Key Vulnerability Information Vulnerability Name: MS06-042 Related Internet Explorer 'Crash' is Exploitable Date: August 22, 2006 Severity: High Affected Systems: - Windows 2000 with IE6 SP1 and MS06-042 hotfix installed - Windows XP SP1 with IE6 SP1 and MS06-042 hotfix installed CVSS Score: 7.5/10 CVE ID: CVE-2006-3869 CWE ID: CWE-Other Risk Level: High Local Exploitation: No Remote Exploitation: Yes Impact Score: 6.4/10 Attack Complexity: Low Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial Exploitability Score: 10/10 Authentication Required: No required Vulnerability Overview On August 8, 2006, Microsoft released MS06-042, a cumulative update for Internet Explorer. Shortly after the patch was released, Internet Explorer users began experiencing browser crashes when visiting certain websites. Microsoft published a knowledge base article discussing issues related to the MS06-042 patch, including how Internet Explorer crashes when viewing web pages that use compression. Security researchers, including eEye, investigated the issue and discovered that many of these crashes could be exploited. Researchers confirmed that certain websites using compression triggered non-malicious buffer overflows within Internet Explorer. After confirming the exploitability, researchers issued an alert to the public, highlighting the true severity of these "crash" issues. Mitigation Measures Windows 2000 IE6 SP1 systems: - Microsoft created and released a non-public patch, available through the Microsoft PSS process. - As a temporary workaround, refer to Microsoft’s guidance in KB923762 to disable HTTP1.1 functionality. Windows XP SP1 IE6 SP1 systems: - The best protection is to upgrade XP systems to Windows XP SP2. - If upgrading is not possible, obtain the patch referenced in KB923762 via the Microsoft PSS process. Reference Links MS06-042 Bulletin: http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx SANS: http://isc.sans.org Microsoft KB Article: http://support.microsoft.com/?kbid=923762 SANS Thread: http://isc.sans.org/diary.php?storyid=1588