Date: 04 January 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2005.001 -- AUSCERT ALERT
Three vulnerabilities in Microsoft Windows and Internet Explorer
4 January 2005
===========================================================================
AusCERT Alert Summary
---------------------
Product:           Microsoft Internet Explorer
                   Microsoft Outlook
                   Microsoft Outlook Express
                   Microsoft Windows
Operating System:  Windows
Impact:            Execute Arbitrary Code/Commands
                   Denial of Service
Access:            Remote/Unauthenticated
CVE Names:         CAN-2004-1305 CAN-2004-1306

SUMMARY:

    This alert describes three vulnerabilities in Microsoft Internet
    Explorer and other Windows components that may allow the remote
    execution of arbitrary code and denial of service.

PROBLEMS:

    1. A heap buffer overflow in the LoadImage code that handles .bmp, .ico,
       .ani and .cur files in Microsoft Internet Explorer, Outlook and
       Outlook Express allows an attacker to remotely compromise Windows
       systems.

       A vulnerable computer may be compromised if Internet Explorer is
       used to view a malicious web page, or if Outlook is used to view or
       preview a malicious email. This compromise can occur without any
       additional user interaction.

       Windows XP with Service Pack 2 installed is not vulnerable.
       All other Windows versions are vulnerable.

    2. winhlp32.exe, the component of Windows that displays .hlp help files,
       contains a buffer overflow vulnerability allowing an attacker to
       execute arbitrary code if a malicious .hlp file is opened.

       All known Windows versions are vulnerable.

    3. The Windows kernel incorrectly parses .ani files, allowing an
       attacker to cause a denial of service by referencing a malformed
       .ani file in a web page or email.

       A vulnerable computer can be crashed, causing a denial of service, if
       Internet Explorer or Outlook is used to view a malicious web page
       or email. This can occur without any additional user interaction.

       Windows XP with Service Pack 2 installed is not vulnerable.
       All other Windows versions are vulnerable.

    AusCERT advises that working proof of concept exploits for these
    vulnerabilities have been made public that allow remote compromise of
    systems running Windows.

MITIGATION:

    There are currently no patches available to fix these vulnerabilities.

    AusCERT advises users and sites running Windows to evaluate their
    exposure to the vulnerabilities and to apply the following mitigation
    to reduce the risk of exploitation:

    For Windows XP:

      o Ensure that Service Pack 2 is installed.

      o Disable Active Scripting and ActiveX in the "Internet" and
        "My Computer" zones, as detailed below.

        Note that disabling scripting will stop the current proof of concept
        exploit code, but the LoadImage vulnerability may still be exploitable
        even if all scripting has been disabled.

      o Use a different web browser.

    For Windows 2000:

      o Disable Active Scripting and ActiveX in the "Internet" and
        "My Computer" zones, as detailed below.

        Note that disabling scripting will stop the current proof of concept
        exploit code, but the LoadImage vulnerability may still be exploitable
        even if all scripting has been disabled.

      o Use a different web browser.

    Instructions for disabling active content in Internet Explorer can be
    obtained from Microsoft's website. [1]

    The "My Computer" zone is usually not visible in the Internet Options
    dialog. To enable it, refer to the instructions on Microsoft's
    website. [2]
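
    As an added example (not part of the AusCERT alert), the following
    Python script audits the text of a "reg export" of the Internet Explorer
    zone settings and reports every Active Scripting or ActiveX action that
    is not disabled in the "My Computer" and "Internet" zones. The zone
    numbers (0 and 3), the action IDs 1200, 1400 and 1405, the value meanings,
    the HKEY_CURRENT_USER key path and the sample export are assumptions taken
    from Microsoft's general zone documentation, not from this alert.

```python
import re
# IE URL-action value names under ...\Internet Settings\Zones\<n> (assumed from
# Microsoft's zone documentation, not from the alert): 0=enable 1=prompt 3=disable
ACTIONS = {"1200": "Run ActiveX controls and plug-ins",
           "1400": "Active scripting",
           "1405": "Script ActiveX controls marked safe for scripting"}
ZONES = {"0": "My Computer", "3": "Internet"}  # the two zones named in the alert
STATES = {0: "enabled", 1: "prompt", 3: "disabled"}
KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_zones(reg_text):
    """Return {zone_id: {action_id: value}} from the text of a .reg export."""
    zones, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):          # new key: track it only if it is a zone
            m = KEY_RE.match(line)
            current = zones.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            m = VAL_RE.match(line)
            if m:
                current[m.group(1).upper()] = int(m.group(2), 16)
    return zones

def audit(reg_text):
    """List (zone, action, state) for every audited setting that is not disabled."""
    zones, findings = parse_zones(reg_text), []
    for zid, zname in ZONES.items():
        for aid, aname in ACTIONS.items():
            value = zones.get(zid, {}).get(aid)
            if value != 3:                # absent values are reported, not assumed safe
                state = "not set" if value is None else STATES.get(value, hex(value))
                findings.append((zname, aname, state))
    return findings

# Constructed sample export: Internet zone mostly hardened, My Computer left open.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000003
"1400"=dword:00000003
"1405"=dword:00000001
"""
if __name__ == "__main__":
    for zone, action, state in audit(SAMPLE):
        print(f"{zone}: {action} is {state}")
```

    Exports written by regedit in the "Version 5.00" format are UTF-16, so
    decode the file before passing its text to audit().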

    It is advisable not to click on any links provided in email messages.
    If a user wishes to follow a link in an email it is best to type the
    address into the web browser by hand.

    Additional useful information may also be found in the AusCERT paper
    entitled "Protecting your computer from malicious code". [3]

    AusCERT will continue to monitor this vulnerability and any changes in
    exploit activity. AusCERT members will be updated as information becomes
    available.

REFERENCES:

    [1] How to Disable Active Content in Internet Explorer
        http://support.microsoft.com/?kbid=154036

    [2] How to Enable the My Computer Security Zone in Internet Options
        http://support.microsoft.com/?kbid=315933

    [3] Protecting your computer from malicious code
        http://www.auscert.org.au/3352

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQdoq1ih9+71yA2DNAQKCmQP/eCOWetjLRnpQk8tiZIEe8KHzS43ZDWsh
k8XYbi11ZJqkHtHohXNvjAw08oi1sP83xOPyBAVvhpKG3oZmronmQTvIp345B57U
u7nmynXY17PN+NBRZuu4qEjY6pR0t1cJU38G51GwyFuoR0lB3CSspjP4XggX6mla
w/NU/RR72AU=
=Ih7m
-----END PGP SIGNATURE-----