• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability

Severity: HIGH

Description:

Microsoft Internet Explorer is prone to a memory corruption vulnerability that is related to the instantiation of COM objects. This issue results from a design error.

The vulnerability arises because of the way Internet Explorer attempts to instantiate certain COM objects as ActiveX controls. The COM objects may let remote attackers corrupt process memory and facilitate arbitrary code execution in the context of the currently logged in user on the affected computer.

The affected objects are not intended to be instantiated from Internet Explorer. Microsoft has addressed this issue by setting the kill bit on the affected COM objects, so that they may no longer be instantiated from Internet Explorer.

This BID is related to the issues described in BID 14511 (Microsoft Internet Explorer COM Object Instantiation Buffer Overflow Vulnerability) and BID 15061 Microsoft Internet Explorer COM Object Instantiation Variant Vulnerability), however, a different set of COM objects are affected that were not addressed in the previous BIDs.

Affected Products:

• Avaya DefinityOne Media Servers
• Avaya DefinityOne Media Servers R10
• Avaya DefinityOne Media Servers R11
• Avaya DefinityOne Media Servers R12
• Avaya DefinityOne Media Servers R6
• Avaya DefinityOne Media Servers R7
• Avaya DefinityOne Media Servers R8
• Avaya DefinityOne Media Servers R9
• Avaya IP600 Media Servers
• Avaya IP600 Media Servers R10
• Avaya IP600 Media Servers R11
• Avaya IP600 Media Servers R12
• Avaya IP600 Media Servers R6
• Avaya IP600 Media Servers R7
• Avaya IP600 Media Servers R8
• Avaya IP600 Media Servers R9
• Avaya Modular Messaging (MAS)
• Avaya S8100 Media Servers
• Avaya S8100 Media Servers R10
• Avaya S8100 Media Servers R11
• Avaya S8100 Media Servers R12
• Avaya S8100 Media Servers R6
• Avaya S8100 Media Servers R7
• Avaya S8100 Media Servers R8
• Avaya S8100 Media Servers R9
• Avaya Unified Communications Center S3400
• Microsoft Internet Explorer 5.0.1
• Microsoft Internet Explorer 5.0.1 SP1
• Microsoft Internet Explorer 5.0.1 SP2
• Microsoft Internet Explorer 5.0.1 SP3
• Microsoft Internet Explorer 5.0.1 SP4
• Microsoft Internet Explorer 5.5
• Microsoft Internet Explorer 5.5 SP1
• Microsoft Internet Explorer 5.5 SP2
• Microsoft Internet Explorer 6.0
• Microsoft Internet Explorer 6.0 SP1
• Microsoft Internet Explorer 6.0 SP2 - do not use
• Microsoft Windows 2000 Server
• Microsoft Windows ME
• Microsoft Windows NT Server 4.0 SP6a
• Microsoft Windows Server 2003 Datacenter Edition
• Microsoft Windows Server 2003 Datacenter Edition Itanium
• Microsoft Windows Server 2003 Enterprise Edition
• Microsoft Windows Server 2003 Enterprise Edition Itanium
• Microsoft Windows Server 2003 Standard Edition
• Microsoft Windows Server 2003 Web Edition
• Microsoft Windows XP Home
• Microsoft Windows XP Professional

References:

• Avaya: ASA-2005-234 - Windows Security Updates for December 2005 (MS05-054 MS05-055)
• Microsoft: Microsoft Security Bulletin MS05-054

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.