Microsoft JVIEW Profiler Vulnerability & Public Exploit
infectionvectors.com, July 2005
Outside its normal release cycle for such warnings, Microsoft issued a fairly serious alert for a problem with Internet Explorer: a condition that allows remote code execution. The flaw, a heap instantiation vulnerability found in “javaprxy.dll” (the JVIEW profiler), could be exploited via a malicious email that points a user to a web site hosting the code described below. Because the alert was released outside the normal process, public concept code already exists, and the flaw is fairly easy to incorporate into a worm, it is a good candidate for additional malware. Microsoft made a number of recommendations for mitigating the threat posed by this flaw, including disabling automatic ActiveX execution. No patch currently exists.
The Microsoft Bulletin: http://www.microsoft.com/technet/security/advisory/903144.mspx
The exploitation strategy is similar to many other types of IE-injected attacks; the user must open an affected web site, likely a URL sent via email. Note that previous attackers have also used banner ad links, requiring no action on the user’s part.
FrSIRT published a proof-of-concept for anyone interested in the code: http://www.frsirt.com/exploits/20050702.iejavaprxyexploit.pl.php
Also check out an initial report showing the DoS of IE here: http://www.sec-consult.com/184.html
Copyright © 2005 infectionvectors.com. All rights reserved.