AL-2004.038 -- Internet Explorer IFRAME Buffer Overflow Vulnerability Allows Remote Compromise

Date: 03 November 2004
References: AU-2004.0015  ESB-2004.0720  


===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2004.038 -- AUSCERT ALERT
          Internet Explorer IFRAME Buffer Overflow Vulnerability
                         Allows Remote Compromise
                              3 November 2004

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:           Microsoft Internet Explorer
Operating System:  Windows
Impact:            Execute Arbitrary Code/Commands
Access:            Remote/Unauthenticated


PROBLEM:  

	A critical vulnerability in Microsoft Internet Explorer allows an 
	attacker to remotely compromise Windows systems.

	Internet Explorer is vulnerable to buffer overflows in the SRC and 
	NAME attributes of an IFRAME HTML element.

	AusCERT advises that a working proof of concept exploit has now been 
	made public that allows remote compromise of systems running 
	Windows XP service pack 1 and Windows 2000.
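
Added example, not part of the AusCERT alert: a defender-side triage check that parses captured HTML (for instance from a web proxy or mail gateway) and flags IFRAME elements whose SRC or NAME value is abnormally long. The 2048-character threshold, the function names and the sample page are assumptions made for this illustration.

```python
from html.parser import HTMLParser

# Assumed triage threshold, not a value from the alert: legitimate SRC and NAME
# values are rarely longer than a long URL, so anything above this gets reviewed.
MAX_ATTR_LEN = 2048

class IframeAttrScanner(HTMLParser):
    """Records IFRAME elements whose SRC or NAME value exceeds max_len."""

    def __init__(self, max_len=MAX_ATTR_LEN):
        super().__init__()
        self.max_len = max_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IFRAME SRC=...>
        # is matched too; <iframe ... /> also arrives here by default.
        if tag != "iframe":
            return
        line, _col = self.getpos()
        for name, value in attrs:
            if name in ("src", "name") and value and len(value) > self.max_len:
                self.findings.append({"line": line, "attr": name, "length": len(value)})

def scan_html(html, max_len=MAX_ATTR_LEN):
    """Return one finding per oversized SRC/NAME attribute on an IFRAME."""
    scanner = IframeAttrScanner(max_len)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: one ordinary IFRAME, one with inert filler in both
# attributes, and a long IMG SRC that is out of scope for this check.
SAMPLE_PAGE = (
    "<html><body>\n"
    '<iframe src="https://example.com/widget" name="ad"></iframe>\n'
    '<IFRAME SRC="' + "A" * 3000 + '" NAME="' + "B" * 5000 + '"></IFRAME>\n'
    '<img src="' + "C" * 4000 + '">\n'
    "</body></html>\n"
)
```

A finding is a reason to quarantine and inspect the page or message, not proof of an exploit attempt.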


VERSIONS: 

	AusCERT has verified the following:

	Internet Explorer 6 on Windows XP with service pack 1 is vulnerable.

	Internet Explorer 6 on Windows 2000 is vulnerable.

	Internet Explorer 6 on Windows XP with service pack 2 is confirmed not 
	vulnerable to the current proof of concept exploit. However, more
	sophisticated future exploits may allow exploitation of the 
	vulnerability on this platform.


IMPACT:   

	A vulnerable computer will be compromised if Internet Explorer is used 
	to view a specially crafted web page. This compromise may occur without
	any additional user interaction.
	
	Because Microsoft Outlook relies on Internet Explorer to render HTML it
	is possible that viewing a malicious email in Outlook may also trigger
	the vulnerability. This has not yet been confirmed.

	AusCERT has observed an increase in vulnerabilities such as this 
	being used to install malicious software designed for the purposes 
	of identity theft and financial fraud.


MITIGATION: 

	There are currently no patches available to fix this vulnerability.

	AusCERT advises users and sites running Internet Explorer to evaluate
	their exposure to these vulnerabilities and to apply the following
	mitigation to reduce the risk of exploitation:

	For Windows XP:

	  o Ensure that Service Pack 2 is installed.

	  o Disable Active Scripting and ActiveX in the "Internet" and 
	    "My Computer" zones, as detailed below.
	
	    Note that disabling scripting will stop the current proof of concept
	    exploit code, but the vulnerability may still be exploitable even if
	    all scripting has been disabled.

	  o Use a different web browser.

	For Windows 2000:

	  o Disable Active Scripting and ActiveX in the "Internet" and 
	    "My Computer" zones, as detailed below.

	    Note that disabling scripting will stop the current proof of concept
	    exploit code, but the vulnerability may still be exploitable even if
	    all scripting has been disabled.

	  o Use a different web browser.

	Further details regarding the vulnerability may be obtained from 
	Secunia's bulletin. [1]

	Instructions for disabling active content in Internet Explorer can be
	obtained from Microsoft's website. [2]

	The "My Computer" zone is usually not visible in the Internet Options 
	dialog. To enable it, refer to the instructions on Microsoft's 
	website. [3]

	AusCERT also cautions users against clicking on URLs in untrusted 
	email, especially spam. Additional useful information may also be 
	found in the AusCERT paper entitled "Protecting your computer from 
	malicious code". [4]

	AusCERT will continue to monitor this vulnerability and any changes in
	exploit activity. AusCERT members will be updated as information becomes
	available.


REFERENCES:

	[1] Internet Explorer IFRAME Buffer Overflow Vulnerability
	    http://secunia.com/advisories/12959/

	[2] How to Disable Active Content in Internet Explorer
	    http://support.microsoft.com/default.aspx?scid=kb;en-us;q154036

	[3] How to Enable the My Computer Security Zone in Internet Options
	    http://support.microsoft.com/?kbid=315933

	[4] Protecting your computer from malicious code
	    http://www.auscert.org.au/render.html?it=3352


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
