TSRT-06-09: Microsoft DirectAnimation COM Object Memory Corruption Vulnerability
http://www.tippingpoint.com/security/advisories/TSRT-06-09.html
August 8, 2006
-- CVE ID: CVE-2006-3638
-- Affected Vendor: Microsoft
-- Affected Products:
Internet Explorer 6 All Versions
Internet Explorer 5 SP4
-- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since August 8, 2006 by Digital Vaccine protection filter ID 4593. For further product information on the TippingPoint IPS:
-- Vulnerability Details: This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
The specific flaw exists in the DirectAnimation.DATuple ActiveX control when improperly calling the Nth() method. By supplying a positive integer we can control a data reference calculation that is later used to control execution. The problem is due to the lack of sanity checking on the index used during a call to TupleNthBvrImpl::GetTypeInfo() in danim.dll.
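As an added illustration (not code from this advisory or from danim.dll), the C sketch below shows the class of flaw described above: a caller-supplied index used in a pointer lookup with no range check, next to a checked form. The tuple_t and elem_t types, the function names and the sample data are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical types for illustration; not the layout used by danim.dll. */
typedef struct { int type_id; } elem_t;
typedef struct {
    size_t   count;   /* number of valid entries in elems */
    elem_t **elems;   /* array of element pointers */
} tuple_t;

/* Unchecked pattern: the index feeds the address calculation directly,
 * so an index >= count loads a pointer from outside the array. */
elem_t *tuple_nth_unchecked(const tuple_t *t, long index)
{
    return t->elems[index];
}

/* Checked form: reject negative and out-of-range indexes before any
 * address is computed. Returns 0 on success, -1 on a bad index. */
int tuple_nth_checked(const tuple_t *t, long index, elem_t **out)
{
    if (t == NULL || out == NULL)
        return -1;
    *out = NULL;
    if (index < 0 || (size_t)index >= t->count)
        return -1;
    *out = t->elems[index];
    return 0;
}

/* Constructed sample data: a two-element tuple with type ids 7 and 9. */
static elem_t sample_a = { 7 }, sample_b = { 9 };
static elem_t *sample_elems[] = { &sample_a, &sample_b };
static const tuple_t sample_tuple = { 2, sample_elems };

/* Returns the type id at index, or -1 if the index is rejected. */
int sample_type_at(long index)
{
    elem_t *e;
    if (tuple_nth_checked(&sample_tuple, index, &e) != 0 || e == NULL)
        return -1;
    return e->type_id;
}

int main(void)
{
    long probes[] = { 0, 1, 2, -1 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index %ld -> %d\n", probes[i], sample_type_at(probes[i]));
    return 0;
}
```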
-- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at:
-- Disclosure Timeline:
2006.04.27 - Vulnerability reported to vendor
2006.08.08 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory
-- Credit: This vulnerability was discovered by Cody Pierce, Tipping Point Security Research Team.
-- About the TippingPoint Security Research Team (TSRT): The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at:
The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service.