cbcvebase.
CVE-2005-1790
published 2005-06-01

CVE-2005-1790: Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and…

PriorityP359low2.6CVSS 2.0
AVNACHAuNCNINAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
83.47%
99.6th percentile
Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."

Affected

2 ranges
VendorProductVersion rangeFixed in
microsoftinternet_explorer
microsoftinternet_explorer

Detection & IOCsextracted from sources · hover to see the quote

commandmigrate -f
  • Detect exploit delivery by matching HTTP responses containing both a JavaScript 'onLoad' handler invoking 'window()' and multiple iframe elements used for heap spray via prompt() calls.
  • Flag HTTP responses with 'Pragma: no-cache' and 'Content-Type: text/html' that also contain obfuscated JavaScript heap spray patterns (repeated unescape() calls with NOP sleds) targeting Internet Explorer 6.
  • Inspect User-Agent strings for 'MSIE 6.0' combined with 'Windows NT 5.1' or 'Windows NT 5.0' as the exploit auto-targets these combinations and will only proceed against them.
  • Monitor for iexplore.exe spawning child processes shortly after page load, consistent with the Metasploit post-exploitation 'migrate -f' auto-run script executing after successful shellcode delivery.
  • Detect heap spray pattern: JavaScript using unescape() to build large NOP sled blocks with a headersize of 20 bytes prepended, characteristic of this exploit's two-stage heap spray technique.
  • Alert on pages that open popup windows containing multiple hidden iframes (4 for XP targets, 8 for Windows 2000 targets) used to place shellcode return addresses via prompt() calls.

CVSS provenance

nvdv2.02.6LOWAV:N/AC:H/Au:N/C:N/I:N/A:P
vulncheck2.6LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.