TSRT-06-09: Microsoft DirectAnimation COM Object Memory Corruption Vulnerability
August 8th, 2006
CVE ID:
CVE-2006-3638
Affected Vendor:
Microsoft
Affected Products:
Internet Explorer 6 All Versions
Internet Explorer 5 SP4
TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since August 8, 2006 by Digital Vaccine protection filter ID 4593. For further product information on the TippingPoint IPS:
http://www.tippingpoint.com
Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the
target must visit a malicious page.
The specific flaw exists in the DirectAnimation.DATuple ActiveX control
when improperly calling the Nth() method. By supplying a positive
integer we can control a data reference calculation that is later used
to control execution. The problem is due to the lack of sanity checking
on the index used during a call to TupleNthBvrImpl::GetTypeInfo() in
danim.dll.
Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx
Disclosure Timeline:
| 2006.04.27 |
Vulnerability reported to vendor |
| 2006.08.08 |
Digital Vaccine released to TippingPoint customers |
| 2006.08.08 |
Coordinated public release of advisory |
Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security Research Team.
