[Full-disclosure] TSRT-06-09: Microsoft DirectAnimation COM Object Memory Corruption Vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2006-08-09T00:00:00


TSRT-06-09: Microsoft DirectAnimation COM Object Memory Corruption Vulnerability

http://www.tippingpoint.com/security/advisories/TSRT-06-09.html
August 8, 2006

-- CVE ID: CVE-2006-3638

-- Affected Vendor: Microsoft

-- Affected Products:
Internet Explorer 6 All Versions
Internet Explorer 5 SP4

-- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since August 8, 2006 by Digital Vaccine protection filter ID 4593. For further product information on the TippingPoint IPS:


-- Vulnerability Details: This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists in the DirectAnimation.DATuple ActiveX control when improperly calling the Nth() method. By supplying a positive integer we can control a data reference calculation that is later used to control execution. The problem is due to the lack of sanity checking on the index used during a call to TupleNthBvrImpl::GetTypeInfo() in danim.dll.
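The bug class described above is a caller-supplied index that feeds a pointer lookup whose result is then used for an indirect call. The following C sketch shows it beside a bounds-checked form; it is an added example, not code from danim.dll or from the advisory, and `Tuple`, `Behavior` and every function name in it are hypothetical stand-ins.

```c
#include <stddef.h>

/* Hypothetical stand-ins; none of these names come from danim.dll. */
typedef struct Behavior {
    int (*get_type_info)(const struct Behavior *self); /* indirect call target */
    int type_id;
} Behavior;

typedef struct { size_t count; Behavior **elems; } Tuple;

enum { NTH_OK = 0, NTH_E_INVALIDARG = -1 };

/* Unchecked pattern: the element address is computed from the caller's index
 * and the loaded pointer is then called through. Any index >= count reads
 * past the array, so memory outside the tuple decides where execution goes. */
int tuple_nth_type_unchecked(const Tuple *t, long index, int *out_type)
{
    Behavior *b = t->elems[index];
    *out_type = b->get_type_info(b);
    return NTH_OK;
}

/* Hardened form: validate the index against the element count before the
 * reference calculation, and validate the loaded pointer before the call. */
int tuple_nth_type_checked(const Tuple *t, long index, int *out_type)
{
    if (t == NULL || t->elems == NULL || out_type == NULL)
        return NTH_E_INVALIDARG;
    if (index < 0 || (size_t)index >= t->count)
        return NTH_E_INVALIDARG;
    Behavior *b = t->elems[index];
    if (b == NULL || b->get_type_info == NULL)
        return NTH_E_INVALIDARG;
    *out_type = b->get_type_info(b);
    return NTH_OK;
}

static int sample_type_info(const Behavior *self) { return self->type_id; }

/* Constructed sample: a two-element tuple queried through the checked path.
 * Returns the element's type id, or NTH_E_INVALIDARG if the index is rejected. */
int demo_lookup(long index)
{
    Behavior a = { sample_type_info, 10 }, b = { sample_type_info, 20 };
    Behavior *elems[] = { &a, &b };
    Tuple t = { 2, elems };
    int type = 0;
    int rc = tuple_nth_type_checked(&t, index, &type);
    return rc == NTH_OK ? type : rc;
}
```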

-- Vendor Response: Microsoft has issued an update to correct this vulnerability. More details can be found at:


-- Disclosure Timeline:
2006.04.27 - Vulnerability reported to vendor
2006.08.08 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit: This vulnerability was discovered by Cody Pierce, TippingPoint Security Research Team.

-- About the TippingPoint Security Research Team (TSRT): The TippingPoint Security Research Team (TSRT) consists of industry-recognized security researchers who apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at:


The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service.
