[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 644/03 - Microsoft - AusCERT Advisory Exploit Code Publicly Available for Microsoft Internet Explorer Cross Domain Scripting Vulnerabilities

To: <uniras@xxxxxxxxxxxx>
Subject: UNIRAS Brief - 644/03 - Microsoft - AusCERT Advisory Exploit Code Publicly Available for Microsoft Internet Explorer Cross Domain Scripting Vulnerabilities
From: "UNIRAS \(UK Govt CERT\)" <uniras@xxxxxxxxxxxx>
Date: Wed, 26 Nov 2003 12:22:46 -0000
Cc: <interim@xxxxxxxxxxxxxxxxxx>
Delivered-to: mailing list interim@xxxxxxxxxxxxxxxxxx
Delivered-to: moderator for interim@xxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 26 Nov 2003 13:26:07 +0100
Envelope-to: UNIRAS@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Importance: Normal
List-help: <mailto:interim-help@lists.niscc.gov.uk>
List-post: <mailto:interim@lists.niscc.gov.uk>
List-subscribe: <mailto:interim-subscribe@lists.niscc.gov.uk>
List-unsubscribe: <mailto:interim-unsubscribe@lists.niscc.gov.uk>
Mailing-list: contact interim-help@xxxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: <uniras@xxxxxxxxxxxx>

 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 644/03 dated 26.11.03  Time: 12:18
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
AusCERT Update AU-2003.019 - Exploit Code Publicly Available for
Microsoft Internet Explorer Cross Domain Scripting Vulnerabilities.
26 November 2003


UNIRAS Comment
==============
UNIRAS has verified AusCERT's conclusions in their advisory reproduced
below with the caveat that the code runs in the "My Computer" zone of
Internet Explorer rather than "Local intranet" as stated. (It is
possible to display the "My Computer" zone and set its security to High
to prevent the problem, see http://support.microsoft.com/?kbid=315933,
but as this involves editing the registry it is not recommended.)

The recommendations given in the AusCERT advisory should be followed.
They are consistent with the security advice in NISCC Technical Note 05/03 
on web browser security, which recommends disabling active scripting and 
download of ActiveX controls for untrusted web sites (see 
http://www.uniras.gov.uk/l1/l2/l3/tech_reports/NTN0503_Web_Browsers.pdf). 
Untrusted web sites can be treated as subject to the security policy of 
the Internet Explorer Internet security zone, which should be set to High 
or customised as suggested in the Technical Note, while trusted sites 
should be explicitly added to the Trusted sites zone which should be 
subject to an appropriate security policy.

Detail
====== 


- -----BEGIN PGP SIGNED MESSAGE-----

AusCERT Update AU-2003.019 - Exploit Code Publicly Available for
Microsoft Internet Explorer Cross Domain Scripting Vulnerabilities.
26 November 2003

AusCERT advises that working proof of concept exploit code has now been
published for several versions of Microsoft Internet Explorer. The exploit
by-passes security controls of IE to execute code in the "Local Intranet"
zone instead of the "Internet" zone. Exploitation can result in the execution
of arbitrary code with the privileges of the current user if they view a
malicious web page or HTML email.

The following products are vulnerable, even after the application of the patch
described in Microsoft Security Bulletin MS03-048:

Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6

AusCERT advises users and sites running Internet Explorer, to evaluate
their exposure to these vulnerabilities and to apply the following mitigation
to reduce the risk of exploitation of these vulnerabilities:

  o Disable Active Scripting and ActiveX controls.

  o Disable the interpretation of mhtml documents by renaming the
    HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mhtml registry key.

Additional technical information on Security Zones may be obtained from
Microsoft's Developer Network:

http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp

Further technical details regarding this proof of concept and vulnerabilities
may be obtained from:

http://lists.netsys.com/pipermail/full-disclosure/2003-November/014141.html
http://www.secunia.com/advisories/10289/

More information on Microsoft Security Bulletin MS03-048 may be obtained from:

http://www.auscert.org.au/3597
http://www.microsoft.com/technet/security/bulletin/MS03-048.asp

AusCERT will continue to monitor these vulnerabilities and any changes in
exploit activity. AusCERT members will be updated as information becomes
available.

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of AusCERT for the information
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBP8SbFYpao72zK539AQERwgP8CkXE7sDcPRSs/9/AGI+gs5I+Dfb3LUhU
3fseV0g2XjIVBuDMeOrPWeoY8r996FRMqeHijEjWij7x+cRtREFqUY/oVE0l4ePz
vdlUoUGsOPH6uvOH1aLVZpsLajqeC3PK6hjgGAyRcldojgR8+VRYqtHleK8Qfrrb
uoluTR2HMCs=
=HIx2
-----END PGP SIGNATURE-----

Prev by Date: UNIRAS Brief - 643/03 - Hewlett Packard - ProCurve 5300 series and RPC worms
Next by Date: UNIRAS Brief - 645/03 - Microsoft security issue affecting Exchange Server 2003 and Outlook Web Access (OWA).
Previous by thread: UNIRAS Brief - 643/03 - Hewlett Packard - ProCurve 5300 series and RPC worms
Next by thread: UNIRAS Brief - 645/03 - Microsoft security issue affecting Exchange Server 2003 and Outlook Web Access (OWA).
Index(es):
- Date
- Thread