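Vulnerability Details
Microsoft IE MSN heartbeat.ocx Heap Overflow Vulnerability
- CNNVD ID: CNNVD-200502-026
- Severity: Critical
- CVE ID: CVE-2004-0978
- Vulnerability type: Buffer overflow
- Published: 2004-10-12
- Threat type: Remote
- Updated: 2005-10-20
- Vendor:
- Vulnerability source: NGSSoftware Insigh…
Vulnerability Summary
Microsoft MSN heartbeat.ocx is a component invoked by IE on some MSN gaming sites.
Microsoft MSN heartbeat.ocx lacks sufficient bounds checking on several parameters. A remote attacker may be able to exploit this vulnerability to execute arbitrary instructions on the system with the privileges of the process.
The vulnerability is in the MSN Heartbeat ActiveX component, which is typically offered for installation on some MSN gaming sites and is marked safe for scripting by default. When the Heartbeat control is initialized on a web page, several parameters must be set, such as URLs or filenames. Supplying an overly long string to the SetupData parameter can cause a heap-based buffer overflow, and carefully crafted input may execute arbitrary instructions with the privileges of the process.
Vulnerability Advisory
The vendor has released patches to fix this security issue. Patch download links: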
Microsoft Internet Explorer 5.5 SP2
Microsoft Cumulative Security Update for Internet Explorer 5.5 Service Pack 2 (KB834707) – English
For Microsoft Windows Millennium Edition.
http://www.microsoft.com/downloads/details.aspx?FamilyId=BE27F77C-3C2D-45F1-86DF-2B71799DA169&displaylang=en
Microsoft Internet Explorer 6.0 SP1
Microsoft Cumulative Security Update for Internet Explorer 6 Service Pack 1 for Windows 98, Windows NT and Wi
For Microsoft Windows 98, Windows 98 Second Edition, Windows ME, and Windows NT4 Server.
http://www.microsoft.com/downloads/details.aspx?FamilyId=DE8D94C4-7F58-4CE7-B8BD-51CFD795B03E&displaylang=en
Microsoft Cumulative Security Update for Internet Explorer 6 Service Pack 1 for Windows XP and Windows 2000 (
For Microsoft Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP, and Windows XP Service Pack 1.
http://www.microsoft.com/downloads/details.aspx?FamilyId=7C1404E6-F5D4-4FED-9573-DD83F2DFF074&displaylang=en
Microsoft Cumulative Security Update for Internet Explorer 6 SP1 64-bit Edition (KB834707)
For Microsoft Windows XP SP1 64-bit.
http://www.microsoft.com/downloads/details.aspx?FamilyId=C05103E8-4402-4D54-BA03-FBBC24142E4D&displaylang=en
Microsoft Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB834707)
For Microsoft Windows Server 2003 Family.
http://www.microsoft.com/downloads/details.aspx?FamilyId=19E69E5F-9C98-49AD-A61F-4F82A4014412&displaylang=en
Microsoft Cumulative Security Update for Internet Explorer for Windows Server 2003 64-bit Edition (KB834707)
For Microsoft Windows Server 2003 Family (64-bit).
http://www.microsoft.com/downloads/details.aspx?FamilyId=566C2A05-2513-4E30-A3EA-87D4BF7F9730&displaylang=en
Microsoft Internet Explorer 6.0 SP2 – do not use
Microsoft Cumulative Security Update for Internet Explorer for XP Service Pack 2 (KB834707)
For Microsoft Windows XP Service Pack 2.
http://www.microsoft.com/downloads/details.aspx?FamilyId=CF47B515-3F51-43E1-9246-2C2264C49E2E&displaylang=en
Microsoft Internet Explorer 6.0
Microsoft Cumulative Security Update for Internet Explorer 6 (KB834707)
For Windows XP.
http://www.microsoft.com/downloads/details.aspx?FamilyId=A89CFBE8-C299-415D-A9D6-7CC6429C547D&displaylang=en
Microsoft Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB834707)
For Microsoft Windows Server 2003 Family.
http://www.microsoft.com/downloads/details.aspx?FamilyId=19E69E5F-9C98-49AD-A61F-4F82A4014412&displaylang=en
Microsoft Cumulative Security Update for Internet Explorer for Windows Server 2003 64-bit Edition (KB834707)
For Microsoft Windows Server 2003 Family (64-bit).
http://www.microsoft.com/downloads/details.aspx?FamilyId=566C2A05-2513-4E30-A3EA-87D4BF7F9730&displaylang=en
Microsoft Internet Explorer 5.0.1 SP4
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 4 (KB834707)
For Windows 2000 Service Pack 4.
http://www.microsoft.com/downloads/details.aspx?FamilyId=72DBE239-AF0A-42B5-B88C-A00371F6EC81&displaylang=en
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 3 (KB834707)
For Windows 2000 Service Pack 3.
http://www.microsoft.com/downloads/details.aspx?FamilyId=2D8E8E97-4946-4994-924B-1FB1DC1881BA&displaylang=en
References
Source: US-CERT
Name: VU#673134
Link: http://www.kb.cert.org/vuls/id/673134
Source: XF
Name: heartbeat-activex(17714)
Link: http://xforce.iss.net/xforce/xfdb/17714
Source: BID
Name: 11367
Link: http://www.securityfocus.com/bid/11367
Source: MISC
Link: http://www.ngssoftware.com/advisories/heartbeatfull.txt
Source: MS
Name: MS04-038
Link: http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx
Source: BUGTRAQ
Name: 20050119 MSN Heartbeat Control Buffer Overflow
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110616221411579&w=2