
UNIRAS ALERT - 27/04 - Microsoft - Vulnerabilities in Microsoft Internet Explorer



 

----------------------------------------------------------------------------------
      UNIRAS (UK Govt CERT) ALERT - 28/04 dated 29.06.04  Time: 15:24
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====
Vulnerabilities in Microsoft Internet Explorer


Detail
====== 
Departmental and organisational security officers should be aware of the
existence and active exploitation of currently unpatched vulnerabilities in
Microsoft Internet Explorer. Although these issues were referred to indirectly in
UNIRAS Briefing 308/04 and discussed in US-CERT Technical Cyber Security Alert
TA04-163A (see UNIRAS Briefing 288/04), the potential impact of the vulnerabilities
needs to be stressed: an attacker could execute code remotely, in the context of the
user, on the computer of a web user who has visited a web site with malicious
content (which may be a legitimate web site that has been compromised) or who has
downloaded and viewed an HTML email. A current exploit is called Scob or
Download.Ject (see the base of this email for URLs).
 
The essence of the exploit is that malicious JavaScript is injected into an embedded
frame (IFRAME) which, after a timeout, is redirected by the web server to an error
page held on the web user's own computer. Because that error page is in the
My Computer zone, the malicious code runs in that zone's context, which gives it
access to the resources of the local computer, including the ADODB.Stream,
Shell.Application and XMLHTTP ActiveX objects, which it uses to download and execute
files. The exploit relies on two unpatched vulnerabilities, Bugtraq IDs 10472 and
10473; see:
 
http://www.securityfocus.com/bid/10472
http://www.securityfocus.com/bid/10473
 
The following mitigation steps are recommended:
 
- Set the kill bit on ActiveX objects that you do not need in Internet Explorer,
  including ADODB.Stream, Shell.Application and XMLHTTP; see
  http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q240797&ID=KB;EN-US;Q240797
  for details
- Disable the use of unsigned ActiveX controls and active scripting in the Internet
  Explorer Internet zone; see the guidance in NISCC Technical Note 05/03
- Consider using another web browser
- Apply patches to web browsers and email clients when they become available
- Use a desktop anti-virus product and keep its signatures up to date
- Use anti-spam measures at the organisational boundary; see NISCC Technical
  Note 02/04
- Block high-risk file types via email content filters or email servers; see NISCC
  Technical Note 03/04
- Implement a whitelist on email servers and web proxy servers to exclude HTML tags
  including IFRAME and OBJECT
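The first mitigation above (the ActiveX kill bit of KB240797) as an added, worked example; this is not part of the UNIRAS alert. It assumes an elevated PowerShell prompt, resolves each control's CLSID from its ProgID via HKEY_CLASSES_ROOT rather than hard-coding GUIDs, and treats the ProgID list (the alert names the objects only as ADODB Stream, Shell Application and XMLHTTP) as an assumption to be adjusted per estate.

```powershell
# Added example (not from the alert): audit and set the Internet Explorer ActiveX
# kill bit for the controls the alert names. The kill bit is bit 0x400 of the
# "Compatibility Flags" DWORD under the ActiveX Compatibility key (KB240797).
$KillBit   = 0x00000400
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
# Assumed ProgIDs for the objects named in the alert; extend for your environment.
$ProgIds = @('ADODB.Stream', 'Shell.Application', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP')

function Get-ClsidFromProgId {
    # Look up the CLSID recorded for a ProgID so no GUIDs need to be hard-coded.
    param([Parameter(Mandatory)][string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).'(default)'
}

function Test-KillBit {
    # Audit only: is the kill bit already set for this CLSID?
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (([int]$flags -band $KillBit) -ne 0)
}

function Set-KillBit {
    # Set the kill bit, preserving any other compatibility flags already present.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags kill bit (0x400)')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$existing -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $new -Force | Out-Null
    }
}

foreach ($progId in $ProgIds) {
    $clsid = Get-ClsidFromProgId $progId
    if (-not $clsid) { Write-Warning "$progId is not registered on this host"; continue }
    if (Test-KillBit $clsid) { Write-Output "$progId ($clsid): kill bit already set"; continue }
    Set-KillBit -Clsid $clsid
    Write-Output "$progId ($clsid): kill bit now set = $(Test-KillBit $clsid)"
}
```

Run with `-WhatIf` on `Set-KillBit` for a dry run; on 64-bit Windows the 32-bit browser reads the same key under `SOFTWARE\Wow6432Node`, so apply the change there as well.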
 
Details about Scob/Download.Ject can be found at:
 
http://www.microsoft.com/security/incident/download_ject.mspx
http://securityresponse.symantec.com/avcenter/venc/data/download.ject.html
http://www.f-secure.com/v-descs/scob.shtml
http://vil.nai.com/vil/content/v_126241.htm
http://www.sophos.com/virusinfo/analyses/jsscoba.html 
 

----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone; Not Protectively Marked information may be sent by
email to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

----------------------------------------------------------------------------------
Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
