
ESB-2004.0720 -- US-CERT Technical Cyber Security Alert TA04-315A -- Buffer Overflow in Microsoft Internet Explorer

Date: 11 November 2004
References: AL-2004.038  AU-2004.0015  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

     ESB-2004.0720 -- US-CERT Technical Cyber Security Alert TA04-315A
              Buffer Overflow in Microsoft Internet Explorer
                             11 November 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Internet Explorer
Publisher:         US-CERT
Operating System:  Windows
Impact:            Execute Arbitrary Code/Commands
Access:            Remote/Unauthenticated

Ref:               AL-2004.038
                   AU-2004.0015

Original Bulletin: http://www.us-cert.gov/cas/techalerts/TA04-315A.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                  Technical Cyber Security Alert TA04-315A
  
              Buffer Overflow in Microsoft Internet Explorer

 
  Original release date: November 10, 2004
  Last revised: --
  Source: US-CERT


Systems Affected

   Microsoft Windows systems running

     * Internet Explorer versions 6.0 and later; previous versions of
       Internet Explorer may also be affected

     * Other programs that host the WebBrowser ActiveX control


Overview

   Microsoft Internet Explorer (IE) contains a buffer overflow
   vulnerability that could allow a remote attacker to execute
   arbitrary code with the privileges of the user running IE.


I. Description

   A buffer overflow vulnerability exists in the way IE handles the
   SRC and NAME attributes of various elements, including FRAME,
   IFRAME, and EMBED. Because IE fails to properly check the size of
   the NAME and SRC attributes, a specially crafted HTML document can
   cause a buffer overflow in heap memory. Due to the dynamic nature
   of the heap, it is usually difficult for attackers to execute
   arbitrary code using this type of vulnerability.

   However, if heap memory is prepared in a special manner, an
   attacker could execute arbitrary code more easily. Publicly
   observed exploits use scripting to prepare the heap, though this
   may be accomplished without scripting. Without the ability to
   prepare the heap, the impact is most likely limited to denial of
   service.

   This vulnerability is described in further detail in VU#842160.
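
   The description above names the elements (FRAME, IFRAME, EMBED) and
   attributes (SRC, NAME) involved, which is enough to triage HTML at a mail
   gateway or proxy. The following is an added example, not part of the
   US-CERT or AusCERT text; the length threshold and the function and class
   names are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

# Elements and attributes named in the advisory.
WATCHED_TAGS = {"frame", "iframe", "embed"}
WATCHED_ATTRS = {"src", "name"}
# Assumed triage threshold (not a figure from the advisory).
MAX_ATTR_LEN = 512


class FrameAttrScanner(HTMLParser):
    """Records overlong SRC/NAME values on FRAME, IFRAME and EMBED."""

    def __init__(self, max_len):
        super().__init__(convert_charrefs=True)
        self.max_len = max_len
        self.findings = []       # (line, tag, attribute, length)
        self.has_script = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "script":
            self.has_script = True
        if tag not in WATCHED_TAGS:
            return
        line, _ = self.getpos()
        for attr, value in attrs:
            if attr in WATCHED_ATTRS and value and len(value) > self.max_len:
                self.findings.append((line, tag, attr, len(value)))


def scan_html(document, max_len=MAX_ATTR_LEN):
    """Return a triage verdict for one HTML document (page or mail part)."""
    scanner = FrameAttrScanner(max_len)
    scanner.feed(document)
    scanner.close()
    if not scanner.findings:
        priority = "none"
    else:
        # Script plus an overlong attribute matches the heap-preparation
        # pattern the advisory describes, so rank it above a bare finding.
        priority = "high" if scanner.has_script else "review"
    return {"priority": priority, "findings": scanner.findings}


if __name__ == "__main__":
    # Constructed sample; threshold lowered so a short filler value trips it.
    sample = '<html>\n<iframe src="' + "x" * 40 + '" name="n"></iframe></html>'
    print(scan_html(sample, max_len=32))
```

   Because the advisory notes that the heap may be prepared without
   scripting, a "review" verdict still warrants inspection.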


II. Impact

   By convincing a user to view a specially crafted HTML document
   (e.g., a web page or an HTML email message), an attacker could
   execute arbitrary code with the privileges of the user. The
   attacker could also cause IE (or any program that hosts the
   WebBrowser ActiveX control) to crash.

   Reports indicate that this vulnerability is being exploited by
   malicious code propagated via email. When a user clicks on a URL in
   a malicious email message, IE opens and displays an HTML document
   that exploits the vulnerability. This malicious code may be
   referred to as MyDoom.{AG,AH,AI} or Bofra.


III. Solution

   Until a complete solution is available from Microsoft, consider the
   following workarounds:

Install Windows XP SP2

   Microsoft Windows XP SP2 does not appear to be affected by this
   vulnerability. If you are using Windows XP, please update to SP2.

Disable Active scripting

   To help protect against attacks that use scripting to prepare the
   heap, disable Active scripting in any zone used to render untrusted
   HTML content (typically the Internet Zone and Restricted Sites
   Zone).  Instructions for disabling Active scripting in the Internet
   Zone can be found in the Malicious Web Scripts FAQ.

Do not follow unsolicited links

   Do not click on unsolicited URLs received in email, instant
   messages, web forums, or Internet relay chat (IRC) channels. While
   this is generally good security practice, following this behavior
   will not prevent exploitation of this vulnerability in all
   cases. For example, a trusted web site could be compromised and
   modified to deliver exploit script to unsuspecting clients.

Read and send email in plain text format

   Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured
   to view email messages in text format. Consider the security of
   fellow Internet users and send email in plain text format when
   possible. Note that reading and sending email in plain text will
   not necessarily prevent exploitation of this vulnerability.

Maintain updated anti-virus software

   Anti-virus software with updated virus definitions may identify and
   prevent some exploit attempts. Variations of exploits or attack
   vectors may not be detected. Do not rely solely on anti-virus software
   to defend against this vulnerability. More information about viruses
   and anti-virus vendors is available on the US-CERT Computer Virus
   Resources page.


Appendix A. References

     * Vulnerability Note VU#842160 -
       <http://www.kb.cert.org/vuls/id/842160>

     * Windows XP SP2 -
       <http://www.us-cert.gov/cas/alerts/SA04-243A.html>

     * Malicious Web Scripts FAQ -
       <http://www.cert.org/tech_tips/malicious_code_FAQ.html>

     * US-CERT Computer Virus Resources Page -
       <http://www.us-cert.gov/other_sources/viruses.html>

     * About the Browser (Internet Explorer - WebBrowser) -
       <http://msdn.microsoft.com/workshop/browser/overview/Overview.asp>


     _________________________________________________________________


   Feedback can be directed to the authors: Will Dormann and Art Manion.

   Send mail to <cert@cert.org>.

   Please include the Subject line "TA04-315A Feedback VU#842160".

     _________________________________________________________________


   Copyright 2004 Carnegie Mellon University.

   Terms of use:  <http://www.us-cert.gov/legal.html>

     _________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA04-315A.html>

     _________________________________________________________________


   Revision History

   November 10, 2004: Initial release


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----