-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Multiple Vulnerabilities in MS IE 6.0 SP2

Recently I discovered three vulnerabilities in Microsoft Internet Explorer 6 SP2 with all patches applied. All of these bugs are located in `mshtml.dll' and are triggered by incorrect handling of specially crafted HTML documents.

The severity of the first security issue (#7d6d2db4) is low because it is a non-exploitable Null Pointer Dereference and only leads to a DoS. The second (#7d519030) and third (#7d529d35) vulnerabilities are similar, and the Microsoft Security Response Center rated them as critical because, on the face of it, a variant of my PoC could produce exploitable memory corruption (see HTML Tag Memory Corruption Vulnerability - CVE-2006-1188). At the request of the Microsoft Security Response Center I will provide further details at a later date.

o Description:
=============

Internet Explorer, abbreviated IE or MSIE, is a proprietary web browser made by Microsoft and currently available as part of Microsoft Windows. Visit http://www.microsoft.com/windows/ie/default.mspx or http://en.wikipedia.org/wiki/Internet_Explorer for detailed information.

o Disclosure Timeline:
=====================

xx Feb 06 - Vulnerabilities discovered.
08 Mar 06 - Vendor contacted.
22 Mar 06 - Vendor confirmed vulnerabilities.
11 Apr 06 - Vendor released security update.
12 Apr 06 - First advisory released.

o Solution:
==========

Two of the mentioned vulnerabilities are addressed in the latest security update for Internet Explorer [1]. I think - this is not an official statement from the Microsoft Security Response Center - the third security issue will be fixed in an upcoming service pack release.

o Credits:
=========

Thomas Waldegger
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel free to send me a mail. The address 'bugtraq@morph3us.org' is more of a spam address than a regular mail address, so it is possible that some mails get ignored. Please use the contact details at http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all members of BuHa.

Advisory online: http://morph3us.org/advisories/20060412-msie6-sp2.txt

[1] http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFEPVbIkCo6/ctnOpYRA3XdAJ9C18OLBug0Gbfhcy2QhAXaQNkP6ACfdM1s
QIUo3pT6NBXkBnFtwGcYCWU=
=yG/7
-----END PGP SIGNATURE-----