Ad Muncher (which allows conducting
this attack via any browser at all), which I found in 2006 and which I wrote
about in my article Local XSS (I mentioned a link to the English version of it
in my advisory).
You can also read my articles Code Execution via XSS in Internet Explorer
(http://securityvulns.ru/Udocument911.html) and Cross-browser Code Execution
via XSS (http://securityvulns.ru/Udocument941.html), which I wrote in 2008
concerning this kind of vulnerability in browsers, and how the attack can be
elevated from XSS to CE.
ZDI-09-070: Microsoft Internet Explorer Event Object Type Double-Free Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-070
October 13, 2009
-- CVE ID:
CVE-2009-2530
-- Affected Vendors:
Microsoft
VUPEN Security Research - Microsoft Internet Explorer "boundElements"
Property Use-after-free Vulnerability (CVE-2010-2557)
http://www.vupen.com/english/research.php
I. BACKGROUND
---------------------
"Microsoft Internet Explorer is a web browser developed by Microsoft and
ZDI-11-195: Microsoft Internet Explorer selection.empty Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-195
June 14, 2011
-- CVE ID:
CVE-2011-1261
-- CVSS:
ZDI-11-119: (Pwn2Own) Microsoft Internet Explorer onPropertyChange Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-119
April 12, 2011
-- CVE ID:
CVE-2011-1345
-- CVSS:
----- Original Message -----
From: "Jeremiah Gowdy" <Jeremiah.Gowdy@freedomvoice.com>
To: "MustLive" <mustlive@websecurity.com.ua>; <bugtraq@securityfocus.com>
Sent: Monday, July 20, 2009 10:16 PM
Subject: RE: DoS vulnerabilities in Firefox, Internet Explorer, Opera and Chrome
> I've tested this DoS on Internet Explorer 8, does not significantly impact
> my system.
ZDI-08-087: Microsoft Internet Explorer Webdav Request Parsing Heap
Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-087
December 9, 2008
-- CVE ID:
CVE-2008-4259
-- Affected Vendors:
Microsoft
ZDI-09-048: Microsoft Internet Explorer CSS Behavior Memory Corruption
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-048
August 5, 2009
-- CVE ID:
CVE-2009-1919
-- Affected Vendors:
Microsoft
ZDI-09-036: Microsoft Internet Explorer setCapture Memory Corruption
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-036
June 10, 2009
-- CVE ID:
CVE-2009-1529
-- Affected Vendors:
Microsoft
ZDI-10-013: Microsoft Internet Explorer Table Layout Reuse Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-013
January 21, 2010
-- CVE ID:
CVE-2010-0245
-- Affected Vendors:
Microsoft
1. copy msf_smb_weak_nonce.rb to
<METASPLOIT_DIR>/modules/exploits/windows/smb
2. Run setup_smb_weak_nonce.rb specifying the IP of the victim (e.g.:
ruby setup_smb_weak_nonce.rb 192.168.10.1). After collecting the nonces
the script will listen on port 445 for incoming SMB connections.
3. Run Internet Explorer and load 'conn.html'. This will produce 1000+
connections to the SMB server implemented by setup_smb_weak_nonce.rb.
(Note 1: setup_smb_weak_nonce.rb needs to be run as root to be able to
listen on port 445/tcp)
(Note 2: If you load 'conn.html' with Internet Explorer and
Microsoft Internet Explorer DHTML Handling Remote Memory Corruption Vulnerability
2009.June.09
Fortinet's FortiGuard Global Security Research Team Discovers Memory Corruption Vulnerability in Microsoft's Internet Explorer.
Summary:
========
A memory corruption vulnerability exists in the DHTML handling of Microsoft's Internet Explorer which allows a remote attacker to compromise a system through a malicious site.
Impact:
Due to the advantages of a JS exploit for these vulnerabilities over a non-JS
exploit, I wrote JavaScript exploits for these advisories and will write them for
future advisories (but I'll keep reminding about the possibility of attacking
without JS). But soon I'll also present one exploit in a "pure-iframe" version
(without JS) for Internet Explorer and other applications - for the case when a
small number of iframes leads to a crash.
> Thank you. Now if you could wait for patches before disclosing I'd be
> even happier.
ZDI-09-087: Microsoft Internet Explorer CSS Race Condition Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-087
December 8, 2009
-- CVE ID:
CVE-2009-3673
-- Affected Vendors:
Microsoft
ZDI-10-014: Microsoft Internet Explorer item Object Memory Corruption Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-014
January 21, 2010
-- CVE ID:
CVE-2010-0248
-- Affected Vendors:
Microsoft
ZDI-08-039: Microsoft Internet Explorer DOM Object substringData() Heap
Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-039
June 10, 2008
-- CVE ID:
CVE-2008-1442
-- Affected Vendors:
Microsoft
ZDI-10-033: Microsoft Internet Explorer TIME2 Behavior Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-033
April 2, 2010
-- CVE ID:
CVE-2010-0492
-- Affected Vendors:
Microsoft
ZDI-08-050: Microsoft Internet Explorer XHTML Rendering Memory Corruption
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-050
August 12, 2008
-- CVE ID:
CVE-2008-2257
-- Affected Vendors:
Microsoft
ZDI-08-051: Microsoft Internet Explorer Table Layout Memory Corruption
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-051
August 12, 2008
-- CVE ID:
CVE-2008-2258
-- Affected Vendors:
Microsoft
ZDI-10-012: Microsoft Internet Explorer Baseline Tag Rendering Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-012
January 21, 2010
-- CVE ID:
CVE-2010-0246
-- Affected Vendors:
Microsoft
ZDI-11-193: Microsoft Internet Explorer DOM Modification Race Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-193
June 14, 2011
-- CVE ID:
CVE-2011-1256
-- CVSS:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ZDI-12-036 : Microsoft Internet Explorer VML CDispScroller Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-036
February 22, 2012
- -- CVE ID:
CVE-2012-0155
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 30, 2010
I. BACKGROUND
Internet Explorer is a graphical web browser developed by Microsoft
Corp. that has been included with Microsoft Windows since 1995. For
more information about Internet Explorer, please visit the following
website:
http://www.microsoft.com/ie/
C:\> c:\windows\pchealth\helpctr\binaries\helpctr.exe -url "hcp://system/sysinfo/sysinfomain.htm?svr=<script defer>eval(unescape('Run%28%22calc.exe%22%29'))</script>"
C:\>
While this is fun, this isn't a vulnerability unless an untrusted third party
can force you to access it. Testing suggests that by default, accessing an
hcp:// URL from within Internet Explorer >= 8, Firefox, Chrome (and presumably
other browsers) will result in a prompt. Although most users will click through
this prompt (perfectly reasonable, protocol handlers are intended to be safe),
it's not a particularly exciting attack.
I've found a way to avoid the prompt in a default Windows XP installation in all
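The command line above shows what the Help Center does once it receives an hcp:// URL carrying script: helpctr.exe evaluates it with enough privilege to call Run("calc.exe"). Whether a browser prompts first matters less to a defender than whether the hcp:// handler is registered on the host at all, because the prompt only decides if the URL is handed to that handler. The following PowerShell check is an added example and is not part of the advisory above. It assumes the handler is registered under HKEY_CLASSES_ROOT\HCP with its launch command stored as the default value of HCP\shell\open\command; those key names are assumptions of this example, not something the page states.

```powershell
# Added example, not from the advisory: report whether the hcp:// protocol
# handler is registered on this host and which command a browser would hand
# an hcp:// URL to.
# Assumption: the registration lives at HKEY_CLASSES_ROOT\HCP and the launch
# command is the default value of HCP\shell\open\command (standard URL
# protocol handler layout; key names are assumed, not taken from the page).
function Test-HcpHandler {
    $key = 'Registry::HKEY_CLASSES_ROOT\HCP'
    if (-not (Test-Path -Path $key)) {
        # No HCP key: hcp:// URLs have nothing to launch, so the helpctr.exe
        # path above is not reachable from a browser on this host.
        return [pscustomobject]@{ Registered = $false; Command = $null }
    }

    $cmdKey = "$key\shell\open\command"
    $cmd = $null
    if (Test-Path -Path $cmdKey) {
        # The '(default)' property holds the command template, normally
        # pointing at helpctr.exe with the URL substituted for %1.
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
    }
    return [pscustomobject]@{ Registered = $true; Command = $cmd }
}

$result = Test-HcpHandler
if ($result.Registered) {
    Write-Output 'hcp:// handler is registered; an hcp:// URL accepted by the browser prompt runs:'
    Write-Output ("  " + $result.Command)
    Write-Output 'Deleting HKEY_CLASSES_ROOT\HCP unregisters the protocol; export the key first so it can be restored.'
} else {
    Write-Output 'hcp:// handler is not registered on this host.'
}
```

Run it in an elevated PowerShell session on the host under test; reading the key does not require elevation, but deleting it to unregister the handler does. The check only answers "is the handler present and what does it run"; it does not tell you whether the browser-side prompt can be bypassed, which is the separate question the advisory goes on to address.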
ZDI-09-041: Microsoft Internet Explorer 8 Rows Property Dangling Pointer
Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-041
June 10, 2009
-- CVE ID:
CVE-2009-1532
-- Affected Vendors:
Microsoft
Hello Bugtraq!
I want to warn you about Denial of Service vulnerabilities in Firefox,
Internet Explorer, Chrome and Opera, which belong to the type of DoS via
protocol handlers. Earlier I already wrote about DoS vulnerabilities in
Firefox, Internet Explorer, Chrome and Opera and DoS attacks on email
clients via protocol handlers. This new advisory will show you how browsers
behave with other protocol handlers.
All those who doubt that these DoS vulnerabilities in browsers and email