Microsoft Internet Explorer

[Guest LilBambi]

Microsoft Internet Explorer is prone to a boundary condition error. If the 'Align' attribute of the 'HR' tag is given an excessively large value, a buffer within IE will be overrun, causing it to fail.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

Microsoft Internet Explorer HR Align Buffer Overflow VulnerabilityAs far as which versions are vulnerable, it would be easier to say which ones are NOT vulnerable and that answer would be none.

A malicious HTML page provided by a website, email message or other source can cause a stack-based buffer overflow in Internet Explorer allowing for the execution of arbitrary code.The overflow can be triggered by specially crafted script that attempts to manipulate a horizontal rule tag with an overlong "align" attribute. An example demonstrating the overflow has been posted, but writing a code execution exploit is believed challenging because the shellcode must contain only printable ASCII characters.

Please note that SANS also says this is a challenging type of Exploit because it is a stack-based buffer overflow that would be otherwise straightforward to exploit except that the shellcode must be written entirely in ASCII printable characters.