Microsoft Patches 10 Critical IE Flaws
Published: April 12, 2006
by Alex Woodie
Ten critical flaws in Microsoft's Internet Explorer were patched with a cumulative security update issued by the vendor yesterday, and users of all versions of Windows are being asked to load the updates immediately, as attacks for some of the flaws are currently underway. In addition to the multifaceted IE update, the software giant issued four other patches for a variety of flaws, which ranged in severity from moderate to critical.
It was a banner day for Microsoft's patch manufacturing and distribution business Tuesday, as the software giant issued five new patches to fix a range of vulnerabilities in its products. The bulk of yesterday's patches targeted IE, which is the most-attacked Microsoft product these days, but they also fixed problems in Windows Explorer, Outlook Express, Microsoft FrontPage Server Extensions, and the Remote Data Service (RDS) feature of ActiveX Data Objects. In most cases the flaws compromise the underlying operating system itself, not just the affected component; the component merely provides the entry point for an attack over the Internet.
The biggest, most important patch issued yesterday was Microsoft Security Bulletin MS06-013, a sprawling affair that tackles no fewer than 10 flaws in IE. The most critical sub-patch contained in this mega-patch (perhaps Microsoft should start skipping number 13?) is the one fixing the recently disclosed DHTML Method Call Memory Corruption Vulnerability, also called the CreateTextRange flaw, which affects IE versions 5 through 6 on all recent versions of Windows, from Windows 98 through Windows Server 2003 R2.
This flaw, which was first discovered by Andreas Sandblad of Secunia, has been making headlines over the last two weeks, as exploit code that criminals can use to craft malicious attacks using this flaw has been available on the Internet. In fact, this is one of the dreaded "zero-day" exploits, so called because working exploit code was circulating before any vendor patch existed, leaving defenders zero days to prepare. Windows users should download and apply MS06-013 if for no other reason than to close off this actively exploited hole.
In the absence of an official patch from Microsoft until yesterday, one security vendor, eEye Digital Security, even went so far as to create its own temporary patch, which it distributed to users for free. The Southern California security company, which researches security flaws and makes intrusion detection systems, says there were 156,000 downloads of its temporary patch since it issued it March 27. While security experts generally frown on using third-party security patches, eEye says its patch worked flawlessly and provided much-needed protection for a range of organizations, including a branch of the U.S. Geological Survey and a national banking chain.
MS06-013 also fixes, or updates an earlier fix for, a range of other problems in IE versions 5 and 6, including:
- The Multiple Event Handler Memory Corruption Vulnerability, a publicly disclosed flaw that carries the risk of remote code execution, and therefore full compromise of the system. Microsoft had seen proof-of-concept exploit code for it, but says there were no attacks underway.
- The HTML Execution Vulnerability, a recently found flaw disclosed to Microsoft privately by Jeffrey van der Stad that allows HTML Applications (HTAs) to launch without displaying the normal security dialog box. No attacks have been reported for this remote code execution vulnerability.
- The HTML Parsing Vulnerability, a flaw privately reported to Microsoft by Jan Monsch of Compass Security Network Computing that could allow attackers to take complete control of a Windows system by corrupting its memory with specially crafted HTML. Microsoft says it is not aware of attacks using this vulnerability.
- New variants of the COM Object Instantiation Memory Corruption Vulnerability, which was first addressed last year in MS05-054. Microsoft has updated that fix with additional class identifiers (CLSIDs) covering problems spotted, and privately reported, by Richard Smith of Boston Software Forensics; again, Microsoft says no attacks are underway.
- The HTML Tag Memory Corruption Vulnerability, which could allow an attacker to take complete control of an affected system. This vulnerability was publicly disclosed by Thomas Waldegger, a German security researcher and blogger. Again, Microsoft says it is not aware of any attacks underway using this flaw.
- The Double Byte Character Parsing Memory Corruption Vulnerability, which could allow an attacker to take total control of a PC or a server when a specially crafted double byte character is inserted into the URL string in IE. This flaw was privately reported to Microsoft by Sowhat of Nevis Labs. No attacks have been reported, Microsoft says.
- The Script Execution Vulnerability, which could allow an attacker to take control of an affected system. This problem, for which Microsoft says it's not aware of any attack code making the rounds, was privately reported to Microsoft by Heiko Schultze of SAP.
- The Cross-Domain Information Disclosure Vulnerability, which stems from a flaw in the way IE determines and displays the domain from which a browser window originated, and the closely related Address Bar Spoofing Vulnerability. Microsoft says these flaws were privately reported, and that it is not aware of attackers using these vectors in the wild.
As a cumulative patch, MS06-013 replaces the earlier cumulative updates for IE, including MS05-054 and MS06-004. What's more, because of changes MS06-013 makes to the way IE handles ActiveX controls, Microsoft was forced to issue a temporary "Compatibility Patch" yesterday. Microsoft says users should keep the Compatibility Patch on their systems for two months, until the company can issue a permanent change to IE's ActiveX control handling in June, which will arrive on "Patch Tuesday," the second Tuesday of the month when Microsoft issues its patches.
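Supersedence is what makes "which hosts still need MS06-013?" a harder question than a simple lookup: a host that took MS06-013 implicitly carries MS05-054 and MS06-004, but a host that only ever took MS05-054 is still exposed to everything fixed since. The script below is an added example, not code from the article or from Microsoft; it encodes only the supersedence relation and the severity and in-the-wild status stated on this page, and the host inventory is constructed for illustration. It resolves each host's effective coverage through the supersedence chain, lists what is still missing, and orders the deployment list by the rule the article applies: actively exploited first, then by severity.

```python
"""Supersedence-aware patch-gap triage for the April 2006 bulletins (added example)."""
from collections import deque

# Severity and in-the-wild status per bulletin, as reported in the article.
BULLETINS = {
    "MS06-013": {"severity": "critical", "exploited": True},
    "MS06-014": {"severity": "critical", "exploited": False},
    "MS06-015": {"severity": "critical", "exploited": False},
    "MS06-016": {"severity": "important", "exploited": False},
    "MS06-017": {"severity": "moderate", "exploited": False},
}
SEVERITY_RANK = {"critical": 3, "important": 2, "moderate": 1, "low": 0}

# Supersedence stated in the article: the cumulative MS06-013 replaces the
# earlier cumulative IE updates MS05-054 and MS06-004. Bulletins absent from
# this map supersede nothing. The Compatibility Patch is a companion, not a
# supersedence relation, so it is deliberately not modelled here.
SUPERSEDES = {
    "MS06-013": {"MS06-004", "MS05-054"},
}


def closure(bulletin, graph=SUPERSEDES):
    """Return the bulletin plus everything it transitively supersedes."""
    seen, todo = set(), deque([bulletin])
    while todo:
        b = todo.popleft()
        if b in seen:
            continue
        seen.add(b)
        todo.extend(graph.get(b, ()))
    return seen


def effective_coverage(installed, graph=SUPERSEDES):
    """Union of the closures of every installed bulletin."""
    covered = set()
    for b in installed:
        covered |= closure(b, graph)
    return covered


def missing_bulletins(required, installed, graph=SUPERSEDES):
    """Required bulletins the host is not covered for, directly or via a newer cumulative."""
    covered = effective_coverage(installed, graph)
    return {b for b in required if b not in covered}


def deployment_order(bulletins, info=BULLETINS):
    """Exploited-in-the-wild first, then highest severity, then bulletin ID for stability."""
    def key(b):
        meta = info.get(b, {"severity": "low", "exploited": False})
        return (not meta["exploited"], -SEVERITY_RANK[meta["severity"]], b)
    return sorted(bulletins, key=key)


def triage(required, installed, graph=SUPERSEDES, info=BULLETINS):
    return deployment_order(missing_bulletins(required, installed, graph), info)


APRIL_2006 = set(BULLETINS)

# Constructed host inventory (hypothetical hostnames and patch states).
HOSTS = {
    "ws-01": {"MS05-054", "MS06-004"},   # only the older cumulative IE updates
    "ws-02": {"MS06-013", "MS06-014"},   # took yesterday's IE and MDAC fixes
    "srv-01": set(),                     # nothing applied
}


def report(hosts=HOSTS, required=APRIL_2006):
    """Map each host to its ordered list of outstanding bulletins."""
    return {host: triage(required, installed) for host, installed in hosts.items()}


if __name__ == "__main__":
    for host, order in report().items():
        print(host, order or "fully patched for April 2006")
```

Note that the relation is one-directional: `effective_coverage({"MS06-013"})` includes MS05-054 and MS06-004, but a host holding only MS06-004 is still flagged as missing MS06-013. Feeding in a real supersedence map (from the bulletin "replaces" fields) rather than the two edges quoted here turns this into the same check a patch-management scanner performs.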
MS06-013 was just the beginning, as Microsoft issued four other patches yesterday. These included MS06-014, which fixes a critical flaw in one of the ActiveX controls that make up the Microsoft Data Access Components (MDAC). This is a remote code execution vulnerability, and it affects Windows XP Service Pack 1 (SP1) and SP2, XP Professional x64 Edition, and all versions of Windows Server 2003. The vulnerability was first reported to Microsoft by Finjan's Malicious Code Research Center and Yarix; no exploit code is available for it, Microsoft says.
The critical Windows Shell Vulnerability, which affects all versions of Windows, is fixed with MS06-015. This privately reported flaw is actually a variant of a previously disclosed flaw that was discovered by Britain's National Infrastructure Security Co-ordination Centre, and could enable an attacker to trick Windows Explorer into allowing COM objects to execute arbitrary code.
MS06-016 is a cumulative security update for Outlook Express that fixes a newly discovered problem in the handling of Windows Address Book files that could allow an attacker to take control of an affected system (any version of Windows could be affected). Microsoft rates this flaw important, and says it is not aware of any exploit code currently in circulation. Credited with helping Microsoft track the bug down are Stuart Pearson, TippingPoint and its Zero Day Initiative, and ATmaCA.
Last but not least is MS06-017, which fixes a cross-site scripting (XSS) vulnerability in Microsoft FrontPage Server Extensions 2002 running on a variety of server and client operating systems. Microsoft classifies the flaw as a remote code execution risk (as with any XSS bug, the code that runs is attacker-supplied script executing in a victim's browser in the context of the affected site) but gave it only a moderate rating (one step below important), and credited Esteban Martínez Fayó for helping to find it.