26444 : Microsoft IE DXImageTransform.Microsoft.Light ActiveX Arbitrary Code Execution
Printer | http://osvdb.org/26444 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
2	356	over 3 years ago	over 2 years ago	0 times	100%

Timeline

Disclosure Date
2006-06-13

Description

Microsoft IE contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered due to an error in the parameter validation in the DXImageTransform.Microsoft.Light ActiveX control. It is possible that the flaw may allow arbitrary code execution when a user e.g. visits a malicious web site resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Disclosure: OSVDB Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released a patch to address this vulnerability.

Products

Microsoft Corporation	Internet Explorer	5.01 SP4 on Windows 2000 SP4
		6 SP1 on Windows 2000 SP4
		6 Windows XP SP1
		6 for Windows XP SP2
		6 for Windows Server 2003
		6 for Windows Server 2003 SP1
		6 for Windows Server 2003 for Itanium-based systems (with or without SP1)
		6 for Windows Server 2003 x64 Edition:
		6 for Windows XP Professional x64 Edition
		6 SP1 on Windows 98
		6 SP1 on Windows 98 SE
		6 SP1 on Windows Me

References

Bugtraq ID: 18303
CVE ID: 2006-2383 (see also: NVD)
Secunia Advisory ID: 20595
Related OSVDB ID: 26442 26443 26445 26446
CERT VU: 417585
Microsoft Knowledge Base Article: 916281
VUPEN Advisory: ADV-2006-2319
Microsoft Security Bulletin: MS06-021

Tools & Filters

	21685
Snort	6516 6517 6518 6519

Credit

Will Dormann - -
Dan Plakosh -

CVSSv2 Score

CVSSv2 Base Score = 9.3
Source: nvd.nist.gov | Generated: 2006-06-14 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.