Signature Detail

HTTP: Internet Explorer Arbitrary Code Execution

This signature detects an HTTP redirect response that contains a maliciously crafted location header. Attackers can trigger the malicious header when attempting to exploit a known vulnerability in Microsoft Internet Explorer 6.

Extended Description

Microsoft Internet Explorer is prone to a vulnerability that may permit cross-zone access, allowing an attacker to execute malicious script code in the context of the Local Zone. It is possible to exploit this issue by passing a dynamically created IFrame to a modal dialog. This vulnerability could be exploited in combination with a number of other security issues, such as the weakness described in BID 10472. The end result of successful exploitation is execution of arbitrary code in the context of the client user. It may also be possible to exploit this vulnerability to access properties of a foreign domain, allowing for other types of attacks that compromise sensitive or private information associated with a domain of the attacker's choosing.

Affected Products

• Microsoft Internet Explorer 5.0.1
• Microsoft Internet Explorer 5.0.1 SP1
• Microsoft Internet Explorer 5.0.1 SP2
• Microsoft Internet Explorer 5.0.1 SP3
• Microsoft Internet Explorer 5.0.1 SP4
• Microsoft Internet Explorer 5.5
• Microsoft Internet Explorer 5.5 SP1
• Microsoft Internet Explorer 5.5 SP2
• Microsoft Internet Explorer 6.0
• Microsoft Internet Explorer 6.0 SP1

References

• BugTraq: 10473
• CVE: CVE-2004-0549
• URL: http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx
• URL: http://www.kb.cert.org/vuls/id/713878