Microsoft fills holes in big April security fix

Posted on 12 Apr 2006 at 11:11

Microsoft has released five patches covering multiple security vulnerabilities in Internet Explorer in addition to flaws in Windows Explorer, Outlook Express, FrontPage Server Extensions and Data Access Components.

The patches includes a cumulative fix IE which addresses the high profile 'CreateTextRange' flaw. This particular fix will be welcome to many businesses worried about tales of exploits circulating ever since the bug was publicly disclosed in March.

Just days later, numerous websites were discovered that had been set up to exploit the flaw.

Although security companies offered temporary fixes, Microsoft advised against using them and instead to wait until it had thoroughly tested the patch it was working on. eEye Digital has said that the patch it offered to fix the CreateTextRange flaw is compatible with Microsoft's update and will offer to uninstall once the update is complete.

However, even as Microsoft patches up its products, more holes are being discovered. This time, security company Finjan - in which Microsoft has an investment - reports a bypass and cross zone scripting vulnerability in the Remote Data Service (RDS) object affecting Internet Explorer on Windows, including those updated to Service Pack 2 and also the latest beta version of IE 7.

However, information on the vulnerability, which could allow an attacker remote access to a system and the ability to run code on the target machine, is being disclosed responsibly: ie only Finjan and Microsoft have the full details and are already working on a fix.

Microsoft's five security patches for April comprise:

Security Bulletin MS06-013 details nine critical vulnerabilities in Internet Explorer 5.01, 5.5 and 6.x. The vulnerabilities could be exploited by malicious people to conduct cross-site scripting attacks, conduct phishing attacks, or compromise a user's system. These are:

An error in the cross-domain restriction when accessing properties of certain dynamically created objects can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site via a JavaScript URI handler applied on a dynamically created "object" tag.

An error within the handling of multiple event handlers (e.g. onLoad) in an HTML element can be exploited to corrupt memory in a way that may allow execution of arbitrary code.

An error within the parsing of specially crafted, non-valid HTML can be exploited to corrupt memory in a way that allows execution of arbitrary code when a malicious HTML document is viewed.

An error within the instantiation of COM objects that are not intended to be instantiated in Internet Explorer can be exploited to corrupt memory in a way that allows execution of arbitrary code.

An error within the handling of HTML elements containing a specially crafted tag can be exploited to corrupt memory in a way that allows execution of arbitrary code.

An error within the handling of double-byte characters in specially crafted URLs can be exploited to corrupt memory in a way that allows execution of arbitrary code. Successful exploitation requires that the system uses double-byte character sets.

An error in the way IOleClientSite information is returned when an embedded object is dynamically created can be exploited to execute arbitrary code in context of another site or security zone.