Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12171
HistoryApr 12, 2006 - 12:00 a.m.

US-CERT Technical Cyber Security Alert TA06-101A -- Microsoft Windows and Internet Explorer Vulnerabilities

2006-04-1200:00:00
vulners.com
12
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System

            Technical Cyber Security Alert TA06-101A

Microsoft Windows and Internet Explorer Vulnerabilities

Original release date: April 11, 2006
Last revised: –
Source: US-CERT

Systems Affected

 * Microsoft Windows
 * Microsoft Internet Explorer

For more complete information, refer to the Microsoft Security
Bulletin Summary for April 2006.

Overview

Microsoft has released updates that address critical vulnerabilities
in Microsoft Windows and Internet Explorer. Exploitation of these
vulnerabilities could allow a remote, unauthenticated attacker to
execute arbitrary code or cause a denial of service on a vulnerable
system.

I. Description

Microsoft Security Bulletin Summary for April 2006 addresses
vulnerabilities in Microsoft Windows and Internet Explorer. Further
information is available in the following US-CERT Vulnerability Notes:

VU#876678 - Microsoft Internet Explorer createTextRange()
vulnerability

Microsoft Internet Explorer fails to properly handle the
createTextRange() DHTML method, possibly allowing a remote,
unauthenticated attacker to execute arbitrary code.
(CVE-2006-1359)

VU#984473 - Microsoft Internet Explorer contains overflow in
processing script action handlers

A vulnerability in the Microsoft Internet Explorer web browser could
allow a remote attacker to crash the browser or possibly execute
arbitrary code on a vulnerable system.
(CVE-2006-1245)

VU#434641 - Microsoft Internet Explorer may automatically execute HTA
files

Microsoft Internet Explorer fails to properly handle HTA files. This
vulnerability may allow a remote attacker to execute arbitrary code.
(CVE-2006-1388)

VU#503124 - Microsoft Internet Explorer fails to handle specially
crafted, malformed HTML

Microsoft Internet Explorer fails to properly handle malformed HTML.
This vulnerability may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-1185)

VU#959049 - Multiple COM objects cause memory corruption in Microsoft
Internet Explorer

Microsoft Internet Explorer allows instantiation of COM objects not
designed for use in the browser, which may allow a remote attacker to
execute arbitrary code or crash IE.
(CVE-2006-1186)

VU#824324 - Microsoft Internet Explorer fails to properly handle HTML
elements with a specially crafted tag

Microsoft Internet Explorer fails to properly handle HTML element
tags, which may allow a remote, unauthenticated attacker to execute
arbitrary code.
(CVE-2006-1188)

VU#341028 - Microsoft Internet Explorer fails to properly handle
double-byte characters in specially crafted URLs

Microsoft Internet Explorer fails to properly handle double-byte
characters in URLs, which may allow a remote, unauthenticated attacker
to execute arbitrary code.
(CVE-2006-1189)

VU#234812 - Microsoft Windows contains a vulnerability in the
RDS.Dataspace ActiveX control in MDAC

Microsoft Windows fails to properly handle the RDS.Dataspace ActiveX
control possibly allowing a remote attacker to execute arbitrary code.
(CVE-2006-0003)

VU#641460 - Microsoft Windows Explorer fails to properly handle COM
objects

Microsoft Windows fails to properly handle COM Objects. This
vulnerability may allow a remote unauthenticated attacker to execute
arbitrary code on a vulnerable system.
(CVE-2006-0012)

II. Impact

A remote, unauthenticated attacker could execute arbitrary code with
the privileges of the user. If the user is logged on with
administrative privileges, the attacker could take complete control of
an affected system. An attacker may also be able to cause a denial of
service.

III. Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the
Security Bulletins and on the Microsoft Update site.

Workarounds

Please see the US-CERT Vulnerability Notes for workarounds. Many of
these vulnerabilities can be mitigated by following the instructions
listed in the Securing Your Web Browser document.

Appendix A. References

 * Microsoft Security Bulletin Summary for April 2006 -
   <http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx>

 * US-CERT Vulnerability Note VU#876678 -
   <http://www.kb.cert.org/vuls/id/876678>

 * US-CERT Vulnerability Note VU#984473 -
   <http://www.kb.cert.org/vuls/id/984473>

 * US-CERT Vulnerability Note VU#434641 -
   <http://www.kb.cert.org/vuls/id/434641>

 * US-CERT Vulnerability Note VU#503124 -
   <http://www.kb.cert.org/vuls/id/503124>

 * US-CERT Vulnerability Note VU#959049 -
   <http://www.kb.cert.org/vuls/id/959049>

 * US-CERT Vulnerability Note VU#824324 -
   <http://www.kb.cert.org/vuls/id/824324>

 * US-CERT Vulnerability Note VU#341028 -
   <http://www.kb.cert.org/vuls/id/341028>

 * US-CERT Vulnerability Note VU#234812 -
   <http://www.kb.cert.org/vuls/id/234812>

 * US-CERT Vulnerability Note VU#641460 -
   <http://www.kb.cert.org/vuls/id/641460>

 * CVE-2006-1359 -
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1359>

 * CVE-2006-1245 -
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1245>

 * CVE-2006-1388 -
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1388>

 * CVE-2006-1185 -
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1185>

 * CVE-2006-1186 -
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1186>

 * CVE-2006-1188 -
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1188>

 * CVE-2006-1189 -
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1189>

 * CVE-2006-0003 -
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003>

 * CVE-2006-0012 -
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0012>

 * Microsoft Update - <https://update.microsoft.com/microsoftupdate>

 * Securing Your Web Browser -
   <http://www.us-cert.gov/reading_room/securing_browser/#Internet_Ex
   plorer>

The most recent version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA06-101A.html>

Feedback can be directed to US-CERT Technical Staff. Please send
email to <[email protected]> with "TA06-101A Feedback VU#876678" in the
subject.

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html&gt;.

Produced 2006 by US-CERT, a government organization.

Terms of use:

 &lt;http://www.us-cert.gov/legal.html&gt;

Revision History

Apr 11, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRDwj9n0pj593lg50AQInJggAoOBNa20SU8JukBoK5elr5vWOLcAjycHt
Cg0+064ncCpQXoWiYPrLGVzg4/MCTVUygbYl85cePp5cHSHqpfuYXoBuZwSKu36+
olQdkbU1ejViA8A0XPsQ3EgtIRlDZSgL1ncYlRM8QxK8CF7QV616ta8q6H/3EDMM
i+tXy6gzQMqJeUthopzGcfpf6U5Qu9PCk/+Pj66GfFhHpARanLef2H28WFRazC+I
R+vLGLFLV0gp1Iy7t267l1BhN1w1z+fXD0WwYkiTwb0mzeize8Amdqlb5c4Vn4wh
HAF/XGiCe5qkMhM7kRLA70JsNfSkI38JPHWSo9/a04wFBKENCAwNpA==
=w6IC
-----END PGP SIGNATURE-----

Related

securityvulns 8
nessus 3
mskb 1
cert 9
checkpoint_advisories 8
saint 8
packetstorm 1
prion 9
cve 9
canvas 1
threatpost 1
thn 1
securityvulns
securityvulns
Microsoft Security Bulletin MS06-013 Cumulative Security Update for Internet Explorer &#40;912812&#41;
2006-04-11 00:00:00
Determina Fix for CVE-2006-1359 &#40;Zero Day MS Internet Explorer Remote &quot;CreateTextRange&#40;&#41;&quot; Code Execution&#41;
2006-03-29 00:00:00
Microsoft Internet Explorer DBCS Remote Memory Corruption Vulnerability
2006-04-12 00:00:00
nessus
nessus
MS06-013: Cumulative Security Update for Internet Explorer (912812)
2006-04-11 00:00:00
MS06-015: Vulnerabilities in Windows Explorer Could Allow Remote Code Execution (908531)
2006-04-11 00:00:00
MS06-014: Vulnerability in MDAC Could Allow Code Execution (911562)
2006-04-11 00:00:00
mskb
mskb
MS06-013: Cumulative security update for Internet Explorer
2017-03-30 05:55:09
cert
cert
Microsoft Windows fails to properly handle COM objects
2006-04-11 00:00:00
Microsoft Internet Explorer createTextRange() vulnerability
2006-03-23 00:00:00
Microsoft Internet Explorer fails to properly handle double-byte characters in specially crafted URLs
2006-04-11 00:00:00
checkpoint_advisories
checkpoint_advisories
Internet Explorer createTextRange Remote Code Execution (MS06-013) - Ver2 (CVE-2006-1359)
2014-03-03 00:00:00
Microsoft Internet Explorer createTextRange Denial of Service - Ver2 (CVE-2006-1359)
2014-03-03 00:00:00
Update Protection against Microsoft Internet Explorer createTextRange () Vulnerability (MS06-013)
2006-03-27 00:00:00
saint
saint
Internet Explorer createTextRange memory corruption
2006-03-28 00:00:00
Internet Explorer createTextRange memory corruption
2006-03-28 00:00:00
Internet Explorer createTextRange memory corruption
2006-03-28 00:00:00
packetstorm
packetstorm
Internet Explorer createTextRange() Code Execution
2009-11-26 00:00:00
prion
prion
Null pointer dereference
2006-03-23 00:06:00
Design/Logic Flaw
2006-04-12 00:02:00
Memory corruption
2006-04-11 23:02:00
cve
cve
CVE-2006-1359
2006-03-23 00:06:00
CVE-2006-0012
2006-04-12 00:02:00
CVE-2006-1245
2006-03-17 01:02:00
canvas
canvas
Immunity Canvas: MS06_014
2006-04-12 00:02:00
threatpost
threatpost
Popular Sports Site Goal.com Serves Malware
2011-05-03 19:05:02
thn
thn
Phoenix Exploit's Kit 2.8 mini version
2011-10-12 17:41:00
JSON
Related for SECURITYVULNS:DOC:12171
securityvulns8nessus3mskb1cert9checkpoint_advisories8saint8packetstorm1prion9cve9canvas1threatpost1thn1