======================================================================

                     Secunia Research 09/02/2005

 Microsoft Internet Explorer "createControlRange()" Memory Corruption

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

Microsoft Internet Explorer 5.01, 5.5 and 6

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where:  From remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Internet Explorer, 
which can be exploited by malicious people to compromise a user's 
system.

The vulnerability is caused due to an input validation error in the 
javascript function "createControlRange()". This can be exploited by 
e.g. a malicious website to cause a heap memory corruption situation 
where the program flow is redirected to the heap.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully patched system 
(without MS05-014) with Internet Explorer 6.0 and 
Microsoft Windows XP SP2.

======================================================================
4) Solution

Microsoft has released patches (see MS05-014 for details).

======================================================================
5) Time Table

29/10/2004 - Vulnerability discovered.
04/11/2004 - Vendor notified.
30/11/2004 - Vendor confirms the vulnerability.
09/02/2005 - Public disclosure.

======================================================================
6) Credits

Discovered by Andreas Sandblad, Secunia Research.

====================================================================== 
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
candidate number CAN-2005-0055 for the vulnerability.

MS05-014 (KB867282):
http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx

US-CERT VU#843771:
http://www.kb.cert.org/vuls/id/843771

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia web site:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2004-12/advisory/

======================================================================