
CERT-In Advisory CIAD-2004-09
Vulnerabilities in Microsoft Internet Explorer allow Program Execution

Original issue date: April 7, 2004
Updated on: April 14, 2004

Severity: High

Systems Affected

Microsoft Windows systems running

  • Internet Explorer 5.01
  • Internet Explorer 5.5
  • Internet Explorer 6.0


Overview

A vulnerability in the handling of "Windows Help" files by Internet Explorer allows a malicious web site to execute arbitrary code on the visitor's computer. Remote and locally installed "CHM" help files can be opened by websites via either the "showHelp()" function or certain URI handlers such as "ms-its:" and "mk:@MSITStore:". This vulnerability is currently being exploited against Australian users via a bogus bank email.

Impact:

By creating a malicious Web page that contains a malformed CLSID parameter, a remote attacker could cause arbitrary code to be executed on the victim's computer without the knowledge or consent of the user, once the user visits the site.

Description

Two problems exist in the functioning of Internet Explorer in the handling of "CHM" files:

1) It is possible to treat other local files as "CHM" files by appending a double ":" to the file name, combined with directory traversal using the "..//" character sequence.

This has been exploited via programs such as WinAmp, Flash Player, XMLHTTP, ADODB.Stream and others, which allow files with arbitrary content to be placed in known locations.

2) Files that have not been installed locally may still execute arbitrary code in the context of the "Local Zone" when referenced as a non-existent file.

Example:

The vulnerability can be exploited in Internet Explorer including the latest versions with all patches and service packs installed.

Internet Explorer (IE) does not adequately validate the source of script contained in compiled help (CHM) file components that are referenced by the Microsoft InfoTech Storage (ITS) protocol handlers. An attacker could exploit this vulnerability to execute script in different security domains. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.

CHM files use the Microsoft InfoTech Storage (ITS) format. IE can access components within CHM files (via the IStorage interface) using several protocol handlers: ms-its, ms-itss, its, mk:@MSITStore.

As per US-CERT Vulnerability Note VU#323070, the ITS protocol handlers incorrectly treat HTML content from one domain (htmlfile.html on example.com) as if it were in a different domain (file://, the Local Machine Zone), in violation of the cross-domain security model. An attacker could exploit this vulnerability using a crafted HTML document containing script, an ActiveX object, or possibly an IFRAME element. Due to the way IE determines the MIME type of a file referenced by a URL, an HTML document may not necessarily have the expected file name extension (.html or .htm). Likewise, a CHM file may not have the expected .chm extension.
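The following is an added example, not part of the CERT-In advisory or of any referenced vendor material. It is a small Python scanner, written from the defender's side, that flags references to the ITS protocol handlers listed above in HTML pages or HTML e-mail, and additionally labels the "::" container syntax, the "..//" traversal sequence and non-CHM containers that the description mentions. The sample HTML, the attribute pattern and the finding labels are constructed for illustration; the scanner does not check whether a referenced file exists, so the "non-existent file" case (2) is not detected beyond the handler reference itself.

```python
import re

# Protocol handlers that Internet Explorer routes to the InfoTech Storage (ITS)
# parser, as named in the advisory. Matching is case-insensitive.
ITS_SCHEMES = ("ms-its:", "ms-itss:", "its:", "mk:@msitstore:")

# Attributes that can carry a URL in HTML or HTML e-mail. Constructed pattern,
# deliberately loose so that unquoted or oddly quoted values are still caught.
_ATTR_URL_RE = re.compile(
    r"""\b(?:href|src|data|codebase)\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def classify_its_reference(url):
    """Return a list of finding labels for one URL; empty means no ITS handler use."""
    findings = []
    url = url.strip()
    low = url.lower()
    scheme = next((s for s in ITS_SCHEMES if low.startswith(s)), None)
    if scheme is None:
        return findings
    # Any ITS handler reference from a remote page is worth flagging on its own,
    # because the handler renders the referenced content in the Local Machine Zone.
    findings.append("its-handler:" + scheme.rstrip(":"))
    # ITS syntax is <container>::<component path inside the container>.
    container, sep, _component = url[len(scheme):].partition("::")
    if not sep:
        return findings
    norm = container.replace("\\", "/")
    if "../" in norm:
        findings.append("traversal-in-container")   # the "..//" trick from the advisory
    if not norm.lower().endswith(".chm"):
        findings.append("non-chm-container")        # a non-help file parsed as CHM
    return findings


def scan_html(text):
    """Return [(url, findings), ...] for every URL in the document using an ITS handler."""
    results = []
    for match in _ATTR_URL_RE.finditer(text):
        url = match.group(1)
        findings = classify_its_reference(url)
        if findings:
            results.append((url, findings))
    return results


# Constructed sample: one ordinary link and three ITS handler references of the
# kinds described in the advisory. Paths and host names are illustrative only.
SAMPLE_HTML = r"""
<html><body>
<a href="http://www.example.com/help.htm">Online help</a>
<iframe src="ms-its:C:\temp\dropped.txt::/page.htm"></iframe>
<object data="mk:@MSITStore:C:\does-not-exist.chm::/page.htm"></object>
<a href="ms-its:http://www.example.com/..//..//dropped.txt::/page.htm">read more</a>
</body></html>
"""

if __name__ == "__main__":
    for url, findings in scan_html(SAMPLE_HTML):
        print(url, "->", ", ".join(findings))
```

Run over a mail gateway's HTML bodies or a proxy's fetched pages, any hit on "its-handler:" is worth a closer look, since ordinary web content has no reason to reference the help-file handlers at all; the extra labels only rank the hit.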

SecurityFocus has reported that exploits for this vulnerability are available:

http://www.securityfocus.com/bid/9658/exploit/

AusCERT Update AU-2004.007 has reported exploitation of this vulnerability against Australian users using a bogus bank email.

Clicking on the link supplied in the mail message initiates the execution of a malicious key logger program on the user's computer. Details regarding the activities of the Bank Withdrawal Trojan that is based on this vulnerability can be found at:

http://www.codephish.info/modules.php?op=modload&name=News&file=article&sid=96

Workaround

  • Users of IE are advised to avoid visiting websites of untrusted origin suggested in unsolicited email messages.
  • Remove the file association for CHM files. However, this will effectively disable Windows Help.
  • It may be possible to work around this issue by renaming the following registry entry:

    HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its

    This may not eliminate the vulnerability but using a different name for the handler may mitigate existing exploits.
  • As per US-CERT Vulnerability Note VU#323070, disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. This will not prevent exploitation of the vulnerability, but it is likely to prevent the payload of the exploit from being executed.
  • Install and maintain updated antivirus software.

Solution

Apply the appropriate updates as given in Microsoft security bulletin MS04-011.

References

AU-2004.007 AusCERT Update
http://www.auscert.org.au/3990

Secunia
http://secunia.com/advisories/10523/

Security Focus
http://www.securityfocus.com/bid/9658

US-CERT Vulnerability Note VU#323070
http://www.kb.cert.org/vuls/id/323070

Internet Security Systems
http://xforce.iss.net/xforce/xfdb/15705

CVE ID: CAN-2004-0380
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380

AL-2004.10 AusCERT Alert
http://www.auscert.org.au/3981

codephish
http://www.codephish.info/modules.php?op=modload&name=News&file=article&sid=96

RFC 2110: MIME E-mail Encapsulation of Aggregate Documents, such as HTML (MHTML)
http://www.ietf.org/rfc/rfc2110.txt

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91 11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003