March 27, 2006 Determina Fix for CVE-2006-1359 (Zero Day MS Internet Explorer Remote "CreateTextRange()" Code Execution) Overview & Instructions On Downloading The Free Determina Shield For CVE-2006-1359 Based on the same technology used in the VPS LiveShield product, Determina has engineered a standalone fix that provides free and immediate protection to users worldwide that need to protect systems from related attacks until such time as Microsoft issues its own patch. Note that current Determina VPS customers do not have to apply this patch as they have been protected against this attack without the need for any update. The source code of the Shield is included in the download for review by any independent security expert. This free, standalone fix from Determina can be downloaded from the following link: DETCVE-2006-1359.msi (www.determina.com/security_center/download/DETCVE-2006-1359.msi) MD5: 85b8bfc1c30c6b4451a3ab803f49708b SHA1: 308ae9a79e48adecf769fd50ac29ddc37a07d33c Threat Severity Critical; There is currently no known vendor patch released for this vulnerability. Determina is aware of multiple exploits circulating on the Internet that can compromise vulnerable systems. This fix can be applied to: Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 6.0 Overview This is a runtime fix for the IE createTextRange() vulnerability. It can be applied to Windows 2000, XP and 2003 systems running Internet Explorer 5.01 and 6.0. The vulnerability lies in the MSHTML.DLL rendering engine which is loaded into many applications for HTML rendering, including but not limited to Internet Explorer and Microsoft Office. The installation of the fix consists of adding the fix DLL to the AppInit_DLLs registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows The MSI installer will do this automatically. This will enable loading this fix DLL into all the vulnerable applications. The fix does not modify any file or application on the disk. It will only modify the vulnerable applications and DLLs in memory. The fix will not be applied to any processes that are running at the time of the installation. To enable the patch, you have to restart IE, Outlook and any other process that need to be protected. After the installation, run status.exe to verify that your system is protected. If you have a version of MSHTML.DLL that the patch does not support, status.exe will report that the protection is not active. Once Microsoft releases an official patch and it is installed by the user, the Determina Shield will not be applied any more. Determina recommends uninstalling this fix even though keeping it active will not affect the system. To uninstall the fix, use "Add Remove Programs" in the Control Panel. To uninstall it manually, remove the DLL from the AppInit_DLLs key and restart your machine. You can then safely delete the DLL. This tool requires administrative privileges on the vulnerable machines in order to install the fix. References http://www.determina.com/security_center/default.asp http://secunia.com/advisories/18680/ http://www.frsirt.com/english/advisories/2006/1050 http://www.microsoft.com/technet/security/advisory/917077.mspx CVE-2006-1359 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2006-1359 About Determina DeterminaT represents the next generation of intrusion prevention software that goes beyond mere detection and current "best-effort" prevention to fully eliminate the threat of the most critical software attacks. Based on years of research at M.I.T., Determina utilizes unique patent-pending Memory FirewallT technology which blocks attacks at the most fundamental level, by dynamically building a protective shield around programs while they run in computer memory. This groundbreaking approach has proven to be 100% effective against all memory-based attacks - such as Code Red, Blaster, Slammer and Sasser - without false positives or ongoing overhead Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Determina) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
