AL-2004.024 -- Critical Vulnerability in Internet Explorer Allows Remote Compromise

Date: 24 August 2004
References: ESB-2003.0775  AL-2004.032  AL-2004.036  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2004.024 -- AUSCERT ALERT
   Critical Vulnerability in Internet Explorer Allows Remote Compromise
                              24 August 2004

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:                Microsoft Internet Explorer 6 and prior
Publisher:              AusCERT
Operating System:       Windows
Impact:                 Create Arbitrary Files
                        Execute Arbitrary Code/Commands
Access:                 Remote/Unauthenticated

Ref:                    ESB-2003.0775


PROBLEM:  

	A critical vulnerability in all current versions of Microsoft Internet
	Explorer allows a remote attacker to plant executable files anywhere on
	the user's filesystem.

	This can be used by attackers to remotely compromise the system.

	"http-equiv" has discovered that Internet Explorer does not adequately
	validate drag and drop events from the "Internet" zone to the local 
	computer zone.


VERSIONS: 

	All current versions of Internet Explorer are vulnerable, up to and
	including Windows XP systems with Service Pack 2 installed. 


IMPACT:   

	An attacker can plant executable files anywhere on the user's 
	filesystem. This then allows remote execution of arbitrary code.

	AusCERT advises that working proof of concept exploits have now been 
	published that plant an executable file into a user's Startup folder. 

	The current proofs of concept are triggered when a user either moves 
	the scrollbar or drags a program masquerading as an image. However, it 
	has been suggested that it may be possible to create exploits that 
	only require a single click.[1]


MITIGATION: 

	There are currently no patches available to fix this vulnerability.

	AusCERT advises users and sites running Internet Explorer to evaluate
	their exposure to these vulnerabilities and to apply the following
	mitigation to reduce the risk of exploitation:

	  o Disable Active Scripting and ActiveX in the "Internet" and "Local 
	    Machine" zones.

	  o Use a different web browser.

	Additional mitigation steps can also be found in the AusCERT paper 
	titled "Protecting your computer from malicious code".[2]

	Further details regarding the vulnerability may be obtained from 
	Secunia's bulletin.[1]

	Instructions for disabling active content in Internet Explorer can be
	obtained from Microsoft's website.[3]

	Additional technical information on Security Zones may be obtained from
	Microsoft's website.[4],[5]
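
An added example, not part of the AusCERT alert: a Python check that reads the text of a registry export of the Internet Settings zone keys and lists where Active Scripting or ActiveX is not set to Disable in the two zones named in the mitigation. The zone numbers (0, 3) and action IDs (1200, 1400) are Internet Explorer's registry identifiers and do not appear in the alert; the sample export is constructed.

```python
import re

# Zone numbers and URL action IDs used by Internet Explorer under
# ...\Internet Settings\Zones\<n>. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
ZONES = {"0": "Local Machine (My Computer)", "3": "Internet"}
ACTIONS = {"1200": "Run ActiveX controls and plug-ins", "1400": "Active scripting"}
DISABLED = 3

SECTION = re.compile(r"^\[(.+\\Internet Settings\\Zones\\(\d+))\]$", re.I)
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_zones(reg_text):
    """Return {zone: {action_id: int}} from the text of a .reg export."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = SECTION.match(line)
            current = zones.setdefault(m.group(2), {}) if m else None
        elif current is not None:
            m = DWORD.match(line)
            if m:
                current[m.group(1).upper()] = int(m.group(2), 16)
    return zones

def audit(reg_text):
    """List (zone, action, state) for every checked setting that is not Disable."""
    zones = parse_zones(reg_text)
    findings = []
    for z, zname in ZONES.items():
        for a, aname in ACTIONS.items():
            value = zones.get(z, {}).get(a)
            if value != DISABLED:  # Prompt (1) and missing values are reported too
                state = "not set" if value is None else f"value {value}"
                findings.append((zname, aname, state))
    return findings

# Constructed sample export: zone 0 still runs ActiveX, zone 3 prompts for scripting.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000000
"1400"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000003
"1400"=dword:00000001
"""
```

Call `audit()` on the decoded text of an export; files written by `reg export` are UTF-16, so decode them before passing the text in. A setting that is absent from the export is reported as "not set" because the effective value then comes from defaults or policy rather than this key.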

	AusCERT will continue to monitor this vulnerability and any changes in
	exploit activity. AusCERT members will be updated as information becomes
	available.


REFERENCES:

	[1] Microsoft Internet Explorer Drag and Drop Vulnerability
	    http://secunia.com/advisories/12321/

	[2] Protecting your computer from malicious code
	    http://www.auscert.org.au/render.html?it=3352

	[3] How to Disable Active Content in Internet Explorer
	    http://support.microsoft.com/default.aspx?scid=kb;en-us;q154036

	[4] Introduction to URL Security Zones
	    http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp

	[5] How to Enable the My Computer Security Zone in Internet Options
	    http://support.microsoft.com/?kbid=315933


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQSrmjCh9+71yA2DNAQK/JgP+KcCTDCTzt5uiKFnJ0Z8v7fjBIuG/CvEo
gdNfvclZqfEiiyMlpw/mXhD4QH/2SZJvrP+8uoaU3N4naTgdJ7iJit5rDXeYU8WJ
IYpxu7IaoE5APsek+HCA67mH1WN5YqSd5/a2f7UIT/He7Jq9bevhVWCeAVpWMkRg
fvghvMfpukQ=
=+sHN
-----END PGP SIGNATURE-----