Browser Security Test

Internet Explorer createTextRange arbitrary code execution (CVE-2006-1359)

Description

Microsoft Internet Explorer has a vulnerability in handling JavaScript code calling createTextRange() function on some HTML objects . A web page containing specially crafted JavaScript code can cause Internet Explorer to execute arbitrary code.

This is an arbitrary code execution vulnerability. It means that it can be used to place a backdoor, a virus or spyware on a vulnerable computer.

Recommendations

If you are using Microsoft Windows we recommend using Windows Update to correct this problem. See also Microsoft Security Bulletin MS06-013 for information about the patch for this problem.

If you are not using Microsoft Windows, this result is most probably a false positive. Try running the test for this vulnerability again. If your browser does not crash during the test for this vulnerability, it is not vulnerable.

References

• Microsoft Security Bulletin MS06-013
• CVE ID CVE-2006-1359
• Stelian Ene. IE Crash. Full-disclosure mailing list.