Date: 20 October 2004
References: ESB-2004.0650
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2004.0660 -- US-CERT Technical Cyber Security Alert TA04-293A
Multiple Vulnerabilities in Microsoft Internet Explorer
20 October 2004
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------

Product:              Microsoft Internet Explorer
Publisher:            US-CERT
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
                      Access Privileged Data
                      Create Arbitrary Files
                      Increased Privileges
                      Provide Misleading Information
Access:               Remote/Unauthenticated
CVE Names:            CAN-2004-0842 CAN-2004-0841 CAN-2004-0839
                      CAN-2004-0727 CAN-2004-0216

Ref:                  ESB-2004.0650

Original Bulletin URL: http://www.us-cert.gov/cas/techalerts/TA04-293A.html

Comment: Please note that in default installs of Windows XP Home and
         Professional Edition, as well as Windows 2000, users usually belong
         to the Administrators group. In such cases, an impact of 'Execute
         Arbitrary Code/Commands' is essentially an Administrator Compromise.

- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA04-293A

Multiple Vulnerabilities in Microsoft Internet Explorer

   Original release date: October 19, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

   Microsoft Windows systems running

     * Internet Explorer versions 5.01 and later; previous,
       unsupported versions of Internet Explorer may also be affected
     * Programs that use the WebBrowser ActiveX control (WebOC) or
       MSHTML rendering engine

Overview

   Microsoft Internet Explorer (IE) contains multiple vulnerabilities,
   the most severe of which could allow a remote attacker to execute
   arbitrary code with the privileges of the user running IE.

I. Description

   Microsoft Security Bulletin MS04-038 describes a number of IE
   vulnerabilities, including buffer overflows, cross-domain
   scripting, spoofing, and "drag and drop." Further details are
   available in the following vulnerability notes:

     * VU#291304 - Microsoft Internet Explorer contains a buffer overflow
       in CSS parsing

       A buffer overflow vulnerability exists in the way that IE
       processes Cascading Style Sheets (CSS). This could allow an
       attacker to execute arbitrary code or cause a denial of service.
       (CAN-2004-0842)

     * VU#637760 - Microsoft Internet Explorer Install Engine contains a
       buffer overflow vulnerability

       The IE Active Setup Install Engine (inseng.dll), which is used to
       decompress ActiveX controls stored in CAB files, contains a buffer
       overflow vulnerability. This could allow an attacker to execute
       arbitrary code. (CAN-2004-0216)

     * VU#207264 - Microsoft Internet Explorer does not properly handle
       function redirection (Similar Method Name Redirection Cross Domain
       Vulnerability)

       IE does not properly validate redirected functions. The impact is
       similar to that of a cross-site scripting vulnerability, allowing
       an attacker to access data and execute script in other domains,
       including the Local Machine Zone. (CAN-2004-0727)

     * VU#526089 - Microsoft Internet Explorer treats arbitrary files as
       images for drag and drop operations (Drag and Drop Vulnerability)

       IE treats arbitrary files as images during "drag and drop" mouse
       operations. This could allow an attacker to trick a user into
       copying a file to a location where it could be executed, such as
       the user's Startup folder. (CAN-2004-0839)

     * VU#413886 - Microsoft Internet Explorer allows mouse events to
       manipulate window objects and perform "drag and drop" operations
       (Script in Image Tag File Download Vulnerability, HijackClick 3)

       IE dynamic HTML (DHTML) mouse events can manipulate windows to
       copy objects from one domain to another, including the Local
       Machine Zone. This could allow an attacker to write an arbitrary
       file to the local file system in a location where it could be
       executed, such as the user's Startup folder. (CAN-2004-0841)

   In addition, MS04-038 describes two address bar spoofing
   vulnerabilities (VU#625616, VU#431576) that could allow an attacker
   to deceive a user about the location of a web site; a vulnerability
   involving cached HTTPS files (VU#795720) that could allow an
   attacker to read from or inject data into an HTTPS web site; and a
   vulnerability in which IE6 on Windows XP ignores the "Drag and drop
   and copy and paste files" setting (VU#630720).

   Any program that uses the WebBrowser ActiveX control (WebOC) or
   MSHTML rendering engine could be affected by these vulnerabilities.

II. Impact

   The impacts of these vulnerabilities vary, but an attacker may be
   able to execute arbitrary code with the privileges of the user
   running IE. An attacker could also exploit these vulnerabilities
   to perform social engineering attacks such as spoofing or phishing
   attacks. In most cases, an attacker would need to convince a user
   to view an HTML document (web page, HTML email message) with IE or
   another program that uses the WebBrowser ActiveX control or MSHTML
   rendering engine.

   In some cases, an attacker could combine two or more
   vulnerabilities to write an arbitrary file to the local file system
   in a sensitive location, such as the user's Startup folder. US-CERT
   has monitored reports of attacks against some of these
   vulnerabilities.

III. Solution

Apply a patch

   Apply the appropriate patch as specified by Microsoft Security
   Bulletin MS04-038.

Disable Active scripting and ActiveX controls

   To protect from attacks against several of these vulnerabilities,
   disable Active scripting and ActiveX controls in any zone used to
   render untrusted HTML content (typically the Internet Zone and
   Restricted Sites Zone). Instructions for disabling Active scripting in
   the Internet Zone can be found in the Malicious Web Scripts FAQ.
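
   Added example (not part of the US-CERT or AusCERT text): a read-only
   PowerShell check of whether the workaround above is in place for the
   Internet and Restricted Sites zones. The registry paths, zone numbers
   and action IDs are the standard Windows Internet Settings values and
   are assumptions in the sense that the bulletin does not list them.

```powershell
# Added example: read-only audit of the two zone actions named in the workaround.
# Zone numbers (3, 4) and action IDs (1400, 1200) are the standard Windows
# "Internet Settings" values; they are not quoted from the bulletin.
$zones   = @{ 3 = 'Internet'; 4 = 'Restricted Sites' }
$actions = @{ '1400' = 'Active scripting'
              '1200' = 'Run ActiveX controls and plug-ins' }
$states  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 2 = 'Administrator approved'; 3 = 'Disabled' }

# Per-user settings plus the user and machine policy locations. Each location is
# reported separately; which one is effective depends on local policy configuration.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots  = @(
    "HKCU:\Software\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKLM:\Software\Policies\$suffix"
)

$report = @(foreach ($root in $roots) {
    foreach ($zone in $zones.Keys) {
        $path = Join-Path $root $zone
        if (-not (Test-Path $path)) { continue }        # zone not defined here
        $props = Get-ItemProperty -Path $path
        foreach ($id in $actions.Keys) {
            $value = $props.$id
            if ($null -eq $value) { continue }          # action not set at this location
            $state = $states[[int]$value]
            if ($null -eq $state) { $state = "Other ($value)" }
            [pscustomobject]@{
                Location        = $root
                Zone            = $zones[$zone]
                Setting         = $actions[$id]
                State           = $state
                MeetsWorkaround = ($value -eq 3)        # 3 = Disabled
            }
        }
    }
})

# Full table first, then one warning per setting that is not disabled.
$report | Sort-Object Zone, Setting | Format-Table -AutoSize
$report | Where-Object { -not $_.MeetsWorkaround } | ForEach-Object {
    Write-Warning "$($_.Zone): $($_.Setting) is $($_.State) at $($_.Location)"
}
```
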

Upgrade to Windows XP Service Pack 2

   Service Pack 2 for Windows XP contains security improvements for IE
   that reduce the impact of some of these vulnerabilities.

Appendix A. References
* Vulnerability Note VU#291304 -
<http://www.kb.cert.org/vuls/id/291304>
* Vulnerability Note VU#637760 -
<http://www.kb.cert.org/vuls/id/637760>
* Vulnerability Note VU#207264 -
<http://www.kb.cert.org/vuls/id/207264>
* Vulnerability Note VU#526089 -
<http://www.kb.cert.org/vuls/id/526089>
* Vulnerability Note VU#413886 -
<http://www.kb.cert.org/vuls/id/413886>
* Vulnerability Note VU#625616 -
<http://www.kb.cert.org/vuls/id/625616>
* Vulnerability Note VU#431576 -
<http://www.kb.cert.org/vuls/id/431576>
* Vulnerability Note VU#795720 -
<http://www.kb.cert.org/vuls/id/795720>
* Vulnerability Note VU#630720 -
<http://www.kb.cert.org/vuls/id/630720>
* Vulnerability Note VU#673134 -
<http://www.kb.cert.org/vuls/id/673134>
* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html>
* Microsoft Security Bulletin MS04-038 -
<http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx>
_________________________________________________________________
Information used in this document came from Microsoft Security
Bulletin MS04-038. Microsoft credits Greg Jones, Peter Winter-Smith,
Mitja Kolsek, and John Heasman for reporting several vulnerabilities.
Will Dormann reported the IE6 Windows XP drag and drop setting
vulnerability.
_________________________________________________________________
Feedback can be directed to the authors: Art Manion and Will Dormann.
_________________________________________________________________
This document is available from:
<http://www.us-cert.gov/cas/techalerts/TA04-293A.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
October 19, 2004: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----