Date: 27 August 2003
References: ESB-2003.0588
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0601 -- CERT Advisory CA-2003-22
Multiple Vulnerabilities in Microsoft Internet Explorer
27 August 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Internet Explorer 6.01
Internet Explorer 5.50
Internet Explorer 5.01
Publisher: CERT/CC
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access Required: Remote
CVE Names: CAN-2003-0344
Ref: AA-2003.03
ESB-2003.0588
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-22 Multiple Vulnerabilities in Microsoft
Internet Explorer
Original issue date: August 26, 2003
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
Microsoft Windows systems running
* Internet Explorer 5.01
* Internet Explorer 5.50
* Internet Explorer 6.01
Previous, unsupported versions of Internet Explorer may also be
affected.
Overview
Microsoft Internet Explorer (IE) contains multiple vulnerabilities,
the most serious of which could allow a remote attacker to execute
arbitrary code with the privileges of the user running IE.
I. Description
Microsoft Security Bulletin MS03-032 describes five vulnerabilities
in Internet Explorer. These vulnerabilities are listed below.
More detailed information is available in the individual
vulnerability notes. Note that in addition to IE, any applications
that use the IE HTML rendering engine to interpret HTML documents
may present additional attack vectors for these vulnerabilities.
VU#205148 - Microsoft Internet Explorer does not properly evaluate
Content-Type and Content-Disposition headers
A cross-domain scripting vulnerability exists in the way IE
evaluates Content-Type and Content-Disposition headers and checks
for files in the local browser cache. This vulnerability could
allow a remote attacker to execute arbitrary script in a
different domain, including the Local Machine Zone.
(Other resources: SNS Advisory No.67, CAN-2003-0531)
VU#865940 - Microsoft Internet Explorer does not properly evaluate
"application/hta" MIME type referenced by DATA attribute of OBJECT
element
IE will execute an HTML Application (HTA) referenced by the DATA
attribute of an OBJECT element if the Content-Type header
returned by the web server is set to "application/hta". An
attacker could exploit this vulnerability to execute arbitrary
code with the privileges of the user running IE.
(Other resources: eEye Digital Security Advisory AD20030820,
CAN-2003-0532)
VU#548964 - Microsoft Windows BR549.DLL ActiveX control contains
vulnerability
The Microsoft Windows BR549.DLL ActiveX control, which provides
support for the Windows Reporting Tool, contains an unknown
vulnerability. The impact of this vulnerability is not known.
VU#813208 - Internet Explorer does not properly render an input
type tag
IE does not properly render an input type tag, allowing a remote
attacker to cause a denial of service.
VU#334928 - Microsoft Internet Explorer contains buffer overflow in
Type attribute of OBJECT element on double-byte character set
systems
Certain versions of IE that support double-byte character sets
(DBCS) contain a buffer overflow vulnerability in the Type
attribute of the OBJECT element. A remote attacker could execute
arbitrary code with the privileges of the user running IE.
(Other resources: SNS Advisory No.68, Microsoft Security Bulletin
MS03-020, CAN-2003-0344)
II. Impact
These vulnerabilities have different impacts, ranging from denial
of service to execution of arbitrary commands or code. Please see
the individual vulnerability notes for specific information. The
most serious of these vulnerabilities (VU#865940) could allow a
remote attacker to execute arbitrary code with the privileges of
the user running IE. The attacker could exploit this vulnerability
by convincing the user to access a specially crafted HTML document,
such as a web page or HTML email message. No user intervention is
required beyond viewing the attacker's HTML document with IE.
III. Solution
Apply a patch
Apply the appropriate patch as specified by Microsoft Security
Bulletin MS03-032.
In addition to addressing these vulnerabilities, the patch also
changes the behavior of the HTML Help system (see VU#25249):
As with the previous Internet Explorer cumulative patches
released with bulletins MS03-004, MS03-015, and MS03-020 this
cumulative patch will cause window.showHelp() to cease to
function if you have not applied the HTML Help update. If you
have installed the updated HTML Help control from Knowledge Base
article 811630, you will still be able to use HTML Help
functionality after applying this patch.
Appendix A. Vendor Information
This appendix contains information provided by vendors. When
vendors report new information, this section is updated and the
changes are noted in the revision history. If a vendor is not
listed below, we have not received their comments.
Microsoft
Please see Microsoft Security Bulletin MS03-032.
Appendix B. References
* CERT/CC Vulnerability Note VU#205148 -
<http://www.kb.cert.org/vuls/id/205148>
* CERT/CC Vulnerability Note VU#865940 -
<http://www.kb.cert.org/vuls/id/865940>
* CERT/CC Vulnerability Note VU#548964 -
<http://www.kb.cert.org/vuls/id/548964>
* CERT/CC Vulnerability Note VU#813208 -
<http://www.kb.cert.org/vuls/id/813208>
* CERT/CC Vulnerability Note VU#334928 -
<http://www.kb.cert.org/vuls/id/334928>
* CERT/CC Vulnerability Note VU#25249 -
<http://www.kb.cert.org/vuls/id/25249>
* eEye Digital Security Advisory AD20030820 -
<http://www.eeye.com/html/Research/Advisories/AD20030820.html>
* SNS Advisory No. 67 -
<http://www.lac.co.jp/security/english/snsadv_e/67_e.html>
* SNS Advisory No. 68 -
<http://www.lac.co.jp/security/english/snsadv_e/68_e.html>
* Microsoft Security Bulletin MS03-032 -
<http://microsoft.com/technet/security/bulletin/MS03-032.asp>
* Microsoft KB Article 822925 -
<http://support.microsoft.com/default.aspx?scid=kb;en-us;822925>
_________________________________________________________________
Microsoft credits eEye Digital Security, LAC, and KPMG UK for
reporting these vulnerabilities. Information from eEye, LAC, and
Microsoft was used in this document.
_________________________________________________________________
Feedback can be directed to the author, Art Manion.
______________________________________________________________________
This document is available from:
<http://www.cert.org/advisories/CA-2003-22.html>
______________________________________________________________________
CERT/CC Contact Information
Email: <cert@cert.org>
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
<http://www.cert.org/CERT_PGP.key>
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
<http://www.cert.org/>
To subscribe to the CERT mailing list for advisories and bulletins,
send email to <majordomo@cert.org>. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
August 26, 2003: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBP0u+smjtSoHZUTs5AQF7FwQAl/9veQraef6h9lFcN+5dtxDz2xAecek/
NUPTSzatHC+E1pc+f2IcqJh01YMsM1BXpr6sPmA5FK+2fvfuvj875NnIXIztxYWe
yV5howmUOCSPpDuV6Nasdebqq4mlBygO4R8gx1MeUBj4BEvG7mLs7k7z24kkDodv
cf0X647ejlM=
=UWNE
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBP0w9Ayh9+71yA2DNAQEdawP/X0dyZs0+KJxiENp0xih2CW96jOECHjx9
6msbKlczJu3mCCdusT8sBrtt3r4hGpjc3JOHBkKay2hvGFr/kGubdnlsyHZah3/t
2tZFvra6KwUDw/iCEa8vlsTfE6K8mOWkbjj69XVC7R+ko8RSyEX+u7VysiIGUqOW
nwhBBFD7n9A=
=1HAm
-----END PGP SIGNATURE-----
|