Microsoft Internet Explorer is one of the most popular web browsers on the Internet. Internet Explorer is capable of rendering both static and dynamic web contents, such as DHTML. It can also be used to download files, play multi-media contents and open different file formats using various plug-ins.

Dynamic HTML, or DHTML, is an umbrella term for a collection of technologies used together to create interactive and animated web sites by using a combination of a static markup language (such as HTML), a client-side scripting language (such as JavaScript), a presentation definition language (such as CSS), and the Document Object Model.

“DHTML behaviors” is one of the DHTML features, which is supported by Internet Explorer. It enhances an HTML element’s default behavior, for example, shows different icons when the mouse hovers over the element. DHTML behaviors can be applied to an HTML element via scripting or via Cascading Style Sheets (CSS). For example,

h3 { behavior: url(#default#userData); } obj.style.behavior = "url('#default#userData')"; object.addBehavior("#default#userData");

userData behavior showed above is one of the DHTML behaviors. This behavior persists information across sessions by writing to a UserData store. The store provides a data structure that is more dynamic and has a greater capacity than cookies. With the userData behavior attached to an object, the default DHTML setAttribute and getAttribute methods are overridden by the class CPersistUserData to provide access to the userData store on a client machine. These methods provide storage and retrieval of persisted data.

A remote code execution vulnerability exists in Microsoft Internet Explorer. The flaw is due to an error in the PersistUserData::setAttribute() method. When an HTML object is assigned the #default#userData behavior, the vulnerable code overrides the default setAttribute method with CPersistUserData::setAttribute(). When the setAttribute method is invoked with a specific parameter, the vulnerable code stores the result and clears the object from memory. When Internet Explorer reloads the page or navigates into another page, it calls a method on the freed object which may enable remote attackers to inject and execute arbitrary code.

SonicWALL UTM team has researched this vulnerability and created two IPS signature to detect the attack attempts addressing this issue as bellow:

• 4836 MS IE Invalid Pointer Remote Code Execution Attempt 1
• 4837 MS IE Invalid Pointer Remote Code Execution Attempt 2

SonicWALL UTM team has also released the WAF signatures on SSLVPN devices as bellow:

• 1208 MS IE Invalid Pointer Remote Code Execution Attempt 1
• 1209 MS IE Invalid Pointer Remote Code Execution Attempt 2

This vulnerability is referred by the Common Vulnerabilities and Exposures (CVE) as CVE-2010-0806. The vendor Microsoft has also released Microsoft Security Advisory (981374).