Vulnerability Description
Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ati | Catalyst Driver | All versions |
| Microsoft | .Net Framework | 1.1 |
| Microsoft | Office | All versions |
| Microsoft | Project | 98 |
| Microsoft | Visio | 2000 |
| Microsoft | Visual Studio .Net | 2002 |
References
- http://isc.sans.org/diary.php?date=2005-08-18 (Third Party Advisory)
- http://secunia.com/advisories/16480 (Patch, Vendor Advisory)
- http://secunia.com/advisories/17172 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/17223 (Permissions Required, Third Party Advisory)
- http://secunia.com/advisories/17509 (Permissions Required, Third Party Advisory)
- http://securityreason.com/securityalert/72 (Third Party Advisory)
- http://securitytracker.com/id?1014727 (Exploit, Patch, Third Party Advisory)
- http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf (Third Party Advisory)
- http://www.kb.cert.org/vuls/id/740372 (Third Party Advisory, US Government Resource)
- http://www.kb.cert.org/vuls/id/898241 (Third Party Advisory, US Government Resource)
- http://www.kb.cert.org/vuls/id/959049 (Third Party Advisory, US Government Resource)
- http://www.microsoft.com/technet/security/advisory/906267.mspx (Mitigation, Patch, Vendor Advisory)
- http://www.securityfocus.com/archive/1/470690/100/0/threaded
- http://www.securityfocus.com/bid/14594 (Exploit, Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/15061 (Third Party Advisory, VDB Entry)
FAQ
What is CVE-2005-2127?
CVE-2005-2127 is a vulnerability with a CVSS score of 7.5 (HIGH). Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that refer...
How severe is CVE-2005-2127?
CVE-2005-2127 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2005-2127?
Check the references section above for vendor advisories and patch information. Affected products include: Ati Catalyst Driver, Microsoft .Net Framework, Microsoft Office, Microsoft Project, Microsoft Visio.