Microsoft Internet Explorer "createTextRange" Remote Execution vulnerability (Updated) 03/23/06

Overview

A vulnerability has been found in Microsoft Internet Explorer which could be exploited by an attacker to run arbitrary code on target systems.  This vulnerability has been rated high-risk, and the exploit code has been found on over 200 unique web sites at the moment.  As Secure Elements had expected with the release of publicly available proof-of-concept code, new vectors of exploitation have been detected today.  These include trojan horses, email viruses, and various malware.

Severity

This vulnerability is locally and remotely exploitable.
The exploit has been released.


Affected Systems

Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4

Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1

Internet Explorer 6 for Microsoft Windows XP Service Pack 2

Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition, and Microsoft Windows XP Professional x64 Edition

Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition


Recommendations

The Secure Elements Security Lab engineers are not aware of any official patches released by the vendor.
As a workaround, we recommend disabling Active Scripting in Internet Explorer.  Also make sure that antivirus software is up to date, as many antivirus vendors have updated definitions that will detect the exploit code.

 C5 EVM Users

•    Use the remediation SE-0005218 - Disable Active Scripting in Internet Explorer.

Non C5 EVM users

•    Disable Active Scripting in Internet Explorer:
            1. Open Internet Explorer
            2. Click on Tools
            3. Select Internet Options
            4. Select the Security tab in the Internet Options window
            5. Choose Custom level
            6. Scroll down to Active Scripting
            7. Choose Disable


Technical Details

The vulnerability has been found in Microsoft Internet Explorer and could be exploited by an attacker to run arbitrary code on target systems. The flaw is due to an error when processing a "createTextRange()" call related to control objects (radio, checkbox).

This vulnerability could not be executed automatically on a user's system by viewing email with Outlook or Outlook Express reading panes.  The user would have to click a link which would direct them to the malicious web site or open an infected attachment with malicious code.

In a web-based attack scenario, the attacker would have to persuade the victim to click a link to the malicious web site where the exploit code would be triggered.  It is also possible for attackers to place links to exploit code in banner ads or similar web advertising content systems.

If the vulnerability is exploited, the attacker would assume the same rights as the local user.  It is therefore recommended to use accounts that have fewer rights on the local system rather than operating the system with administrative privileges.

Please refer to these US-CERT and Microsoft documents for further information on safe web browsing and email usage.
Using Caution with Email Attachments - US-CERT
Evaluating Your Web Browser's Security Settings - US-CERT
Browsing Safely: Understanding Active Content and Cookies - US-CERT
Improve the safety of your browsing and email activities - MS

Sources

http://www.microsoft.com/technet/security/advisory/917077.mspx
http://www.securityfocus.com/bid/17196/info
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1359
http://secunia.com/advisories/18680/
http://www.frsirt.com/english/advisories/2006/1050
http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx
http://www.computerterrorism.com/research/ct22-03-2006
http://www.milw0rm.com/exploits/1606


Dragos Prisaca
SEC Labs Engineer, Secure Elements Security Labs
seclabs@secure-elements.com

 

 © 2006 Secure Elements All Rights Reserved