Multiple vendor Web browser JavaScript window object code execution

javascript-window-code-execution (20783)

High Risk

Description:

Multiple vendor Web browsers, including Microsoft Internet Explorer, could allow a remote attacker to cause a denial of service or execute arbitrary code on a victim's system, caused by a vulnerability in the JavaScript window() object. A remote attacker could exploit this vulnerability by creating a malicious Web page that uses an onload event to initialize a window() object, and convincing an unsuspecting victim to visit the page. When the victim browses to the malicious Web page, the attacker could crash the affected browser or execute arbitrary code to gain complete control over the victim's system.

It is reported that this vulnerability could be exploited to cause a denial of service on Firefox , Apple Safari, and Opera Web browsers, but remote code execution is not possible.

Platforms Affected:

• Apple, Safari 2.0.2
• Microsoft, Internet Explorer 5.01 SP4
• Microsoft, Internet Explorer 5.5 SP2
• Microsoft, Internet Explorer 6
• Microsoft, Internet Explorer 6 SP1
• Microsoft, Windows 2000 SP4
• Microsoft, Windows 2003 Server x64
• Microsoft, Windows 2003 Server SP1 Itanium
• Microsoft, Windows 2003 Server SP1
• Microsoft, Windows 2003 Server Itanium
• Microsoft, Windows XP Professional x64
• Microsoft, Windows XP SP2
• Microsoft, Windows XP SP1
• Mozilla, Firefox
• Opera, Opera

Remedy:

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superceded.

As a workaround, disable Active Scripting for untrusted sites. For other suggested workarounds, refer to Microsoft Security Advisory (911302). See References.

Consequences:

Gain Access

References:

• BugTraq Mailing List, 2005-11-23 5:23:05, Re: IE BUG, Mozilla DOS? at http://marc.theaimsgroup.com/?l=bugtraq&m=113278010907401&w=2 .
• Internet Security Systems Protection Alert, November 22, 2005, Internet Explorer Javascript Window() Remote Code Execution at http://xforce.iss.net/xforce/alerts/id/209.
• Microsoft Internet Explorer Web page, Internet Explorer Home at http://www.microsoft.com/windows/ie/default.mspx.
• Microsoft Security Advisory (911302), Vulnerability in the way Internet Explorer Handles onLoad Events Could Allow Remote Code Execution at http://www.microsoft.com/technet/security/advisory/911302.mspx.
• Microsoft Security Bulletin MS05-054, Cumulative Security Update for Internet Explorer (905915) at http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx.
• Microsoft Security Bulletin MS06-004, Cumulative Security Update for Internet Explorer (910620) at http://www.microsoft.com/technet/security/Bulletin/MS06-004.mspx.
• Microsoft Security Bulletin MS06-013, Cumulative Security Update for Internet Explorer (912812) at http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx.
• Microsoft Security Bulletin MS06-021, Cumulative Security Update for Internet Explorer (916281) at http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx.
• Microsoft Security Bulletin MS06-042, Cumulative Security Update for Internet Explorer (918899) at http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx.
• Microsoft Security Bulletin MS06-067, Cumulative Security Update for Internet Explorer (922760) at http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx.
• Microsoft Security Bulletin MS06-072, Cumulative Security Update for Internet Explorer (925454) at http://www.microsoft.com/technet/security/Bulletin/MS06-072.mspx.
• Microsoft Security Bulletin MS07-016, Cumulative Security Update for Internet Explorer (928090) at http://www.microsoft.com/technet/security/Bulletin/ms07-016.mspx.
• Microsoft Security Bulletin MS07-027, Cumulative Security Update for Internet Explorer (931768) at http://www.microsoft.com/technet/security/bulletin/ms07-027.mspx.
• Microsoft Security Bulletin MS07-033, Cumulative Security Update for Internet Explorer (933566) at http://www.microsoft.com/technet/security/bulletin/ms07-033.mspx.
• Microsoft Security Bulletin MS07-045, Cumulative Security Update for Internet Explorer (937143) at http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx.
• Microsoft Security Bulletin MS07-057, Cumulative Security Update for Internet Explorer (939653) at http://www.microsoft.com/technet/security/Bulletin/MS07-057.mspx.
• Microsoft Security Bulletin MS07-069, Cumulative Security Update for Internet Explorer (942615) at http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx.
• Microsoft Security Bulletin MS08-010, Cumulative Security Update for Internet Explorer (944533) at http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx.
• Microsoft Security Bulletin MS08-024, Cumulative Security Update for Internet Explorer (947864) at http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx.
• BID-13799: Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability
• CVE-2005-1790: Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka Mismatched Document Object Model Objects Memory Corruption Vulnerability.
• CVE-2005-3896: Mozilla allows remote attackers to cause a denial of service (CPU consumption) via a Javascript BODY onload event that calls the window function.
• CVE-2005-3897: Apple Safari 2.0.2 allows remote attackers to cause a denial of service (system slowdown) via a Javascript BODY onload event that calls the window function.
• FrSIRT/ADV-2005-2509: Microsoft Internet Explorer window() Code Execution Vulnerability
• FrSIRT/ADV-2005-2867: Microsoft Internet Explorer Command Execution Vulnerabilities (MS05-054)
• FrSIRT/ADV-2005-2909: Avaya Various Products Microsoft Windows Multiple Vulnerabilities
• SA15368: Microsoft Internet Explorer Multiple Vulnerabilities
• SA15546: Microsoft Internet Explorer "window()" Arbitrary Code Execution Vulnerability
• SA18064: Avaya Products Microsoft Windows Multiple Vulnerabilities
• SA18311: Nortel Centrex IP Client Manager Multiple Vulnerabilities
• SECTRACK ID: 1015251: Microsoft Internet Explorer Bug in Processing Mismatched Document Object Model Objects May Let Remote Users Execute Arbitrary Code
• US-CERT VU#887861: Microsoft Internet Explorer vulnerable to code execution via mismatched DOM objects

Reported:

May 31, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page