<<< Date Index >>>     <<< Thread Index >>>

Determina Fix for CVE-2006-1359 (Zero Day MS Internet Explorer Remote "CreateTextRange()" Code Execution)



March 27, 2006

Determina Fix for CVE-2006-1359
(Zero Day MS Internet Explorer Remote "CreateTextRange()" Code Execution)



Overview & Instructions On Downloading The Free Determina Shield For 
CVE-2006-1359


Based on the same technology used in the VPS LiveShield product, Determina 
has engineered
a standalone fix that provides free and immediate protection to users 
worldwide that need
to protect systems from related attacks until such time as Microsoft issues 
its own patch.
Note that current Determina VPS customers do not have to apply this patch as 
they have been
protected against this attack without the need for any update.

The source code of the Shield is included in the download for review by any 
independent security expert.

This free, standalone fix from Determina can be downloaded from the 
following link:

DETCVE-2006-1359.msi
(www.determina.com/security_center/download/DETCVE-2006-1359.msi)
MD5: 85b8bfc1c30c6b4451a3ab803f49708b
SHA1: 308ae9a79e48adecf769fd50ac29ddc37a07d33c

Threat Severity
Critical;
There is currently no known vendor patch released for this vulnerability. 
Determina is aware
of multiple exploits circulating on the Internet that can compromise 
vulnerable systems.

This fix can be applied to:

Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 6.0
Overview
This is a runtime fix for the IE createTextRange() vulnerability. It can be 
applied to Windows
2000, XP and 2003 systems running Internet Explorer 5.01 and 6.0. The 
vulnerability lies in the
MSHTML.DLL rendering engine which is loaded into many applications for HTML 
rendering, including
but not limited to Internet Explorer and Microsoft Office.

The installation of the fix consists of adding the fix DLL to the 
AppInit_DLLs registry key in

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

The MSI installer will do this automatically. This will enable loading this 
fix DLL into all the
vulnerable applications. The fix does not modify any file or application on 
the disk. It will only
modify the vulnerable applications and DLLs in memory. The fix will not be 
applied to any processes
that are running at the time of the installation. To enable the patch, you 
have to restart IE, Outlook
and any other process that need to be protected. After the installation, run 
status.exe to verify that
your system is protected. If you have a version of MSHTML.DLL that the patch 
does not support,
status.exe will report that the protection is not active.

Once Microsoft releases an official patch and it is installed by the user, 
the Determina Shield will
not be applied any more. Determina recommends uninstalling this fix even 
though keeping it active will
not affect the system. To uninstall the fix, use "Add Remove Programs" in 
the Control Panel. To uninstall
it manually, remove the DLL from the AppInit_DLLs key and restart your 
machine. You can then safely delete
the DLL.

This tool requires administrative privileges on the vulnerable machines in 
order to install the fix.

References
http://www.determina.com/security_center/default.asp
http://secunia.com/advisories/18680/
http://www.frsirt.com/english/advisories/2006/1050
http://www.microsoft.com/technet/security/advisory/917077.mspx
CVE-2006-1359
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2006-1359

About Determina
DeterminaT represents the next generation of intrusion prevention software 
that goes beyond mere
detection and current "best-effort" prevention to fully eliminate the threat 
of the most critical
software attacks. Based on years of research at M.I.T., Determina utilizes 
unique patent-pending
Memory FirewallT technology which blocks attacks at the most fundamental 
level, by dynamically
building a protective shield around programs while they run in computer 
memory. This groundbreaking
approach has proven to be 100% effective against all memory-based attacks - 
such as Code Red, Blaster,
Slammer and Sasser - without false positives or ongoing overhead

Disclaimer
The information within this paper may change without notice. Use of this 
information constitutes
acceptance for use in an AS IS condition. There are NO warranties, implied 
or otherwise, with regard
to this information or its use. Any use of this information is at the user's 
risk. In no event shall
the author/distributor (Determina) be held liable for any damages whatsoever 
arising out of or in
connection with the use or spread of this information.