CVE-2006-1303

Name of the Vulnerable Software and Affected Versions Microsoft Internet Explorer versions 5.01 SP4 and 6 SP1 and earlier

Description The issue allows remote attackers to execute arbitrary code by instantiating certain COM objects as ActiveX controls, including DXImageTransform.Microsoft.MMSpecialEffect1Input, DXImageTransform.Microsoft.MMSpecialEffect1Input.1, DXImageTransform.Microsoft.MMSpecialEffect2Inputs, DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, causing memory corruption during garbage collection. A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited the specially crafted Web site.

Recommendations For Microsoft Internet Explorer versions 5.01 SP4 and 6 SP1 and earlier, consider disabling the instantiation of COM objects as ActiveX controls, specifically those related to DXImageTransform.Microsoft.MMSpecialEffect1Input, DXImageTransform.Microsoft.MMSpecialEffect1Input.1, DXImageTransform.Microsoft.MMSpecialEffect2Inputs, DXImageTransform.Microsoft.MMSpecialEffect2Inputs.1, DXImageTransform.Microsoft.MMSpecialEffectInplace1Input, and DXImageTransform.Microsoft.MMSpecialEffectInplace1Input.1, until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.