
UNIRAS Brief - 286/04 - Exploit Code Publicly Available for Microsoft Internet Explorer Cross



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 286/04 dated 11.06.04  Time: 12:10  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Exploit Code Publicly Available for Microsoft Internet Explorer Cross


Detail
====== 


The exploit by-passes security controls of IE to execute code in the "Local Machine" 
zone instead of the "Internet" zone. Exploitation can result in the execution of 
arbitrary code with the privileges of the current user if they view a malicious web 
page or HTML email.





- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                                      
                        AL-2004.16 -- AUSCERT ALERT
   Exploit Code Publicly Available for Microsoft Internet Explorer Cross
                     Domain Scripting Vulnerabilities.
                               11 June 2004

===========================================================================

Product:                Microsoft Internet Explorer 6 and prior
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

AusCERT advises that working proof of concept exploit code has now been published for all 
recent versions of Microsoft Internet Explorer. There are reports of activity using this 
exploit. AusCERT expects this exploit code to be utilised in the installation of trojan 
horse software which may capture sensitive account details.

The exploit by-passes security controls of IE to execute code in the "Local Machine" zone 
instead of the "Internet" zone. Exploitation can result in the execution of arbitrary code 
with the privileges of the current user if they view a malicious web page or HTML email. 
This exploit is similar to that detailed in AusCERT Update AU-2004.007.

All versions of Microsoft Internet Explorer are vulnerable and there are currently no 
patches available.

AusCERT advises users and sites running Internet Explorer to evaluate their exposure to 
these vulnerabilities and to apply the following mitigations to reduce the risk of 
exploitation:

  o Disable Active Scripting and ActiveX in the "Internet" and "Local 
    Machine" domains.

  o Apply the Outlook Email Security Update in order to open email messages
    in the Restricted Sites Zone.

  o Disable the ITS protocol handlers in the registry.

  o Use a different web browser.

There are five security zones used by IE and Outlook: Local Machine, Intranet, Trusted, 
Internet and Restricted.  You can modify the Active Scripting settings and other options 
in all zones (1 through 4) except Local Machine with the Internet Options Control Panel.

Active Scripting can be manually disabled in the Local Machine zone by modifying several 
registry entries:

[<KEY ROOT>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Change the value of "1004" (DWORD) to 3.
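
One way to check this setting on exported registry data, as an added example that is not 
part of the AusCERT or UNIRAS text: the Python below parses .reg export text and reports, 
for each key root, whether value "1004" under Zones\0 is 3. The sample export and the 
function names are constructed for illustration.

```python
import re
# Key path from the advisory, lower-cased; what precedes it is <KEY ROOT>.
ZONE0 = r"\software\microsoft\windows\currentversion\internet settings\zones\0"
DISABLED = 3  # value the advisory says to set
# Constructed sample in .reg export syntax (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000

[HKEY_USERS\S-1-5-21-CONSTRUCTED\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"CurrentLevel"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000001
'''

def parse_reg(text):
    """Map each [key] in a .reg export to its DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit_zone0(text, actions=("1004",)):
    """Return {(key_root, action): status} for every Zones\\0 key found."""
    findings = {}
    for key, values in parse_reg(text).items():
        if key.lower().endswith(ZONE0):  # other zones are ignored
            root = key[:-len(ZONE0)]
            for action in actions:
                value = values.get(action)
                status = ("not set" if value is None else
                          "disabled" if value == DISABLED else
                          f"not disabled (value {value})")
                findings[(root, action)] = status
    return findings

if __name__ == "__main__":
    print(audit_zone0(SAMPLE_REG))
```

A key root reported as "not set" has no explicit value for that entry, so it has not had 
the mitigation applied there.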

Additional technical information on Security Zones may be obtained from Microsoft's websites:

http://support.microsoft.com/?kbid=315933
http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp

Further technical details regarding this proof of concept and vulnerabilities 
may be obtained from:

http://www.kb.cert.org/vuls/id/713878
http://secunia.com/advisories/11793/
http://lists.netsys.com/pipermail/full-disclosure/2004-June/022331.html
http://62.131.86.111/analysis.htm

AusCERT will continue to monitor these vulnerabilities and any changes in exploit activity. 
AusCERT members will be updated as information becomes available.

- - ---------------------------------------------------------------------------


- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of AusCERT for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

-----END PGP SIGNATURE-----