HTTP MSIE COM Object Memory Corruption

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an attempt to instantiate COM objects that are considered unsafe by the vendor.

Additional Information

Microsoft Internet Explorer is prone to a buffer overflow vulnerability that is related to instantiation of COM objects. The source of the vulnerability is insufficient bounds checking when certain COM objects are instantiated from Internet Explorer and then content is delivered to the objects.

In the case of the affected Microsoft Design Tools PolyLine Control 2 COM object, which is present in MDT2DD.DLL, the issue manifests as a heap memory corruption vulnerability. Destructor code for the object instance may dereference an attacker-supplied pointer, allowing the attacker to influence execution flow.

Successful exploitation could let remote attackers execute arbitrary code in the context of the currently logged in user on the affected computer.

The affected objects are not intended to be instantiated from Internet Explorer. Microsoft has addressed this issue by setting the kill bit on the affected COM objects, so that they may no longer be instantiated from Internet Explorer.
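To verify the kill-bit mitigation described above on a host, this added example (not Symantec's or Microsoft's code) parses a `reg export` of the `ActiveX Compatibility` key and reports whether the kill bit (0x400 in the `Compatibility Flags` value) is set for each CLSID of interest. The CLSIDs and the sample export are constructed placeholders, and the export is assumed to be already decoded to text.

```python
import re

KILL_BIT = 0x400  # bit in "Compatibility Flags" that blocks instantiation in IE
_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
                  r"\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$", re.I)
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.I)

def parse_compat_flags(reg_text):
    """Map each CLSID found in a .reg export to its Compatibility Flags value."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = _KEY.match(line)
            current = m.group(1).upper() if m else None
            if current:
                flags.setdefault(current, 0)  # key present, value may be absent
        elif current:
            m = _FLAGS.match(line)
            if m:
                flags[current] = int(m.group(1), 16)
    return flags

def audit_kill_bits(reg_text, clsids):
    """Return {clsid: 'killed' | 'not-killed' | 'missing'} for each CLSID."""
    flags = parse_compat_flags(reg_text)
    result = {}
    for clsid in clsids:
        c = clsid.upper()
        if c not in flags:
            result[c] = "missing"        # no compatibility key at all
        else:
            result[c] = "killed" if flags[c] & KILL_BIT else "not-killed"
    return result

# Constructed sample export; these CLSIDs are placeholders, not real controls.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A2}]
"Compatibility Flags"=dword:00000020
'''

if __name__ == "__main__":
    wanted = ["{00000000-0000-0000-0000-0000000000A%d}" % i for i in (1, 2, 3)]
    for clsid, state in audit_kill_bits(SAMPLE, wanted).items():
        print(clsid, state)
```

A result of `missing` or `not-killed` for a CLSID named in the vendor bulletin means the control can still be instantiated from Internet Explorer on that host.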

This is a variant of the vulnerability described in BID 14511, Microsoft Internet Explorer COM Object Instantiation Buffer Overflow Vulnerability. The difference is that this issue affects a different set of COM objects, which were not addressed in the previous BID.

Reports indicate that the Microsoft BlnMgr Proxy COM object (blnmgrps.dll) is also affected. This object provides the IDispatch interface.

Affected

  • Avaya DefinityOne Media Servers R10, R11, R12, R6, R7, R8, R9
  • Avaya IP600 Media Servers R10, R11, R12, R6, R7, R8, R9
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers R10, R11, R12, R6, R7, R8, R9
  • Avaya Unified Communication Center
  • Microsoft Internet Explorer 5.0, 5.0.1, 5.0.1 SP1, 5.0.1 SP2, 5.0.1 SP3, 5.0.1 SP4, 5.5, 5.5 SP1, 5.5 SP2, 6.0, 6.0 SP1, 6.0 SP2
  • Microsoft Windows 98SE
  • Microsoft Windows ME
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP Home
  • Microsoft Windows XP Professional
  • Nortel Networks CallPilot 3.0, 4.0
  • Nortel Networks Centrex IP Client Manager 2.5, 7.0, 8.0
  • Nortel Networks Centrex IP Element Manager 2.5, 7.0, 8.0

Response

Microsoft has released fixes to address supported versions of the software. Fixes for Internet Explorer on Windows 98/98SE/ME may be obtained through Windows Update.

Avaya has released advisory ASA-2005-214 to state which Avaya products are affected by the October 2005 release of Microsoft Windows security updates. Please see the referenced advisory for further information.

Nortel Networks has released a technical support bulletin (2005006318) regarding this and other issues for their Centrex IP Client Manager (CICM). They report the vulnerabilities will be fixed in the upcoming 2.5, 7.0 and 8.0 maintenance releases. Please see the referenced bulletin for further information.

Nortel Networks has released a technical support bulletin (2005006317) regarding this issue for CallPilot. Users are advised to contact Nortel for further information.