By Chris Mosby
As I mentioned in my last column, the Metasploit project has been holding a Month of Browser Bugs. Every day, a new vulnerability is published, the majority affecting Internet Explorer.
Releasing these flaws may be fun for Metasploit, but it certainly isn’t for the rest of us, who are forced to wait while Microsoft catches up on its patches.
IE graphics control can cause DoS
H.D. Moore identified a flaw in IE 6 that causes the browser to crash, allowing a denial-of-service (DoS) attack. This is due to a NULL pointer dereference error in the Microsoft DirectAnimation Structured Graphics control ("daxctle.ocx") while loading a specially formatted "SourceURL" parameter.
This can be exploited by a hacker who gets a user to visit an infected Web page. Administrator rights are not required for this exploit to work, but a hacker does have to make the user load the infected page.
What to do: Since this vulnerability is caused by an ActiveX control, I suggest disabling IE’s setting known as Run ActiveX controls and plug-ins. If you’re still using IE and you’ve followed Brian’s "Protect IE without SP2" article from the Nov. 18, 2004, newsletter, then you’ve already taken care of this.
More information: CVE-2006-3427, SecurityFocus, OSVDB, FrSIRT
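One way to check and apply the "Run ActiveX controls and plug-ins" setting from a script rather than the Internet Options dialog. This is an added example, not part of the original column. It assumes Windows PowerShell 3.0 or later and relies on IE storing this setting as URL action 1200 under each security zone's registry key; the function name and the -DisableInInternetZone switch are made up for illustration.

```powershell
# Added example: audit (and optionally change) URL action 1200,
# "Run ActiveX controls and plug-ins", for each IE security zone.
param([switch]$DisableInInternetZone)   # hypothetical switch name

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'
                65536 = 'Administrator approved' }

$base       = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policyBase = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ActiveXZoneSetting {
    # Values under the Policies keys, when present, override the user's own choice,
    # so report every location instead of only the per-user key.
    foreach ($root in "HKCU:\$base", "HKLM:\$base", "HKCU:\$policyBase", "HKLM:\$policyBase") {
        foreach ($zone in 0..4) {
            $path  = Join-Path $root $zone
            $value = (Get-ItemProperty -Path $path -Name '1200' -ErrorAction SilentlyContinue).'1200'
            if ($null -ne $value) {
                [pscustomobject]@{
                    Key     = $path
                    Zone    = $zoneNames[$zone]
                    Value   = $value
                    Setting = if ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] }
                              else { 'Unknown' }
                }
            }
        }
    }
}

if ($DisableInInternetZone) {
    # Zone 3 is the Internet zone; 3 means Disable for this URL action.
    Set-ItemProperty -Path "HKCU:\$base\3" -Name '1200' -Value 3 -Type DWord
}

Get-ActiveXZoneSetting | Format-Table -AutoSize
```

Disabling the action in the Internet zone also stops legitimate ActiveX content on sites in that zone; sites that need it can be moved to the Trusted sites zone.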
Framesets within tables cause IE crash
Similar to the vulnerability in the last section, IE 6 has another flaw — discovered by Metasploit — that can also cause a DoS condition by making the browser crash. This one is not based on ActiveX but lies in the browser’s own code. Like the flaw in the previous section, it is a NULL pointer dereference error, triggered when a frameset is added to a table object by the appendChild() method.
This flaw can be exploited by a hacker if a user visits an infected Web page that’s constructed in the way described above. Administrator rights are not required for the exploit to function, but user interaction is.