Executive Summary

Summary
Title: A COM Object (Msdds.dll) Could Cause Internet Explorer to Unexpectedly Exit
Information
Name: KB906267
First vendor Publication: 2005-08-18
Vendor: Microsoft
Last vendor Modification: 2006-02-21
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
Impact SubScore NA Temporal Score NA
Exploitability Sub Score NA
 

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Exploit Score 10 Authentication None Required

Detail

Microsoft has completed the investigation into a public report of a vulnerability affecting Internet Explorer. We have issued a security bulletin to address this issue. For more information about this issue, including download links for an available security update, please review the security bulletin.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/906267.mspx

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:1155
 
Oval ID: oval:org.mitre.oval:def:1155
Title: WinXP,SP1 (64-bit) DDS Library Shape Control Buffer Overflow
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2005-2127
Version: 4
Platform(s): Microsoft Windows XP
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:1454
 
Oval ID: oval:org.mitre.oval:def:1454
Title: Server 2003 DDS Library Shape Control Buffer Overflow
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2005-2127
Version: 5
Platform(s): Microsoft Windows Server 2003
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:1464
 
Oval ID: oval:org.mitre.oval:def:1464
Title: Server 2003,SP1 DDS Library Shape Control Buffer Overflow
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2005-2127
Version: 4
Platform(s): Microsoft Windows Server 2003
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:1468
 
Oval ID: oval:org.mitre.oval:def:1468
Title: WinXP,SP2 DDS Library Shape Control Buffer Overflow
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2005-2127
Version: 5
Platform(s): Microsoft Windows XP
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:1535
 
Oval ID: oval:org.mitre.oval:def:1535
Title: Win2k,SP4 DDS Library Shape Control Buffer Overflow
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2005-2127
Version: 5
Platform(s): Microsoft Windows 2000
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:1538
 
Oval ID: oval:org.mitre.oval:def:1538
Title: Win2K/XP,SP1 DDS Library Shape Control Buffer Overflow
Description: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2005-2127
Version: 4
Platform(s): Microsoft Windows 2000, Microsoft Windows XP
Product(s): Microsoft Internet Explorer
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 1
Application 4
Application 11
Application 6
Application 11
Application 8

Open Source Vulnerability Database (OSVDB)

Id Description
19093 Microsoft Design Tools msdds.dll COM Object Arbitrary Code Execution

A flaw exists in the Microsoft DDS Library Shape Control COM object component that allows arbitrary code execution when opening a specially crafted HTML file.
2692 Microsoft Windows Design Tools MDT2DD.DLL COM Object Memory Corruption Comman...

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Internet Explorer WMI ASDI Extension ActiveX object access
RuleID : 4236 - Revision : 16 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Helper Object for Java ActiveX object access
RuleID : 4235 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer MSVTDGridCtrl7 ActiveX object access
RuleID : 4234 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Visual Database Tools Query Designer v7.0 ActiveX...
RuleID : 4233 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer SysTray Invoker ActiveX object access
RuleID : 4232 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer SysTray ActiveX object access
RuleID : 4231 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Search Assistant UI ActiveX object access
RuleID : 4230 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer MSAPP Export Support for Office Access ActiveX ob...
RuleID : 4229 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Windows Start Menu ActiveX object access
RuleID : 4228 - Revision : 14 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Network Connections ActiveX object access
RuleID : 4227 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer DocHost User Interface Handler ActiveX object access
RuleID : 4226 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Repository ActiveX object access
RuleID : 4225 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer VideoPort ActiveX object access
RuleID : 4224 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer OpenCable Class ActiveX object access
RuleID : 4223 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Outllib.dll ActiveX object access
RuleID : 4222 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer ProxyStub Dispatch ActiveX object access
RuleID : 4221 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Windows Network and Dial-Up Connections ActiveX object access
RuleID : 4220 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Windows Network Connections Tray ActiveX object access
RuleID : 4219 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Microsoft Windows Visual Basic WebClass ActiveX object access
RuleID : 4218 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Office Services on the Web Free/Busy ActiveX object access
RuleID : 4217 - Revision : 14 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer CLSID_CComAcctImport ActiveX object access
RuleID : 4216 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer HTML Popup Window ActiveX object access
RuleID : 4215 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer TipGW Init ActiveX object access
RuleID : 4214 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer DDS Picture Shape Control ActiveX object access
RuleID : 4213 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer DDS Generic Class ActiveX object access
RuleID : 4212 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer DDS Library Shape Control ActiveX object access
RuleID : 4211 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Msb1geen.dll ActiveX object access
RuleID : 4210 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer LexRefStFrObject Class ActiveX object access
RuleID : 4209 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer LexRefStEsObject Class ActiveX object access
RuleID : 4208 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Audio Decompressor Control Property Page ActiveX ...
RuleID : 4207 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer MPEG-4 Video Decompressor Property Page ActiveX o...
RuleID : 4206 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Visual Database Tools Database Designer v7.0 Acti...
RuleID : 4205 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer DT PolyLine Control 2 ActiveX object access
RuleID : 4204 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Marquee Control ActiveX object access
RuleID : 4203 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Windows DirectAnimation ActiveX object access
RuleID : 4202 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Queued Components Recorder ActiveX object access
RuleID : 4201 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Index Server Scope Administration ActiveX object ...
RuleID : 4200 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Blnmgrps.dll ActiveX object access
RuleID : 4199 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer Blnmgrps.dll ActiveX object access
RuleID : 4198 - Revision : 15 - Type : BROWSER-PLUGINS
2014-01-10 Microsoft Internet Explorer msdds clsid access attempt
RuleID : 4132 - Revision : 16 - Type : BROWSER-IE
2014-02-08 Microsoft Internet Explorer msdds clsid access attempt
RuleID : 29223 - Revision : 3 - Type : BROWSER-IE
2014-01-10 Symantec Norton Antivirus ActiveX function call access
RuleID : 21561 - Revision : 7 - Type : BROWSER-PLUGINS
2014-01-10 Symantec Norton Antivirus ActiveX clsid access
RuleID : 21560 - Revision : 7 - Type : BROWSER-PLUGINS
2014-01-10 Symantec Norton Antivirus ActiveX clsid access
RuleID : 21559 - Revision : 6 - Type : BROWSER-PLUGINS
2014-01-10 Symantec Norton Antivirus ActiveX clsid access
RuleID : 21558 - Revision : 6 - Type : BROWSER-PLUGINS

Nessus® Vulnerability Scanner

Date Description
2005-10-11 Name : Arbitrary code can be executed on the remote host through the web client.
File : smb_nt_ms05-052.nasl - Type : ACT_GATHER_INFO