Microsoft Internet Explorer HTML "EMBED" directive (mshtml.dll) buffer overflow

ie-html-directive-bo (8116)

High Risk

Description:

Microsoft Internet Explorer is vulnerable to a buffer overflow caused by improper validation of the HTML 'EMBED' directive. By creating a malicious Web page that incorrectly invokes the affected HTML directive, and then posting the page to a Web site or sending it within an HTML email, a remote attacker can overflow a buffer and execute arbitrary code on a victim¿s computer once the Web page is viewed.

Platforms Affected:

• Microsoft, Internet Explorer 5.5
• Microsoft, Internet Explorer 6

Remedy:

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

Consequences:

Gain Access

References:

• BugTraq Mailing List, Wed Feb 27 2002 - 07:15:32 CST, Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general) at http://archives.neohapsis.com/archives/bugtraq/2002-02/0307.html.
• CERT Advisory CA-2002-04, Buffer Overflow in Microsoft Internet Explorer at http://www.cert.org/advisories/CA-2002-04.html.
• CIAC Information Bulletin M-041, Microsoft Internet Explorer Cumulative Patch at http://www.ciac.org/ciac/bulletins/m-041.shtml.
• Internet Security Systems Security Alert #111, Buffer Overflow in Microsoft Internet Explorer at http://www.iss.net/xforce/alerts/id/advise111.
• Microsoft Knowledge Base Article 317731, MS02-005: Patch Is Available for the Buffer Overrun in HTML Directive Vulnerability (Q317731) at http://support.microsoft.com/default.aspx?scid=kb;[LN];317731.
• Microsoft Knowledge Base Article 328548, How to Obtain the Latest Service Pack for Internet Explorer 6 at http://support.microsoft.com/default.aspx?scid=kb;[LN];328548.
• Microsoft Product Support Services, List of Fixes in Microsoft Internet Explorer 6 SP1 at http://support.microsoft.com/common/canned.aspx?R=d&H=List%20of%20Fixes%20in%20Microsoft%20Internet%20Explorer%206%20SP1&LL=&Sz=kbIE600sp1fix&Fr=&DU=&SD=GN&LN=EN-US&CND=1&VR=&CAT=&VRL=&SG=&MaxResults=150.
• Microsoft Security Bulletin MS02-005, 11 February 2002 Cumulative Patch for Internet Explorer at http://www.microsoft.com/technet/security/bulletin/ms02-005.mspx.
• Microsoft Security Bulletin MS02-015, 28 March 2002 Cumulative Patch for Internet Explorer at http://www.microsoft.com/technet/security/bulletin/ms02-015.mspx.
• Microsoft Security Bulletin MS02-023, 15 May 2002 Cumulative Patch for Internet Explorer (Q321232) at http://www.microsoft.com/technet/security/bulletin/ms02-023.mspx. (Superseded by MS02-047.)
• Microsoft Security Bulletin MS02-047, Cumulative Patch for Internet Explorer (Q323759) at http://www.microsoft.com/technet/security/bulletin/ms02-047.mspx.
• Microsoft Security Bulletin MS02-047, Cumulative Patch for Internet Explorer (Q323759) at http://www.microsoft.com/technet/security/bulletin/MS02-047.mspx.
• Microsoft Security Bulletin MS02-066, Cumulative Patch for Internet Explorer (Q328970) at http://www.microsoft.com/technet/security/Bulletin/MS02-066.mspx.
• Microsoft Security Bulletin MS02-068, Cumulative Patch for Internet Explorer (324929) at http://www.microsoft.com/technet/security/Bulletin/MS02-068.mspx.
• Microsoft Security Bulletin MS03-004, Cumulative Patch for Internet Explorer (810847) at http://www.microsoft.com/technet/security/bulletin/ms03-004.mspx.
• Microsoft Security Bulletin MS03-004, Cumulative Patch for Internet Explorer (810847) at http://www.microsoft.com/technet/security/bulletin/ms03-004.mspx.
• Microsoft Security Bulletin MS03-015, Cumulative Patch for Internet Explorer (813489) at http://www.microsoft.com/technet/security/bulletin/ms03-015.mspx.
• Microsoft Security Bulletin MS03-020, Cumulative Patch for Internet Explorer (818529) at http://www.microsoft.com/technet/security/bulletin/ms03-020.mspx.
• Microsoft Security Bulletin MS03-040, Cumulative Patch for Internet Explorer (828750) at http://www.microsoft.com/technet/security/bulletin/ms03-040.mspx.
• Microsoft Security Bulletin MS03-048, Cumulative Security Update for Internet Explorer (824145) at http://www.microsoft.com/technet/security/bulletin/ms03-048.mspx.
• Microsoft Security Bulletin MS04-004, Cumulative Security Update for Internet Explorer (832894) at http://www.microsoft.com/technet/security/bulletin/ms04-004.mspx.
• Microsoft Security Bulletin MS04-025, Cumulative Security Update for Internet Explorer (867801) at http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx.
• Microsoft Security Bulletin MS04-038, Cumulative Security Update for Internet Explorer (834707) at http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx.
• Microsoft Security Bulletin MS04-040, Cumulative Security Update for Internet Explorer (889293) at http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx.
• Microsoft Security Bulletin MS05-014, Cumulative Security Update for Internet Explorer (867282) at http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx.
• Microsoft Security Bulletin MS05-020, Cumulative Security Update for Internet Explorer (890923) at http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx.
• Microsoft Security Bulletin MS05-025, Cumulative Security Update for Internet Explorer (883939) at http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx.
• Microsoft Security Bulletin MS05-038, Cumulative Security Update for Internet Explorer (896727) at http://www.microsoft.com/technet/security/bulletin/ms05-038.mspx.
• Microsoft Security Bulletin MS05-052, Cumulative Security Update for Internet Explorer (896688) at http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx.
• Microsoft Security Bulletin MS05-054, Cumulative Security Update for Internet Explorer (905915) at http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx.
• Microsoft Security Bulletin MS06-004, Cumulative Security Update for Internet Explorer (910620) at http://www.microsoft.com/technet/security/Bulletin/MS06-004.mspx.
• Microsoft Security Bulletin MS06-013, Cumulative Security Update for Internet Explorer (912812) at http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx.
• Microsoft Security Bulletin MS06-021, Cumulative Security Update for Internet Explorer (916281) at http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx.
• Microsoft Security Bulletin MS06-042, Cumulative Security Update for Internet Explorer (918899) at http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx.
• Microsoft Security Bulletin MS06-067, Cumulative Security Update for Internet Explorer (922760) at http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx.
• Microsoft Security Bulletin MS06-072, Cumulative Security Update for Internet Explorer (925454) at http://www.microsoft.com/technet/security/Bulletin/MS06-072.mspx.
• Microsoft Security Bulletin MS07-016, Cumulative Security Update for Internet Explorer (928090) at http://www.microsoft.com/technet/security/Bulletin/ms07-016.mspx.
• Microsoft Security Bulletin MS07-027, Cumulative Security Update for Internet Explorer (931768) at http://www.microsoft.com/technet/security/bulletin/ms07-027.mspx.
• Microsoft Security Bulletin MS07-033, Cumulative Security Update for Internet Explorer (933566) at http://www.microsoft.com/technet/security/bulletin/ms07-033.mspx.
• Microsoft Security Bulletin MS07-045, Cumulative Security Update for Internet Explorer (937143) at http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx.
• Microsoft Security Bulletin MS07-057, Cumulative Security Update for Internet Explorer (939653) at http://www.microsoft.com/technet/security/Bulletin/MS07-057.mspx.
• Microsoft Security Bulletin MS07-069, Cumulative Security Update for Internet Explorer (942615) at http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx.
• Microsoft Security Bulletin MS08-010, Cumulative Security Update for Internet Explorer (944533) at http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx.
• Microsoft Security Bulletin MS08-024, Cumulative Security Update for Internet Explorer (947864) at http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx.
• Microsoft Security Bulletin MS08-031, Cumulative Security Update for Internet Explorer (950759) at http://www.microsoft.com/technet/security/Bulletin/MS08-031.mspx.
• Microsoft Security Bulletin MS08-045, Cumulative Security Update for Internet Explorer (953838) at http://www.microsoft.com/technet/security/bulletin/ms08-045.mspx.
• Microsoft Security Bulletin MS08-058, Cumulative Security Update for Internet Explorer (956390) at http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx.
• SECURITY.NOV Advisory - February 13, 2002, buffer overflow in mshtml.dll at http://www.security.nnov.ru/advisories/mshtml.asp.
• BID-4080: Microsoft Internet Explorer HTML Document Directive Buffer Overflow Vulnerability
• CVE-2002-0022: Buffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated.
• US-CERT VU#932283: Microsoft Internet Explorer HTML rendering engine contains buffer overflow processing SRC attribute of HTML <EMBED> directive

Reported:

Feb 11, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page