Date: 15 June 2004
References:
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2004.0407 -- US-CERT Technical Cyber Security Alert TA04-163A
Cross-Domain Redirect Vulnerability in Internet Explorer
15 June 2004
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Internet Explorer 6 and prior
Outlook and Outlook Express
Impact: Execute Arbitrary Code/Commands
Access Required: Remote
CVE Names: CAN-2004-0549
Ref: AL-2004.16
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA04-163A
Cross-Domain Redirect Vulnerability in Internet Explorer
Original release date: June 11, 2004
Last revised: --
Source: US-CERT
Systems Affected
Microsoft Windows systems
Overview
A cross-domain vulnerability in Internet Explorer (IE) could allow an
attacker to execute arbitrary code with the privileges of the user
running IE.
I. Description
There is a cross-domain vulnerability in the way IE determines the
security zone of a browser frame that is opened in one domain then
redirected by a web server to a different domain. A complex set of
conditions is involved, including a delayed HTTP response (3xx status
code) to change the content of the frame to the new domain.
Vulnerability Note VU#713878 describes this vulnerability in more
technical detail and will be updated as further information becomes
available.
Other programs that host the WebBrowser ActiveX control or use the
MSHTML rendering engine, such as Outlook and Outlook Express, may also
be affected.
This issue has been assigned CVE CAN-2004-0549.
II. Impact
By convincing a victim to view an HTML document (web page, HTML
email), an attacker could execute script in a different security
domain than the one containing the attacker's document. By causing
script to be run in the Local Machine Zone, the attacker could execute
arbitrary code with the privileges of the user running IE.
Publicly available exploit code exists for this vulnerability, and
US-CERT has monitored incident reports that indicate that this
vulnerability is being actively exploited.
III. Solution
Until a complete solution is available from Microsoft, consider the
following workarounds.
Disable Active scripting and ActiveX controls
Disabling Active scripting and ActiveX controls in the Internet Zone
(or any zone used by an attacker) appears to prevent exploitation of
this vulnerability. Disabling Active scripting and ActiveX controls in
the Local Machine Zone will prevent widely used payload delivery
techniques from functioning. Instructions for disabling Active
scripting in the Internet Zone can be found in the Malicious Web
Scripts FAQ. See Microsoft Knowledge Base Article 833633 for
information about securing the Local Machine Zone. Also, Service Pack
2 for Windows XP (currently at RC1) includes these and other security
enhancements for IE.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages,
web forums, or internet relay chat (IRC) channels. While this is
generally good security practice, following this behavior will not
prevent exploitation of this vulnerability in all cases.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and
prevent some exploit attempts. Variations of exploits or attack
vectors may not be detected. Do not rely solely on anti-virus software
to defend against this vulnerability. More information about viruses
and anti-virus vendors is available on the US-CERT Computer Virus
Resources page.
Appendix B. References
* Vulnerability Note VU#713878-
<http://www.kb.cert.org/vuls/id/713878>
* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps>
* Computer Virus Resources -
<http://www.us-cert.gov/other_sources/viruses.html>
* CVE CAN-2004-0549 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549>
* Microsoft Knowledge Base Article 833633 -
<http://support.microsoft.com/default.aspx?scid=833633>
* Windows XP Service Pack 2 RC1 -
<http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wi
nxpsp2.mspx>
* Increase Your Browsing and E-Mail Safety -
<http://www.microsoft.com/security/incident/settings.mspx>
* Working with Internet Explorer 6 Security Settings -
<http://www.microsoft.com/windows/ie/using/howto/security/settings
.mspx>
_________________________________________________________________
Public incidents related to this vulnerability were reported by Rafel
Ivgi. Thanks to Jelmer for further research and analysis.
_________________________________________________________________
Feedback can be directed to the author: Art Manion.
Send mail to <mailto:cert@cert.org>.
Please include the Subject line "TA04-163A Feedback VU#713878".
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA04-163A.html>
_________________________________________________________________
Revision History
June 11, 2004: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFAyhdcXlvNRxAkFWARAt2eAKCRDeqWLNgG+xXJtd0PyRGeN+S69ACfcXoi
GDMew8rDUjleel9OLMqs9W4=
=ZAyn
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQM6AUih9+71yA2DNAQLR8wP/ZEF2xRCTr5A5r55+7HIkotCvtf+8ocBH
GKzu9+c3d55alo7FBuFkqYHxinrd9KfBsuQWcpNM6tjn4rP6+s6MvVbqVfIr/Ntz
S4J9NbWVElNzEPieSj4uMiy9qrwWtn/uGjjM5n2iJ1Mg4fLJmm2Fs5ERprWPW0qp
mW2nx1BRJSE=
=cSWW
-----END PGP SIGNATURE-----
|