Multiple Vulnerabilities in Microsoft Internet Explorer
From: JM Tella Llop [MVP Windows] (jmtella_at_XXXmvps.org)
Date: 11/06/04
Date: Sat, 6 Nov 2004 19:38:01 +0100
Multiple Vulnerabilities in Microsoft Internet Explorer
Original release date: October 19, 2004
Last revised: --
Source: US-CERT
Systems Affected
Microsoft Windows systems running
* Internet Explorer versions 5.01 and later; previous, unsupported
versions of Internet Explorer may also be affected
* Programs that use the WebBrowser ActiveX control (WebOC) or
MSHTML rendering engine
Overview
Microsoft Internet Explorer (IE) contains multiple vulnerabilities,
the most severe of which could allow a remote attacker to execute
arbitrary code with the privileges of the user running IE.
I. Description
Microsoft Security Bulletin MS04-038 describes a number of IE
vulnerabilities, including buffer overflows, cross-domain scripting,
spoofing, and "drag and drop." Further details are available in the
following vulnerability notes:
VU#291304 - Microsoft Internet Explorer contains a buffer overflow in
CSS parsing
A buffer overflow vulnerability exists in the way that IE processes
Cascading Style Sheets (CSS). This could allow an attacker to execute
arbitrary code or cause a denial of service.
(CAN-2004-0842)
VU#637760 - Microsoft Internet Explorer Install Engine contains a
buffer overflow vulnerability
The IE Active Setup Install Engine (inseng.dll), which is used to
decompress ActiveX controls stored in CAB files, contains a buffer
overflow vulnerability. This could allow an attacker to execute
arbitrary code.
(CAN-2004-0216)
VU#207264 - Microsoft Internet Explorer does not properly handle
function redirection (Similar Method Name Redirection Cross Domain
Vulnerability)
IE does not properly validate redirected functions. The impact is
similar to that of a cross-site scripting vulnerability, allowing an
attacker to access data and execute script in other domains, including
the Local Machine Zone.
(CAN-2004-0727)
VU#526089 - Microsoft Internet Explorer treats arbitrary files as
images for drag and drop operations (Drag and Drop Vulnerability)
IE treats arbitrary files as images during "drag and drop" mouse
operations. This could allow an attacker to trick a user into copying
a file to a location where it could be executed, such as the user's
Startup folder.
(CAN-2004-0839)
VU#413886 - Microsoft Internet Explorer allows mouse events to
manipulate window objects and perform "drag and drop" operations
(Script in Image Tag File Download Vulnerability, HijackClick 3)
IE dynamic HTML (DHTML) mouse events can manipulate windows to copy
objects from one domain to another, including the Local Machine Zone.
This could allow an attacker to write an arbitrary file to the local
file system in a location where it could be executed, such as the
user's Startup folder.
(CAN-2004-0841)
In addition, MS04-038 describes two address bar spoofing
vulnerabilities (VU#625616, VU#431576) that could allow an attacker to
deceive a user about the location of a web site; a vulnerability
involving cached HTTPS files (VU#795720) that could allow an attacker
to read from or inject data into an HTTPS web site; and a
vulnerability in which IE6 on Windows XP ignores the "Drag and drop
and copy and paste files" setting (VU#630720).
Any program that uses the WebBrowser ActiveX control (WebOC) or MSHTML
rendering engine could be affected by these vulnerabilities.
II. Impact
The impacts of these vulnerabilities vary, but an attacker may be able
to execute arbitrary code with the privileges of the user running IE.
An attacker could also exploit these vulnerabilities to perform social
engineering attacks such as spoofing or phishing attacks. In most
cases, an attacker would need to convince a user to view an HTML
document (web page, HTML email message) with IE or another program
that uses the WebBrowser ActiveX control or MSHTML rendering engine.
In some cases, an attacker could combine two or more vulnerabilities
to write an arbitrary file to the local file system in a sensitive
location, such as the user's Startup folder. US-CERT has monitored
reports of attacks against some of these vulnerabilities.
III. Solution
Apply a patch
Apply the appropriate patch as specified by Microsoft Security
Bulletin MS04-038.
Disable Active scripting and ActiveX controls
To protect from attacks against several of these vulnerabilities,
disable Active scripting and ActiveX controls in any zone used to
render untrusted HTML content (typically the Internet Zone and
Restricted Sites Zone). Instructions for disabling Active scripting in
the Internet Zone can be found in the Malicious Web Scripts FAQ.
Upgrade to Windows XP Service Pack 2
Service Pack 2 for Windows XP contains security improvements for IE
that reduce the impact of some of these vulnerabilities.
Appendix A. References
* Vulnerability Note VU#291304 -
<http://www.kb.cert.org/vuls/id/291304>
* Vulnerability Note VU#637760 -
<http://www.kb.cert.org/vuls/id/637760>
* Vulnerability Note VU#207264 -
<http://www.kb.cert.org/vuls/id/207264>
* Vulnerability Note VU#526089 -
<http://www.kb.cert.org/vuls/id/526089>
* Vulnerability Note VU#413886 -
<http://www.kb.cert.org/vuls/id/413886>
* Vulnerability Note VU#625616 -
<http://www.kb.cert.org/vuls/id/625616>
* Vulnerability Note VU#431576 -
<http://www.kb.cert.org/vuls/id/431576>
* Vulnerability Note VU#795720 -
<http://www.kb.cert.org/vuls/id/795720>
* Vulnerability Note VU#630720 -
<http://www.kb.cert.org/vuls/id/630720>
* Vulnerability Note VU#673134 -
<http://www.kb.cert.org/vuls/id/673134>
* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html>
* Microsoft Security Bulletin MS04-038 -
<http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx>
Information used in this document came from Microsoft Security
Bulletin MS04-038. Microsoft credits Greg Jones, Peter Winter-Smith,
Mitja Kolsek, and John Heasman for reporting several vulnerabilities.
Will Dormann reported the IE6 Windows XP drag and drop setting
vulnerability.
Feedback can be directed to the authors: Art Manion and Will Dormann.
Copyright 2004 Carnegie Mellon University.
Revision History
October 19, 2004: Initial release
Last updated October 20, 2004
--
Jose Manuel Tella Llop
MVP - Windows
jmtella@XXXcompuserve.com (remove XXX)
http://www.multingles.net/jmt.htm
This message is provided "as is" without warranties of any kind, and confers no rights.
This posting is provided "AS IS" with no warranties, and confers no rights. You assume all risk for your use.
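One way to check the "Disable Active scripting and ActiveX controls" workaround from section III on a Windows host, as an added example that is not part of the US-CERT advisory or the original post. The registry locations, zone numbers (3 and 4), action codes (1400 and 1200) and value meanings used here are assumptions that the advisory itself does not state.

```powershell
# Added example: report whether Active scripting and ActiveX are disabled
# in the zones the advisory names (Internet Zone, Restricted Sites Zone).
# Assumptions (not from the advisory): zone settings live under
# "Internet Settings\Zones\<n>"; zone 3 = Internet, 4 = Restricted Sites;
# action 1400 = Active scripting, 1200 = run ActiveX controls and plug-ins;
# DWORD data 0 = enabled, 1 = prompt, 3 = disabled.

$ZoneNames   = @{ 3 = 'Internet'; 4 = 'Restricted Sites' }
$ActionNames = @{ '1400' = 'Active scripting'
                  '1200' = 'Run ActiveX controls and plug-ins' }
$StateNames  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Machine policy, user policy, then the user's own preference key.
$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-IEZoneMitigationStatus {
    foreach ($root in $Roots) {
        foreach ($zone in $ZoneNames.Keys | Sort-Object) {
            $key = Join-Path $root $zone
            foreach ($action in $ActionNames.Keys | Sort-Object) {
                # A missing key or value yields $null rather than an error.
                $item = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
                if ($null -eq $item) {
                    $state = 'Not set'
                } else {
                    $v = [int]$item.$action
                    $state = if ($StateNames.ContainsKey($v)) { $StateNames[$v] } else { "Other ($v)" }
                }
                [pscustomobject]@{
                    Key      = $key
                    Zone     = $ZoneNames[$zone]
                    Setting  = $ActionNames[$action]
                    State    = $state
                    Disabled = ($state -eq 'Disabled')
                }
            }
        }
    }
}

# Show every location where the setting is defined; rows with Disabled = False need review.
Get-IEZoneMitigationStatus | Where-Object { $_.State -ne 'Not set' } |
    Format-Table Zone, Setting, State, Disabled, Key -AutoSize
```

A setting reported as "Not set" in all three locations falls back to the zone's default template, so treat that case as unverified rather than compliant.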