[Vulnerable] Microsoft Internet Explorer (File Download Error Message Denial of Service Weakness)

Internet Explorer File Download Error Message Denial of Service
Weakness
http://secunia.com/advisories/11868/


Critical: Not critical
Impact: DoS
Where: From remote

Software: Microsoft Internet Explorer 6


Description:
Rafel Ivgi has discovered a weakness in Internet Explorer (IE),
allowing malicious people to crash a user's browser.

Analysis indicates that the issue is caused due to an error during the
construction of a file download error message dialog box like the
following:

"Internet Explorer cannot download [file] from [server]"

It is possible to trigger the issue via a specially crafted link like:
<a href=::%7>Link</a>

This causes an incorrect pointer to be passed as argument in a call to
"_snwprintf()" instead of the correct pointer to the string: "[file]
from [server]". This may result in an access violation, if the pointer
refers to an inaccessible memory location, which varies depending on
the supplied value after the "%" character.

The problem has been confirmed on a fully patched system with IE 6.0.
Other versions may also be affected.

Successful exploitation crashes the browser, if a user is tricked into
right clicking the link and choosing "Save Target As...". It is
currently not believed that this issue can be exploited for code
execution purposes.

NOTE: Secunia would normally not classify a browser crash as a
vulnerability nor issue an advisory about it. However, the potential
risc of this issue being more severe than currently believed justified
for an advisory being issued.

Solution:
Don't follow untrusted links nor use the "Save Target As..." feature
on them.



Meritorios de Filtrado (Kill-File Global):
tella llop, jm (N.B. 2003.10.25)


«Primero te ignoran, después se ríen de tí, para después luchar contra tí. En ese momento, has ganado. (Ghandi)»