This bulletin addresses four vulnerabilities for Internet Explorer. Two allow for remote code execution and two allow for information disclosure. According to Microsoft, this does not affect Internet Explorer version 7. Since many organizations are still running version 6, it is very critical that you patch this ASAP if you haven't upgraded yet. This bulletin replaces MS06-067. There is also a link provided by Microsoft on possible issues that may arise as a result of this patch: http://support.microsoft.com/kb/925454
Script Error Handling Memory Corruption Vulnerability - CVE-2006-5579
Previously freed memory space is accessed when encountering certain script errors which may cause the system's memory to become corrupt and allow for code execution.
DHTML Script Function Memory Corruption Vulnerability - CVE-2006-5581
When Internet Explorer interprets certain DHTML script function calls to incorrectly created elements it may corrupt system memory in such a way that an attacker could execute arbitrary code.
TIF Folder Information Disclosure Vulnerability - CVE-2006-5578
The issue lies in how Internet Explorer handles drag and drop operations and would allow for files to be accessed on the user's system in the Temporary Internet Files Folder.
TIF Folder Information Disclosure Vulnerability - CVE-2006-5577
This one is similar to the previous vulnerability discussed, however the vulnerability reveals the path to the Temporary Internet Files Folder and allows it to be accessed and files to be retrieved. According to Microsoft, this requires actions on the user's part for this to occur.
Dec 12th 2006
1 decade ago