Determina
Security Advisory

September 28, 2006

Zero-day Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability and Free Downloadable Fix
Affected Systems

  • Microsoft Internet Explorer 5.01 Service Pack 2
  • Microsoft Internet Explorer 5.01 Service Pack 3
  • Microsoft Internet Explorer 5.01 Service Pack 4
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 6.0 Service Pack 1

Threat Severity

Critical

The vulnerability can be exploited to compromise a remote system.

Overview

UPDATE: Additional content about the vulnerability and risk mitigation was added on September 29, 2006.

There is a new zero-day integer overflow vulnerability in the Microsoft Windows WebViewFolderIcon ActiveX control. The vulnerability is due to an integer overflow error in the "setSlice()" method of the "WebViewFolderIcon" ActiveX control, which leads to memory corruption.

An attacker could exploit this vulnerability through Microsoft Internet Explorer (IE) or any other application that hosts the WebViewFolderIcon control.

Exploit code for this vulnerability is publicly available.
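As an added illustration (not Determina's code and not the control's actual implementation), the following C program shows the class of defect the advisory describes: a 32-bit size calculation that wraps around, so the buffer handed to the allocator is smaller than the data the caller later intends to write into it, placed beside a checked version that rejects the overflowing count. The slice size, the function names and the counts used are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed per-slice size; the real control's layout is not described on the page. */
#define SLICE_BYTES 16u

/* Unchecked size computation (the vulnerable pattern): count * size in 32-bit
 * arithmetic wraps silently once the product exceeds UINT32_MAX. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * SLICE_BYTES;
}

/* Hardened form: refuse any count whose product would not fit in 32 bits.
 * Returns 1 and stores the size on success, 0 on overflow. */
int checked_alloc_size(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / SLICE_BYTES) {
        return 0;                       /* would wrap: reject */
    }
    *out = count * SLICE_BYTES;
    return 1;
}

/* Returns 1 when the unchecked size is smaller than the bytes actually needed,
 * i.e. when a later copy of `count` slices would run past the allocation. */
int unchecked_size_is_undersized(uint32_t count) {
    uint32_t alloc  = unchecked_alloc_size(count);
    uint64_t needed = (uint64_t)count * SLICE_BYTES;   /* exact, no wrap */
    return alloc < needed;
}

/* Safe allocation helper built on the checked computation; NULL on overflow
 * or allocator failure, so the caller cannot proceed with a short buffer. */
void *alloc_slices(uint32_t count) {
    uint32_t size;
    if (!checked_alloc_size(count, &size)) {
        return NULL;
    }
    return calloc(1, size);
}

int main(void) {
    /* Constructed sample counts: one small, one large enough to wrap. */
    uint32_t small = 100u;
    uint32_t large = 0x10000000u;   /* 0x10000000 * 16 == 2^32, wraps to 0 */

    printf("count=%u unchecked=%u undersized=%d\n", small,
           unchecked_alloc_size(small), unchecked_size_is_undersized(small));
    printf("count=%u unchecked=%u undersized=%d\n", large,
           unchecked_alloc_size(large), unchecked_size_is_undersized(large));

    void *buf = alloc_slices(large);
    printf("checked allocation for large count: %s\n",
           buf ? "allowed" : "rejected");
    free(buf);
    return 0;
}
```

The check divides rather than multiplies, so it cannot itself overflow; this is the standard way to validate a count-times-size product before it reaches an allocator.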

Risk Mitigation

Determina VPS Desktop by default protects users against code execution that may result from exploitation of the memory-corruption vulnerability reported in this advisory.

Determina has also released a free, downloadable Shield to the general public. This standalone Shield for Internet Explorer will prevent this critical vulnerability from being exploited until Microsoft is able to issue a patch. Desktop users without proactive protection against vulnerability exploits may consider installing this Shield if they believe they might have exposure to web-based attacks.

The Shield can be downloaded from Determina's Security Research website at http://www.determina.com/security.research/. The Shield applies to all currently known affected versions of Windows. The Shield fixes the flawed code in memory when a vulnerable version of the ActiveX control in Internet Explorer is running, without affecting the installation of the web browser on disk or disabling any browser functionality. It will also protect other applications that may load the WebViewFolderIcon ActiveX control. It should not interfere with the installation of a Microsoft patch when one becomes available.

Currently no known vendor patch is available for this vulnerability. Some information from the vendor can be obtained at:

http://www.microsoft.com/technet/security/advisory/926043.mspx

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Determina) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.