
UNIRAS Brief - 579/04 - Technical Cyber Security Alert TA04-293A Multiple Vulnerabilities in Microsoft Internet Explorer



 

----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 579/04 dated 20.10.04  Time: 15:05
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

Technical Cyber Security Alert TA04-293A Multiple Vulnerabilities in Microsoft Internet Explorer

Detail
====== 


                        National Cyber Alert System

                  Technical Cyber Security Alert TA04-293A


Multiple Vulnerabilities in Microsoft Internet Explorer

   Original release date: October 19, 2004
   Last revised: --
   Source: US-CERT


Systems Affected

   Microsoft Windows systems running

     * Internet Explorer versions 5.01 and later; previous,
       unsupported versions of Internet Explorer may also be affected

     * Programs that use the WebBrowser ActiveX control (WebOC) or
       MSHTML rendering engine


Overview

   Microsoft Internet Explorer (IE) contains multiple vulnerabilities,
   the most severe of which could allow a remote attacker to execute
   arbitrary code with the privileges of the user running IE.


I. Description

   Microsoft Security Bulletin MS04-038 describes a number of IE
   vulnerabilities, including buffer overflows, cross-domain
   scripting, spoofing, and "drag and drop." Further details are
   available in the following vulnerability notes:

 * VU#291304 - Microsoft Internet Explorer contains a buffer overflow
   in CSS parsing
 
    A buffer overflow vulnerability exists in the way that IE
    processes Cascading Style Sheets (CSS). This could allow an
    attacker to execute arbitrary code or cause a denial of service.
    (CAN-2004-0842)

 * VU#637760 - Microsoft Internet Explorer Install Engine contains a
   buffer overflow vulnerability

    The IE Active Setup Install Engine (inseng.dll), which is used to
    decompress ActiveX controls stored in CAB files, contains a buffer
    overflow vulnerability. This could allow an attacker to execute
    arbitrary code. (CAN-2004-0216)

 * VU#207264 - Microsoft Internet Explorer does not properly handle
   function redirection (Similar Method Name Redirection Cross Domain
   Vulnerability)

    IE does not properly validate redirected functions. The impact is
    similar to that of a cross-site scripting vulnerability, allowing
    an attacker to access data and execute script in other domains,
    including the Local Machine Zone. (CAN-2004-0727)

 * VU#526089 - Microsoft Internet Explorer treats arbitrary files as
   images for drag and drop operations (Drag and Drop Vulnerability)

    IE treats arbitrary files as images during "drag and drop" mouse
    operations. This could allow an attacker to trick a user into
    copying a file to a location where it could be executed, such as
    the user's Startup folder. (CAN-2004-0839)

 * VU#413886 - Microsoft Internet Explorer allows mouse events to
   manipulate window objects and perform "drag and drop" operations
   (Script in Image Tag File Download Vulnerability, HijackClick 3)

    IE dynamic HTML (DHTML) mouse events can manipulate windows to
    copy objects from one domain to another, including the Local
    Machine Zone.  This could allow an attacker to write an arbitrary
    file to the local file system in a location where it could be
    executed, such as the user's Startup folder. (CAN-2004-0841)

   In addition, MS04-038 describes two address bar spoofing
   vulnerabilities (VU#625616, VU#431576) that could allow an attacker
   to deceive a user about the location of a web site; a vulnerability
   involving cached HTTPS files (VU#795720) that could allow an
   attacker to read from or inject data into an HTTPS web site; and a
   vulnerability in which IE6 on Windows XP ignores the "Drag and drop
   and copy and paste files" setting (VU#630720).

   Any program that uses the WebBrowser ActiveX control (WebOC) or
   MSHTML rendering engine could be affected by these vulnerabilities.


II. Impact

   The impacts of these vulnerabilities vary, but an attacker may be
   able to execute arbitrary code with the privileges of the user
   running IE.  An attacker could also exploit these vulnerabilities
   to perform social engineering attacks such as spoofing or phishing
   attacks. In most cases, an attacker would need to convince a user
   to view an HTML document (web page, HTML email message) with IE or
   another program that uses the WebBrowser ActiveX control or MSHTML
   rendering engine.

   In some cases, an attacker could combine two or more
   vulnerabilities to write an arbitrary file to the local file system
   in a sensitive location, such as the user's Startup folder. US-CERT
   has monitored reports of attacks against some of these
   vulnerabilities.


III. Solution

Apply a patch

   Apply the appropriate patch as specified by Microsoft Security
   Bulletin MS04-038.

Disable Active scripting and ActiveX controls

   To protect from attacks against several of these vulnerabilities,
   disable Active scripting and ActiveX controls in any zone used to
   render untrusted HTML content (typically the Internet Zone and
   Restricted Sites Zone). Instructions for disabling Active scripting in
   the Internet Zone can be found in the Malicious Web Scripts FAQ.
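
   The following is an added example, not part of the US-CERT alert or of
   Microsoft's guidance. It is Python that parses the text output of
   `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" /s`
   and reports where Active scripting (action 1400) or ActiveX controls
   (action 1200) are not set to disable (value 3) in the Internet (3) and
   Restricted Sites (4) zones. The sample output is constructed, and the
   example assumes only the per-user key is examined, so settings enforced
   elsewhere by policy are not seen.

```python
import re

# Added example. Zone numbers and action codes are IE's URL security zone
# registry values (Microsoft KB182569); data value 3 means "disable".
ZONES = {"3": "Internet", "4": "Restricted Sites"}
ACTIONS = {"1200": "Run ActiveX controls and plug-ins", "1400": "Active scripting"}
DISABLED = 3

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*\\Zones\\(\d+)\s*$", re.IGNORECASE)
VAL_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_zones(reg_query_output):
    """Return {zone: {action: int}} from `reg query ... /s` text."""
    zones, current = {}, None
    for line in reg_query_output.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = zones.setdefault(key.group(1), {})
        elif line.startswith("HKEY_"):
            current = None  # some other key: ignore its values
        elif current is not None:
            val = VAL_RE.match(line)
            if val:
                current[val.group(1)] = int(val.group(2), 16)
    return zones


def audit(reg_query_output):
    """List (zone name, setting, state) for every setting that is not disabled."""
    zones = parse_zones(reg_query_output)
    findings = []
    for zone, zone_name in ZONES.items():
        for action, label in ACTIONS.items():
            value = zones.get(zone, {}).get(action)
            if value != DISABLED:
                state = "not set" if value is None else hex(value)
                findings.append((zone_name, label, state))
    return findings


# Constructed sample output, not captured from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1200    REG_DWORD    0x0
    1400    REG_DWORD    0x3

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1200    REG_DWORD    0x3
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("NOT DISABLED: %s / %s (%s)" % finding)
```

   A value reported as "not set" means the per-user key carries no entry for
   that action, so the effective setting has to be confirmed from the zone
   defaults or policy before the zone is treated as hardened.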

Upgrade to Windows XP Service Pack 2

   Service Pack 2 for Windows XP contains security improvements for IE
   that reduce the impact of some of these vulnerabilities.


Appendix A. References

     * Vulnerability Note VU#291304 -
       <http://www.kb.cert.org/vuls/id/291304>

     * Vulnerability Note VU#637760 -
       <http://www.kb.cert.org/vuls/id/637760>

     * Vulnerability Note VU#207264 -
       <http://www.kb.cert.org/vuls/id/207264>

     * Vulnerability Note VU#526089 -
       <http://www.kb.cert.org/vuls/id/526089>

     * Vulnerability Note VU#413886 -
       <http://www.kb.cert.org/vuls/id/413886>

     * Vulnerability Note VU#625616 -
       <http://www.kb.cert.org/vuls/id/625616>

     * Vulnerability Note VU#431576 -
       <http://www.kb.cert.org/vuls/id/431576>

     * Vulnerability Note VU#795720 -
       <http://www.kb.cert.org/vuls/id/795720>

     * Vulnerability Note VU#630720 -
       <http://www.kb.cert.org/vuls/id/630720>

     * Vulnerability Note VU#673134 -
       <http://www.kb.cert.org/vuls/id/673134>

     * Malicious Web Scripts FAQ -
       <http://www.cert.org/tech_tips/malicious_code_FAQ.html>

     * Microsoft Security Bulletin MS04-038 -
       <http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx>

     _________________________________________________________________

   Information used in this document came from Microsoft Security
   Bulletin MS04-038. Microsoft credits Greg Jones, Peter Winter-Smith,
   Mitja Kolsek, and John Heasman for reporting several vulnerabilities.
   Will Dormann reported the IE6 Windows XP drag and drop setting
   vulnerability.
     _________________________________________________________________

   Feedback can be directed to the authors: Art Manion and Will Dormann.
     _________________________________________________________________


   This document is available from:

     <http://www.us-cert.gov/cas/techalerts/TA04-293A.html>

     _________________________________________________________________

   Copyright 2004 Carnegie Mellon University.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
     _________________________________________________________________


   Revision History

   October 19, 2004: Initial release


----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone. Not Protectively Marked information may be sent via
email to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of US-CERT for the information
contained in this Briefing.
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
