
New Internet Explorer Vulnerability

Home sick today and go figure there’s a new exploit. There is a new “0-day” exploit making the rounds. This latest alert was raised by FrSIRT. The vulnerability has a CVE ID 2006-4777. Here is the information from the Secunia site as it pertains to this vulnerability. There is currently no patch for this problem.

“Description:
nop has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to a memory corruption error in the Microsoft Multimedia Controls ActiveX control (daxctle.ocx) in the “CPathCtl::KeyFrame()” function. This can be exploited by e.g. tricking a user into viewing a malicious HTML document passing specially crafted arguments to the ActiveX control’s “KeyFrame()” method.

Successful exploitation allows execution of arbitrary code.

NOTE: A somewhat working exploit is publicly available for partially patched versions of Windows 2000. However, Secunia has successfully created a fully working exploit for Windows XP SP2 (fully patched).

It is also possible to crash the browser via the “Spline()” method.

Solution:
Only allow trusted websites to run ActiveX controls.

Provided and/or discovered by:
nop”

Advisory Link
