This is a tweak on the original exploit referenced in Microsoft Security Advisory 917077 ( If successful, the arbitrary code embedded into the exploit (refered to as the "payload") is executed on the targetted user machine.

The vulnerability is due to an error in the processing of the "createTextRange()" method call applied on a radio button control within a web page. The vulnerability can then be exploited pointing to the attackers code of his/her choice (e.g. arbitrary code). As of the time of this writing, all known versions of Internet Explorer with fully patched XP (+SP2) are vulnerable, beginning with v5.01 and through v7.

In this version of the exploit, the time to wait before the execution of the payload (aka hacker's code and potentially damaging payload) is minimized.

Microsoft is aware of the vulnerability and projects a patch availability date of April 11 2006, although allegedly disabling "Active Scripting" in the web browser would circumvent the attack method.

When viewing a page containing the malicious Javascript in Microsoft Internet Explorer (see affected versions below), the memory heap is filled by code transfer patterns (typically, NOP instructions) pre-pending a shellcode (the "payload"). Then the vulnerable CreateTextRange() DHTML method is called on a "Checkbox" object, which transfers control to the heap. After sliding through the NOPs, control is therefore transfered to the shellcode.

Vulnerable Configurations (according to Microsoft advisory)

  • Internet Explorer 5.01 SP 4 on MS Win2000 SP 4
  • Internet Explorer 6 SP1 on MS Win2000 SP 4
  • Internet Explorer 6 SP1 on MS WinXP SP 1
  • Internet Explorer 6 for MS WinXP SP 2
  • Internet Explorer 6 for MS Windows Server 2003 and Microsoft Windows Server 2003 SP 1
  • Internet Explorer 6 for MS Windows Server 2003 for Itanium-based Systems, MS Windows Server 2003 with SP1 for Itanium-based Systems
  • Internet Explorer 6 for MS Windows Server 2003 x64 Edition, and MS Windows XP Pro x64 Edition
  • Internet Explorer 6 SP 1 on MS Win98, on MS Win98SE, or on MS WinME

Additional Resources


Recommended Action

    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option
    FortiClient systems:
  • Quarantine/Delete infected files detected
  • This vulnerability is corrected if using MS06-013 MS Security Update.