
AL-2004.16 -- Exploit Code Publicly Available for Microsoft Internet Explorer Cross Domain Scripting Vulnerabilities.

Date: 08 July 2004
References: ESB-2004.0407  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2004.16 -- AUSCERT ALERT
   Exploit Code Publicly Available for Microsoft Internet Explorer Cross
                     Domain Scripting Vulnerabilities.
                               11 June 2004

===========================================================================

Product:                Microsoft Internet Explorer 6 and prior
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

AusCERT advises that working proof of concept exploit code has now been
published for all recent versions of Microsoft Internet Explorer. There
are reports of activity using this exploit. AusCERT expects this exploit
code to be utilised in the installation of trojan horse software which may
capture sensitive account details.

The exploit bypasses the security controls of IE to execute code in the "Local
Machine" zone instead of the "Internet" zone. Exploitation can result in
the execution of arbitrary code with the privileges of the current user
if they view a malicious web page or HTML email. This exploit is similar
to that detailed in AusCERT Update AU-2004.007.

All versions of Microsoft Internet Explorer are vulnerable and there are
currently no patches available.

AusCERT advises users and sites running Internet Explorer to evaluate
their exposure to these vulnerabilities and to apply the following
mitigation to reduce the risk of exploitation of these vulnerabilities:

  o Disable Active Scripting and ActiveX in the "Internet" and "Local 
    Machine" domains.

  o Apply the Outlook Email Security Update in order to open email messages
    in the Restricted Sites Zone.

  o Disable the ITS protocol handlers in the registry.

  o Use a different web browser.

There are five security zones used by IE and Outlook: Local Machine,
Intranet, Trusted, Internet and Restricted.  You can modify the Active
Scripting settings and other options in all zones (1 through 4) except
Local Machine with the Internet Options Control Panel.

Active Scripting can be manually disabled in the Local Machine zone by
modifying several registry entries:

[<KEY ROOT>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Change the value of "1004" (DWORD) to 3.
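
The check and change described above, as an added PowerShell example that is not
part of the original AusCERT alert. It assumes <KEY ROOT> stands for HKLM and HKCU
and that value data means 0 = Enabled, 1 = Prompt, 3 = Disabled; the parameter
names and the HKCU-only write are choices made for this example. The default value
name "1004" is the one given in the alert; Microsoft's documentation of the zone
registry entries lists 1400 as the Active scripting action, so run it again with
-Action 1400 to audit scripting itself.

```powershell
# Added example: audit (and optionally set) one URL-action value per security zone.
# Assumptions: <KEY ROOT> = HKLM and HKCU; data 0 = Enabled, 1 = Prompt, 3 = Disabled.
param(
    [string]$Action = '1004',   # value name given in the alert
    [int[]]$Zones   = 0..4,     # 0 = Local Machine ... 4 = Restricted
    [switch]$DisableInZone0     # write 3 to zone 0 under HKCU (example choice)
)

$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$meaning   = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$subKey    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ZoneAction {
    param([string]$Root, [int]$Zone, [string]$Name)
    $path = "${Root}:\$subKey\$Zone"
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $data = $null; $state = 'Not set'
    } else {
        $data  = [int]$item.$Name
        $state = if ($meaning.ContainsKey($data)) { $meaning[$data] } else { "Other ($data)" }
    }
    [pscustomobject]@{
        Root = $Root; Zone = $Zone; ZoneName = $zoneNames[$Zone]
        Action = $Name; Data = $data; State = $state
    }
}

if ($DisableInZone0) {
    # Apply the alert's change: set the value to 3 (DWORD) in Zones\0.
    $target = "HKCU:\$subKey\0"
    if (-not (Test-Path $target)) { New-Item -Path $target -Force | Out-Null }
    Set-ItemProperty -Path $target -Name $Action -Value 3 -Type DWord
}

# Read the value from both roots for every requested zone.
$report = foreach ($root in 'HKLM', 'HKCU') {
    foreach ($zone in $Zones) { Get-ZoneAction -Root $root -Zone $zone -Name $Action }
}
$report | Format-Table -AutoSize

# Flag the zones the alert names (Local Machine, Internet) where the value is not 3.
$report | Where-Object { ($_.Zone -in 0, 3) -and ($_.State -ne 'Disabled') } |
    ForEach-Object { Write-Warning "$($_.Root) zone $($_.Zone) ($($_.ZoneName)): $($_.Action) is $($_.State)" }
```
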

Additional technical information on Security Zones may be obtained from
Microsoft's websites:

http://support.microsoft.com/?kbid=315933
http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp

Further technical details regarding this proof of concept and the
vulnerabilities may be obtained from:

http://www.kb.cert.org/vuls/id/713878
http://secunia.com/advisories/11793/
http://lists.netsys.com/pipermail/full-disclosure/2004-June/022331.html
http://62.131.86.111/analysis.htm

AusCERT will continue to monitor these vulnerabilities and any changes in
exploit activity. AusCERT members will be updated as information becomes
available.
- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication. 
However, the decision to follow or act on information or advice contained in 
this security bulletin is the responsibility of each user or organisation, and 
should be considered in accordance with your organisation's site policies and 
procedures. AusCERT takes no responsibility for consequences which may arise 
from following or acting on information or advice contained in this security 
bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.
	
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQMj7JSh9+71yA2DNAQLq5gP/f60RhXJQrkUwXtxTwIzZRHwbYy6qcIhF
nN6p/60ZKuXDl19PiVLr306tftFBnGWN4r0ybqzVcZZInMcOjT+cQNSNq1zSjtCu
amVAScWNQj6BIyVrqxAvMRo4FuOaBe029jwtWDEyE9KuRTgYw24f8wsugHnii9qs
Vj6Yy25x9fk=
=hMUP
-----END PGP SIGNATURE-----