
Web Attack: MS IE Install Engine Ctl. Heap BO

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an attempt to overflow a buffer in the SetCifFile ActiveX function call by sending an oversized parameter.
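As an added example, not part of the Symantec signature or its page, the following Python scanner illustrates the detection logic described above: it flags scripted SetCifFile calls whose literal argument exceeds a length threshold. The 256-character threshold, the sample script and the helper names are constructed assumptions; the real signature's matching rules are not published here.

```python
import re
# Assumed threshold, constructed for this example: the signature page gives no
# length, so 256 is a placeholder rather than Symantec's actual value.
MAX_ARG_LEN = 256
# Start of a scripted call to the control's SetCifFile method.
_CALL = re.compile(r'\.SetCifFile\s*\(', re.IGNORECASE)
# A double- or single-quoted JS string literal, backslash escapes allowed.
_STR = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'', re.DOTALL)

def _argument_text(script, start):
    """Raw argument expression from `start` to the matching ')'; skips string
    literals so a ')' inside quotes does not end the call. Not a JS parser."""
    depth, i, quote = 1, start, None
    while i < len(script):
        c = script[i]
        if quote:                          # inside a string literal
            if c == '\\':
                i += 1                     # skip the escaped character
            elif c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return script[start:i]
        i += 1
    return script[start:]                  # unterminated call: take the rest

def literal_length(expr):
    """Characters across all string literals in expr, so an argument split as
    "AAAA" + "AAAA" is measured as a whole (escape sequences count raw)."""
    return sum(len(m.group(0)) - 2 for m in _STR.finditer(expr))

def scan_setciffile(script, max_len=MAX_ARG_LEN):
    """One finding per SetCifFile call whose literal argument exceeds max_len."""
    findings = []
    for m in _CALL.finditer(script):
        n = literal_length(_argument_text(script, m.end()))
        if n > max_len:
            findings.append({"offset": m.start(), "literal_len": n})
    return findings

# Constructed sample (test data, not captured traffic): one ordinary call and
# one oversized call whose argument is split across two literals.
SAMPLE = ('<script>\n  ie.SetCifFile("setup.cif");\n'
          '  ie.SetCifFile("' + 'A' * 600 + '" + "ZZ");\n</script>\n')
```

Running `scan_setciffile(SAMPLE)` yields a single finding with `literal_len` 602; the ordinary `setup.cif` call is left alone.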

Additional Information

A remotely exploitable buffer overflow vulnerability exists in the Microsoft Internet Explorer Install Engine ActiveX control. The Install Engine is part of the Active Setup Technology included in Internet Explorer, which allows an installation program to retrieve additional files from the Internet that are required for initialization.

This vulnerability is caused by insufficient bounds checking of arguments passed to the control. Specifically, the length of the arguments is not validated before being copied into an internal buffer. This control is marked Safe For Scripting, meaning that an arbitrary Web site may invoke the control and access its methods. The vulnerability may be triggered by passing malformed arguments to affected methods.

The vulnerability may be exploited to execute arbitrary code in the context of the client user.

Affected

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya Modular Messaging (MSS) 1.1, 2.0
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Microsoft Internet Explorer 5.0.1, 5.0.1 SP1, 5.0.1 SP2, 5.0.1 SP3, 5.0.1 SP4, 5.5, 5.5 SP1, 5.5 SP2, 6.0, 6.0 SP1

Response

Workarounds
This issue can be eliminated by disabling the vulnerable ActiveX control.

Solutions
Microsoft has released a cumulative update for supported versions of Internet Explorer to address this and other vulnerabilities.

Deny by default, do not follow links:
Web users should be wary of visiting sites of questionable integrity or following links provided by unfamiliar or untrusted sources.

Use of least privilege, run client software with the least privileges:
Perform all non-administrative activities as an unprivileged user with minimal access rights. This will limit the impact of client-side vulnerabilities.

Default config, set Web browser security:
Disable support for client-side scripting and Active Content in the Web browser Internet Zone. This may limit exposure to this and other client-side vulnerabilities.