1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. HTTP DirectAnimation KeyFrame Heap BO

HTTP DirectAnimation KeyFrame Heap BO

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit an heap buffer-overflow vulnerability in Microsoft Internet Explorer.

Additional Information

Microsoft Internet Explorer is prone to a heap buffer-overflow vulnerability.

The vulnerability arises because of the way Internet Explorer tries to instantiate certain COM objects ActiveX controls. In particular, when the first parameter of the 'KeyFrame' method of the 'DirectAnimation.PathControl' COM object is overly large, an invalid memory write occurs. The issue affects the 'DirectAnimation.PathControl' control of the 'daxctle.ocx' COM object with class ID CLSID:{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

This issue is similar, but separate to the one described in BID 19738 (Microsoft Internet Explorer Daxctle.OCX Spline Method Heap Buffer Overflow Vulnerability)

Affected

  • Microsoft Internet Explorer 5.0.1, 5.0.1 SP1, 5.0.1 SP2, 5.0.1 SP3, 5.0.1 SP4, 6.0, 6.0 SP1

Response

Workaround:
To help administrators prevent attacks, Microsoft has outlined various workarounds for this and similar issues, including:

- Configuring Internet Explorer to prompt before running ActiveX controls.
- Setting Internet and Local intranet security zone settings to 'High'.
- Restricting websites to only your trusted sites.
- Preventing COM objects from running in Internet Explorer by setting the kill bit for the control in the registry.

The following registry entry will set the kill bit for the affected control in 32-bit computers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]
"Compatibility Flags"=dword:00000400

The following registry entry will set the kill bit for the affected control in 64-bit computers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432\Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]
"Compatibility Flags"=dword:00000400

Please see the referenced Microsoft advisory for more information on workarounds for this issue.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube