This advisory is a wrapper for 3 different Internet Explorer vulnerabilities:
CVE-2006-4446: DirectAnimation ActiveX Control
CVE-2006-4777: DirectAnimation ActiveX Control (not clear how it is different)
CVE-2006-4687: HTML Rednering Memory Corruption Vulnerability.
First off: All of these are exploited by exposing Internet Explorer to malicious HTML code. The "must have" precaution is to not run IE as "Administrator".
IMPORTANT: An exploit is in use against the DirectAnimation ActiveX Vulnerability!
DirectAnimation is a pre-cursor to what is not DirectX. In order to exploit the vulnerability, another deprecated library, HTML+TIME 1.0, has to be available.
The HTML render vulnerability is in particular tricky as it could be triggered by HTML e-mail.
This is a "Must Patch Now" issue for clients. Servers may want to hold off on this for a bit.
Like with all Internet Explorer patches: Don't forget to test internal critical web based applications. We had it happen in the past where such applications used older ActiveX techniques which where no longer available after a patch was applied.
I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020
Nov 14th 2006
1 decade ago