Date: 20 December 2004
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2004.043 -- AUSCERT ALERT
Microsoft Internet Explorer DHTML Edit Control Cross-site
Scripting Vulnerability
20 December 2004
===========================================================================
AusCERT Alert Summary
---------------------
Product: Microsoft Internet Explorer
Operating System: Windows
Impact: Provide Misleading Information
Access Privileged Data
Access: Remote/Unauthenticated
- --------------------------BEGIN INCLUDED TEXT--------------------
PROBLEM:
A vulnerability in Internet Explorer allows an attacker to open a
window to a trusted web site, and then execute arbitrary scripted
content in the security context of the trusted site.
The vulnerability is located in Internet Explorer's DHTML Edit ActiveX
control, which is enabled by default.
Secunia has constructed a demonstration of this vulnerability. [1]
PRODUCTS:
Microsoft Internet Explorer 6.0 on Windows XP and XP Service Pack 2 are
confirmed vulnerable.
Internet Explorer 5 and other Windows versions are also suspected to be
vulnerable, but this has not yet been confirmed.
IMPACT:
When a trusted web site is opened from a malicious web page, an attacker
can execute arbitrary scripts in the context of the trusted site.
This vulnerability can be used for example to replace the trusted web
page contents with content of the attackers' choice, while still
displaying the SSL golden padlock, original domain name and valid
authentication credentials.
This may convince a user to provide a password or other sensitive
information to the attacker, instead of to the trusted site.
AusCERT advises that proof of concept code has been published for this
vulnerability. It is anticipated that the vulnerability may be used in
conjunction with fake emails appearing to come from financial
institutions in order to facilitate financial fraud.
MITIGATION:
No updates are currently available to address this vulnerability.
AusCERT advises users and sites running Internet Explorer to evaluate
their exposure to these vulnerabilities and to apply the following
mitigation to reduce the risk of exploitation:
o Disable ActiveX controls in the "Internet" and "My Computer" domains,
as detailed below.
o Before visiting a trusted web site, first shut down the web browser
by closing all browser windows.
o It is advisable not to click on any links provided in email messages.
If a user wishes to follow a link in an email it is best to type the
address into the web browser by hand.
o Network administrators can consider blocking ActiveX controls at the
gateway using an application level firewall or proxy.
Instructions for disabling active content in Internet Explorer can be
obtained from Microsoft's website. [2]
The "My Computer" zone is usually not visible in the Internet Options
dialog. To enable it, refer to the instructions on Microsoft's
website. [3]
REFERENCES:
[1] Secunia proof of concept demonstration
http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/
[2] How to Disable Active Content in Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;en-us;q154036
[3] How to Enable the My Computer Security Zone in Internet Options
http://support.microsoft.com/?kbid=315933
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQcZ8aih9+71yA2DNAQLIggP+OHYtfVgXCs+NskDStnaUeLWQI0RxP7Kv
R2xmPUWF4Ooq69WaODtRlETs5j56frVqr74WhHwisw1SYwlVmyTPyzxEalKpzh9x
U7IFBUJucmr4ICbKJvngLnVb0RjSdAfLlvKUbCzKmDz2WzvnGcEbrC/cjEFhTU0b
88xgBMIbJ28=
=RN2g
-----END PGP SIGNATURE-----
|