The exploit code, made public Monday, aims to take advantage of the “extremely critical” vulnerabilities in IE 5.5 and IE 6 running on XP Service Pack 2 (SP2), and IE 6 running on Windows 2000 SP4, security researcher Secunia said in advisory.

Once a PC user is tricked into visiting a malicious Web site, the exploit can be triggered automatically, without the user doing anything.

“An attacker could use the exploit to run any code they want to on a person’s system,” said Thomas Kristensen, Secunia’s chief technology officer. “It could be they want to launch some really nasty code on a user’s system.”

The flaw lies in a Javascript component of IE used for loading Web pages onto a computer, according to an advisory from SANS Internet Storm Center.

Microsoft has not released a patch for the hole exploited by the code. People can attempt to work around the problem by either shutting off Javascript or using another type of browser, security companies advised.

Security researchers said the IE vulnerability has been known for the past six months, but had previously been seen as a conduit for denial-of-service attacks rather than the remote execution of code. DOS attacks, which attempt to crash a system by flooding it with data, are typically considered less-severe security risks.

“The vulnerability itself has been known about for a while, but it was only a problem for a denial-of-service attack that would sometimes cause IE to crash,” said Johannes Ullrich, chief research officer for the Sans Institute. “Up until now, no one knew how to mark the code and find it in memory to execute a remote code attack.”

The exploit code was published by an organization called Computer Terrorism.

Because the flaw was initially believed to involve only a potential DOS attack, Microsoft never issued a patch for the problem, Ullrich said. He added it is not yet known whether Microsoft will spin out a patch for the flaw immediately or wait for its monthly patch cycle.

A Microsoft representative was not able to comment early Monday on the flaw or the exploit, but did say that the company is investigating reports of the possible vulnerability for customers using Internet Explorer while running Windows 2000 SP4 and Windows XP SP2.

“We have also been made aware of proof-of-concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time,” the representative said.

Microsoft, upon completion of its investigation, will take appropriate action to protect its customers by providing a patch as part of its monthly security bulletin program or in a separate security advisory, the representative added.

Windows has a buffer overflow vulnerability in the processing of embedded ICC Profiles
inside images (jpeg, tiff, etc…)

To test – create a jpeg in adobe photoshop and save it with the ICC checkbox enabled,
make sure you set it to RGB (that does not really matter, just so you can find which
bytes to change for the test).

Open in a hex editor and search for “RGB XYZ ” (no quotes, case sensitive)

You are now inside the header of the ICC Profile which is 128 bytes.
104 bytes away is a 4 byte number which is the Tag Count of the ICC Profile.
Change this to “FF FF FF FF” (it will be followed by a 4 byte string which is
part of a 12 byte tag. there are several such tags, it should help you identify
which bytes to change).

Save, open in internet explorer, and see the crash.

and this is the crash:

CODE
.text:73B323BC loc_73B323BC: ; CODE XREF: GetColorProfileElement+D6j
.text:73B323BC cmp [ebx], eax
.text:73B323BE jz short loc_73B323DD
.text:73B323C0 add ebx, 0Ch
.text:73B323C3 inc edx
.text:73B323C4 cmp edx, ecx
.text:73B323C6 jb short loc_73B323BC
.text:73B323C8
.text:73B323C8 loc_73B323C8: ; CODE XREF: GetColorProfileElement+CAj
.text:73B323C8 push 7DCh ; dwErrCode
.text:73B323CD call ds:SetLastError

ebx is controlable. but gets a read access violation.

….be kool and create a PoC and change your sig to the exploit.jpg

Forum Discussion: Internet Explorer / MSN ICC Profiles Crash PoC Exploit

Microsoft has issued a security advisory for Internet Explorer, after a research firm published a working exploit to demonstrate how attackers could take advantage of the flaw.

The vulnerability, discovered by SEC Consult, mean that attackers could cause the browser to unexpectedly exit and execute arbitrary code. Versions of IE affected by the flaw include IE 6.0 on Windows 2000 with Service Pack 1, 3 and 4, and on Windows XP with Service Pack 1 and 2.

“Microsoft is investigating a new public report of a vulnerability affecting Internet Explorer. We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time,” Microsoft said Thursday in its advisory. “But we are aggressively investigating the public report.”

A patch for the flaw is not available. As an interim measure, the software giant advises people to set their Internet and local intranet security zone settings to “high” before running ActiveX controls.

The alert is part of a recently launched Microsoft program to confirm reports of security problems and provide a workaround until a fix is delivered.

The discovery of this latest IE flaw comes two weeks after Microsoft released several “critical” security patches, including one for IE.Those patches addressed vulnerabilities that allowed for remote execution of code.

Versions affected include:

RealPlayer 10.5 (6.0.12.1040-1069)
RealPlayer 10
RealOne Player v2
RealOne Player v1

RealPlayer 10.5 (6.0.12.1212) is NOT affected.

The flaw permits the overwriting of a local file or execution of an ActiveX
control via a malformed MP3 file.

The patch can be downloaded from

http://service.real.com/help/faq/security/050623_player/EN/

NGSSoftware are going to withhold details of this flaw for three
months. Full details will be published on the 27th of September 2005. This
three month window will allow users of RealPlayer the time needed to apply
the patch before the details are released to the general public. This
reflects NGSSoftware’s approach to responsible disclosure.