SECUNIA ADVISORY ID: SA25627

VERIFY ADVISORY: http://secunia.com/advisories/25627/

CRITICAL: Highly critical

IMPACT: Cross Site Scripting, Spoofing, System access

WHERE: >From remote

SOFTWARE:
Microsoft Internet Explorer 5.01 - http://secunia.com/product/9/
Microsoft Internet Explorer 6.x - http://secunia.com/product/11/
Microsoft Internet Explorer 7.x - http://secunia.com/product/12366/

DESCRIPTION: Multiple vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks or compromise a user's system.

1) An error within the instantiation of Urlmon.dll COM objects not intended to be instantiated in Internet Explorer can be exploited to corrupt memory.

2) An error in the handling of CSS (Cascading Style Sheet) tags can be exploited to corrupt memory via a specially crafted web page.

3) A race condition when attempting to install multiple language packs can be exploited to corrupt memory via a specially crafted web page.

4) An error in the handling of uninitialised objects can be exploited to corrupt memory via a specially crafted web page.

5) An error within the Navigation cancel page can be exploited to e.g. spoof the contents of an arbitrary site.

This may be related to: SA24535

6) An error within a component of Microsoft Speech API 4 can be exploited to execute arbitrary code via a specially crafted web page.

SOLUTION: Apply patches.

Internet Explorer 5.01 SP4 on Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=3B49F1ED-ABE3-4DBD-A91D-973415658F6B

Internet Explorer 6 SP1 on Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5C958650-28D2-4DD0-96A8-DBFE79CE3F68

Internet Explorer 6 for Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=60FB294E-A8E1-405E-A289-2D2723EDF7EE

Internet Explorer 6 for Windows XP Professional x64 Edition (optionally SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=086D6D6E-4703-4C6C-A7AF-B6DAFEEEDE5D

Internet Explorer 6 for Windows Server 2003 SP1/SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7ED19127-5C2D-48E4-A8D1-090DC69FD68B

Internet Explorer 6 for Windows Server 2003 x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=1449EB5D-6E4C-4332-8CB6-AB9EE59C9A95

Internet Explorer 6 for Windows Server 2003 for Itanium-based systems SP1/SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=B628A3CC-A70C-478A-A10C-EEE254EE34AB

Internet Explorer 7 for Windows XP SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=C2191703-8CBD-4959-9F84-E13F21173926

Internet Explorer 7 for Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=69C526B8-8B07-42BC-9BED-E18DEAE21C8E

Internet Explorer 7 for Windows Server 2003 SP1/SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A074D9C0-1FED-4753-845E-073CFCE99F45

Internet Explorer 7 for Windows Server 2003 x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=744ACB43-64DA-48CC-AE69-9386B597EABC

Internet Explorer 7 for Windows Server 2003 for Itanium-based systems SP1/SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=069C1560-B5E5-4DFE-A18D-E0507D406028

Internet Explorer 7 for Windows Vista:
http://www.microsoft.com/downloads/details.aspx?FamilyId=77287386-48EB-4AA9-9537-626A3093AAF7

Internet Explorer 7 for Windows Vista x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=77287386-48EB-4AA9-9537-626A3093AAF7

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) An anonymous researcher, reported via iDefense Labs.
3) An anonymous researcher, reported via ZDI.
4) Sam Thomas, reported via ZDI.
6) Independently discovered by:
* Will Dormann, CERT/CC
* cocoruder, Fortinet Security Research

ORIGINAL ADVISORY: MS07-033 (KB933566): http://www.microsoft.com/technet/security/Bulletin/MS07-033.mspx

OTHER REFERENCES: SA24535: http://secunia.com/advisories/24535/