Date: 30 June 2006
References: ESB-2006.0563
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2006.0054 -- AUSCERT ALERT
[Win]
Microsoft Internet Explorer fails to properly handle CLSID extensions
30 June 2006
===========================================================================
AusCERT Alert Summary
---------------------
Product: Microsoft Internet Explorer
Publisher: US-CERT
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2006-3281
Original Bulletin: http://www.kb.cert.org/vuls/id/655100
Comment: No security update is yet available for IE to address this issue.
Users should avoid clicking on links within untrusted web site
content, especially public bulletin board discussion postings,
and also any links within emails unless the email was already
expected.
Blocking outbound access to the ports listed below offers
protection against the current proof of concept code, but
may not prevent other attack vectors.
- --------------------------BEGIN INCLUDED TEXT--------------------
US-CERT Vulnerability Note VU#655100
Microsoft Internet Explorer fails to properly handle CLSID extensions
Overview
Microsoft Internet Explorer fails to properly handle directories with
CLSID extensions. This may allow an attacker to bypass the warning dialog
that Internet Explorer should display before executing downloaded code.
I. Description
CLSID
According to Microsoft MSDN, a CLSID is a "globally unique identifier
(GUID) associated with an OLE class object."
CLSID extensions
Prior to the update in Microsoft Security Bulletin MS04-024, a file
could use a CLSID as a file extension and Windows Explorer would obey
the CLSID when determining how to open the file. This can mislead the
user into opening a dangerous file. After installing the update for
MS04-024, Windows Explorer no longer obeys a CLSID as a file extension.
The problem
The MS04-024 update does not completely address the vulnerability.
Directories can have a CLSID extension. Even with the MS04-024 update
installed, Windows Explorer will treat a directory with a CLSID
extension as a file of the type specified by the CLSID. Within the
context of Windows Explorer, this can mislead the user with respect
to what is on the local filesystem. However, within the context of
Internet Explorer, this technique can be used to bypass the warning
dialog that Internet Explorer should display before executing downloaded
code. Publicly available proof-of-concept code uses an SMB share and
requires the user to double-click within the browser window.
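
One way to look for the directories described above on a local disk or a mounted share. This is an added example, not part of the original vulnerability note; it assumes the CLSID extension takes the registry string form `name.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}`, and the function names and the sample tree (with made-up CLSIDs) are constructed for illustration.

```python
import os
import re
import tempfile

# CLSID in registry string form: {8-4-4-4-12 hex digits}, used as a name extension.
CLSID_EXT = re.compile(
    r"\.(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\Z"
)

def clsid_extension(name):
    """Return the CLSID (braces included) if name ends in '.{CLSID}', else None."""
    m = CLSID_EXT.search(name)
    return m.group(1) if m else None

def find_clsid_directories(root):
    """Return sorted (relative path, CLSID) pairs for directories under root."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        # Directories only: the note says MS04-024 already covers files.
        for d in dirnames:
            clsid = clsid_extension(d)
            if clsid:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                hits.append((rel, clsid.upper()))
    return sorted(hits)

def demo():
    """Build a constructed sample tree and scan it."""
    fake = "{11111111-2222-3333-4444-555555555555}"  # made-up CLSID
    with tempfile.TemporaryDirectory() as root:
        for rel in ("plain", "reports." + fake, "braces.{not-a-clsid}",
                    os.path.join("share", "docs.{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}")):
            os.makedirs(os.path.join(root, rel))
        # A file with the same kind of name is ignored by the directory scan.
        open(os.path.join(root, "notes." + fake), "w").close()
        return find_clsid_directories(root)

if __name__ == "__main__":
    for path, clsid in demo():
        print(f"{path}\t{clsid}")
```
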
II. Impact
By convincing a user to access a specially crafted web page with
Internet Explorer, an attacker may be able to execute arbitrary code
with the privileges of the user.
III. Solution
We are currently unaware of a practical solution to this problem.
Do not follow unsolicited links
In order to convince users to visit their sites, attackers often use
URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do not
click on unsolicited links received in email, instant messages, web
forums, or internet relay chat (IRC) channels. Type URLs directly
into the browser to avoid these misleading links. While these are
generally good security practices, following these behaviors will not
prevent exploitation of this vulnerability in all cases, particularly
if a trusted site has been compromised or allows cross-site scripting.
Block or restrict access
Block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and
445/udp at your network perimeter. Doing so will prevent machines on
the local network from connecting to SMB servers on the internet.
While this does not remove the vulnerability, it does block a commonly
known attack vector.
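
A way to check from perimeter logs whether the block above is in effect. This is an added example, not part of the original vulnerability note; the log line format, the RFC 1918 definition of "local network" and the sample entries are assumptions constructed for illustration.

```python
import ipaddress
import re

SMB_PORTS = {139, 445}  # the ports the note says to block outbound
# Assumption: the local network uses the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed (constructed) format: "<time> <ALLOW|DENY> <TCP|UDP> src:port -> dst:port"
LINE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def outbound_smb(lines):
    """Return parsed flows from internal hosts to SMB ports on external hosts."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        flow = m.groupdict()
        try:
            outbound = is_internal(flow["src"]) and not is_internal(flow["dst"])
        except ValueError:
            continue  # malformed address
        if outbound and int(flow["dport"]) in SMB_PORTS:
            hits.append(flow)
    return hits

def unblocked(lines):
    """Flows the perimeter let through, as (src, dst, 'proto/port')."""
    return [(f["src"], f["dst"], f"{f['proto'].lower()}/{f['dport']}")
            for f in outbound_smb(lines) if f["action"] == "ALLOW"]

# Constructed sample log; external addresses come from documentation ranges.
SAMPLE_LOG = [
    "2006-06-30T09:00:01 DENY TCP 10.0.5.21:1045 -> 203.0.113.7:445",
    "2006-06-30T09:00:04 ALLOW TCP 10.0.5.22:1046 -> 198.51.100.9:139",
    "2006-06-30T09:00:09 ALLOW TCP 10.0.5.22:1050 -> 10.0.9.3:445",
    "2006-06-30T09:00:12 ALLOW UDP 192.168.1.8:1061 -> 192.0.2.44:139",
    "2006-06-30T09:00:15 ALLOW TCP 10.0.5.23:1070 -> 203.0.113.7:80",
]

if __name__ == "__main__":
    for src, dst, svc in unblocked(SAMPLE_LOG):
        print(f"egress filter gap: {src} -> {dst} {svc}")
```

Any ALLOW result means the perimeter rule is missing for that protocol and port; DENY entries returned by `outbound_smb` identify internal hosts that attempted the connection and may warrant a closer look.
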
Systems Affected
Vendor                   Status        Date Updated
Microsoft Corporation    Vulnerable    29-Jun-2006
References
http://www.kb.cert.org/vuls/id/106324
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj
http://secunia.com/advisories/20825/
http://isc.sans.org/diary.php?storyid=1448&rss
http://windowssdk.msdn.microsoft.com/en-us/library/ms691424.aspx
http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx
Credit
This vulnerability was publicly disclosed by Plebo Aesdi Nael.
This document was written by Will Dormann.
Other Information
Date Public             06/27/2006
Date First Published    06/29/2006 06:03:11 PM
Date Last Updated       06/29/2006
CERT Advisory
CVE Name                CVE-2006-3281
Metric                  10.80
Document Revision       9
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRKRrIih9+71yA2DNAQIWYgP+MlEBFC3i9uTltKqpjswHIlbWXPAau+Eu
8V08B+g/1ijdc2BCWCbKWIkP0K+M0p14IJ3biw2rBg6JVuj87e54HF2h17mimiKb
ee9KN2JpA++O8SPcl72apqCMOOIGhHGtPsFlFRfqRZYsqTfnkF6tFyl2iZhQ7ke+
cI1kr9w0QOU=
=wADP
-----END PGP SIGNATURE-----