August 20, 2003
High (Remote Code Execution)
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 6.0 for Windows Server 2003
eEye Digital Security has discovered a security vulnerability in Microsoft's Internet Explorer that would allow executable code to run automatically upon rendering malicious HTML.
This is a flaw in Microsoft's primary contribution to HTML, the Object tag, which is used to embed basically all ActiveX into HTML pages. The parameter that specifies the remote location of data for objects is not checked to validate the nature of the file being loaded, and therefore trojan executables may be run from within a webpage as silently and as easily as Internet Explorer parses image files or any other "safe" HTML content.
This attack may be utilized wherever IE parses HTML, including websites, email, newsgroups, and within applications utilizing web-browsing functionality.
Due to the popularity and prevalence of ActiveX on the Internet, users running Windows 2003 "Enhanced Security Configuration" Mode may have chosen to reactivate the ability to view active content. These users should be aware that they are at critical risk for this vulnerability and should apply the necessary patch.
As a final note, Microsoft attributes credit to eEye for this vulnerability, but incorrectly refers to it as the "Object Type" bug. The "Object Type" bug is in fact eEye's previously discovered object tag vulnerability. That issue involved a stack-based overflow in the "Type" property, and this current issue involves incorrect handling of the data specified by the "Data" tag.