Date: 03 November 2004
References: AU-2004.0015 ESB-2004.0720
===========================================================================
A U S C E R T A L E R T
AL-2004.038 -- AUSCERT ALERT
Internet Explorer IFRAME Buffer Overflow Vulnerability
Allows Remote Compromise
3 November 2004
===========================================================================
AusCERT Alert Summary
---------------------
Product: Microsoft Internet Explorer
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated

PROBLEM:

A critical vulnerability in Microsoft Internet Explorer allows an
attacker to remotely compromise Windows systems.

Internet Explorer is vulnerable to buffer overflows in the SRC and
NAME attributes of an IFRAME HTML element.

AusCERT advises that a working proof of concept exploit has now been
made public that allows remote compromise of systems running
Windows XP service pack 1 and Windows 2000.

VERSIONS:

AusCERT has verified the following:

Internet Explorer 6 on Windows XP with service pack 1 is vulnerable.

Internet Explorer 6 on Windows 2000 is vulnerable.

Internet Explorer 6 on Windows XP with service pack 2 is confirmed not
vulnerable to the current proof of concept exploit. However, more
sophisticated future exploits may allow exploitation of the
vulnerability on this platform.

IMPACT:

A vulnerable computer will be compromised if Internet Explorer is used
to view a specially crafted web page. This compromise may occur without
any additional user interaction.

Because Microsoft Outlook relies on Internet Explorer to render HTML it
is possible that viewing a malicious email in Outlook may also trigger
the vulnerability. This has not yet been confirmed.

AusCERT has observed an increase in vulnerabilities such as this
being used to install malicious software designed for the purposes
of identity theft and financial fraud.

MITIGATION:

There are currently no patches available to fix this vulnerability.

AusCERT advises users and sites running Internet Explorer to evaluate
their exposure to these vulnerabilities and to apply the following
mitigation to reduce the risk of exploitation:

For Windows XP:

  o Ensure that Service Pack 2 is installed.

  o Disable Active Scripting and ActiveX in the "Internet" and
    "My Computer" domains, as detailed below.

    Note that disabling scripting will stop the current proof of concept
    exploit code, but the vulnerability may still be exploitable even if
    all scripting has been disabled.

  o Use a different web browser.

For Windows 2000:

  o Disable Active Scripting and ActiveX in the "Internet" and
    "My Computer" domains, as detailed below.

    Note that disabling scripting will stop the current proof of concept
    exploit code, but the vulnerability may still be exploitable even if
    all scripting has been disabled.

  o Use a different web browser.

Further details regarding the vulnerability may be obtained from
Secunia's bulletin. [1]

Instructions for disabling active content in Internet Explorer can be
obtained from Microsoft's website. [2]

The "My Computer" zone is usually not visible in the Internet Options
dialog. To enable it, refer to the instructions on Microsoft's
website. [3]
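
One way to check that the mitigation above is actually in place on a
machine, as an added example that is not part of the AusCERT alert.
The registry path, the zone numbers (0 = My Computer, 3 = Internet) and
the URL-action codes (1200 = Run ActiveX controls and plug-ins,
1400 = Active scripting) are the values Windows documents for Internet
Explorer security zones, not values stated in the alert. The function
name Get-IEZoneSetting is hypothetical, and only per-user (HKCU)
settings are read, on the assumption that no Group Policy overrides them.

```powershell
# Added example, not AusCERT code. Zone numbers and URL-action codes are the
# values Windows documents for Internet Explorer security zones.
$ZoneNames = @{ 0 = 'My Computer'; 3 = 'Internet' }
$Actions   = @{ '1200' = 'Run ActiveX controls and plug-ins'
                '1400' = 'Active scripting' }
$States    = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-IEZoneSetting {
    param(
        # Per-user zone settings; assumes no Group Policy override is in force.
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        # A missing zone key is reported as "Not set" rather than raising an error.
        $props = Get-ItemProperty -Path (Join-Path $Root "$zone") -ErrorAction SilentlyContinue
        foreach ($code in ($Actions.Keys | Sort-Object)) {
            $value = $null
            if ($props -and ($props.PSObject.Properties.Name -contains $code)) {
                $value = [int]$props.$code
            }
            if ($null -eq $value)                { $state = 'Not set' }
            elseif ($States.ContainsKey($value)) { $state = $States[$value] }
            else                                 { $state = "Unknown ($value)" }
            [pscustomobject]@{
                Zone      = $ZoneNames[$zone]
                Setting   = $Actions[$code]
                Action    = $code
                State     = $state
                Compliant = ($value -eq 3)   # only an explicit "Disabled" counts
            }
        }
    }
}

$report = Get-IEZoneSetting
$report | Format-Table -AutoSize

# Anything other than "Disabled" in either zone leaves the mitigation incomplete.
$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} zone setting(s) are not set to Disabled" -f $gaps.Count)
}
```

A "Not set" result means the per-user key holds no value for that
action, so the effective setting comes from elsewhere and should be
confirmed in the Internet Options dialog.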

AusCERT also cautions users against clicking on URLs in untrusted
email, especially spam. Additional useful information may also be
found in the AusCERT paper entitled "Protecting your computer from
malicious code". [4]

AusCERT will continue to monitor this vulnerability and any changes in
exploit activity. AusCERT members will be updated as information becomes
available.

REFERENCES:

[1] Internet Explorer IFRAME Buffer Overflow Vulnerability
    http://secunia.com/advisories/12959/

[2] How to Disable Active Content in Internet Explorer
    http://support.microsoft.com/default.aspx?scid=kb;en-us;q154036

[3] How to Enable the My Computer Security Zone in Internet Options
    http://support.microsoft.com/?kbid=315933

[4] Protecting your computer from malicious code
    http://www.auscert.org.au/render.html?it=3352

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

    http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================