Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the “COM Object Instantiation Memory Corruption vulnerability.”
isc.sans.org/diary.php?date=2005-08-18
secunia.com/advisories/16480
secunia.com/advisories/17172
secunia.com/advisories/17223
secunia.com/advisories/17509
securityreason.com/securityalert/72
securitytracker.com/id?1014727
support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
www.kb.cert.org/vuls/id/740372
www.kb.cert.org/vuls/id/898241
www.kb.cert.org/vuls/id/959049
www.microsoft.com/technet/security/advisory/906267.mspx
www.securityfocus.com/archive/1/470690/100/0/threaded
www.securityfocus.com/bid/14594
www.securityfocus.com/bid/15061
www.us-cert.gov/cas/techalerts/TA05-284A.html
www.us-cert.gov/cas/techalerts/TA05-347A.html
www.us-cert.gov/cas/techalerts/TA06-220A.html
www.vupen.com/english/advisories/2005/1450
docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-052
exchange.xforce.ibmcloud.com/vulnerabilities/21895
exchange.xforce.ibmcloud.com/vulnerabilities/34754
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1155
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1454
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1464
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1468
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1535
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1538