CVE-2006-3730
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on affected systems through an integer overflow in Internet Explorer's WebViewFolderIcon ActiveX object. Attackers can exploit this by tricking users into visiting malicious websites, leading to potential system compromise. Users running Internet Explorer 6 on Windows XP SP2 are primarily affected.
💻 Affected Systems
- Microsoft Internet Explorer
📦 What is this software?
Internet Explorer by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with remote code execution, allowing attackers to install malware, steal data, or create persistent backdoors.
Likely Case
System crash (denial of service) followed by potential malware installation if combined with social engineering to lure users to malicious sites.
If Mitigated
Limited impact with proper network segmentation, application whitelisting, and user education about suspicious websites.
🎯 Exploit Status
Exploit code is publicly available and requires minimal user interaction (visiting malicious webpage).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MS06-042 security update
Vendor Advisory: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-042
Restart Required: Yes
Instructions:
1. Apply Microsoft Security Bulletin MS06-042 patch.
2. Restart system.
3. Verify IE version is updated.
🔧 Temporary Workarounds
Disable ActiveX for Internet Zone
(Windows) Prevents WebViewFolderIcon ActiveX object from executing in Internet zone
Open Internet Options > Security tab > Internet zone > Custom Level > Set 'Initialize and script ActiveX controls not marked as safe' to Disable
Set Kill Bit for WebViewFolderIcon
(Windows) Prevents vulnerable ActiveX control from loading
Create registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849} with DWORD 'Compatibility Flags' = 0x400
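An added example (not part of the original advisory) that audits the kill-bit workaround above and can apply it, using the CLSID and flag value given on this page. Assumptions: PowerShell 3.0 or later, an elevated session for the write, and that 32-bit IE on 64-bit Windows reads the Wow6432Node copy of the key; the function names are hypothetical.

```powershell
# Added example: audit (and optionally set) the WebViewFolderIcon kill bit.
# CLSID and flag value are taken from this page.
$Clsid   = '{e5df9d10-3b52-11d1-83e8-00a0c90dc849}'
$KillBit = 0x400
$Name    = 'Compatibility Flags'

# Native registry view plus the 32-bit view on 64-bit Windows (assumption).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$Root)
    $path = Join-Path $Root $Clsid
    $flags = $null
    if (Test-Path -LiteralPath $path) {
        $flags = (Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    [pscustomobject]@{
        Path       = $path
        Flags      = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { $null }
        # Test the bit itself: other compatibility flags may share the DWORD.
        KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
    }
}

function Set-KillBit {
    param([string]$Root)
    $path = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
    $cur = (Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $cur) { $cur = 0 }
    # OR the bit in so any flags already present are preserved.
    New-ItemProperty -LiteralPath $path -Name $Name -PropertyType DWord `
        -Value ($cur -bor $KillBit) -Force | Out-Null
}

# Only touch registry views that exist on this machine.
$existing = $Roots | Where-Object { Test-Path -LiteralPath $_ }

# To apply the workaround, uncomment the next line:
# $existing | ForEach-Object { Set-KillBit $_ }

$existing | ForEach-Object { Get-KillBitState $_ } | Format-Table -AutoSize
```

A row with KillBitSet = False in either registry view means the control can still be instantiated by the IE build that reads that view.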
🧯 If You Can't Patch
- Upgrade to newer Windows/IE versions (Windows 7+ with IE8+ or modern browser)
- Implement network segmentation to isolate vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check IE version (Help > About Internet Explorer) and verify if MS06-042 patch is installed via Windows Update history
Check Version:
reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer" /v Version
Verify Fix Applied:
Verify MS06-042 appears in installed updates list and IE version shows post-patch build
📡 Detection & Monitoring
Log Indicators:
- IE crash logs with exception codes related to memory access violations
- Windows Event Logs showing application crashes from iexplore.exe
Network Indicators:
- HTTP traffic to suspicious domains with ActiveX object loading patterns
- Unusual outbound connections following IE crashes
SIEM Query:
source="windows" AND ((process="iexplore.exe" AND exception_code="0xC0000005") OR (event_id="1000" AND application_name="iexplore.exe"))
🔗 References
- http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html
- http://isc.sans.org/diary.php?storyid=1742
- http://riosec.com/msie-setslice-vuln
- http://secunia.com/advisories/22159
- http://securitytracker.com/id?1016941
- http://www.kb.cert.org/vuls/id/753044
- http://www.osvdb.org/27110
- http://www.securityfocus.com/archive/1/447174/100/0/threaded
- http://www.securityfocus.com/archive/1/447383/100/100/threaded
- http://www.securityfocus.com/archive/1/447426/100/0/threaded
- http://www.securityfocus.com/archive/1/447490/100/0/threaded
- http://www.securityfocus.com/archive/1/449179/100/0/threaded
- http://www.securityfocus.com/bid/19030
- http://www.us-cert.gov/cas/techalerts/TA06-270A.html
- http://www.us-cert.gov/cas/techalerts/TA06-283A.html
- http://www.vupen.com/english/advisories/2006/2882
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-057
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27804
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A339
- https://www.exploit-db.com/exploits/2440