CERT-In Advisory
CIAD-2004-0009
Vulnerabilities in Microsoft Internet Explorer allow Program Execution
Original Issue Date: April 07, 2004
Updated: April 14, 2004
Severity Rating: High
Systems Affected
Microsoft Windows systems running
- Internet Explorer 5.01
- Internet Explorer 5.5
- Internet Explorer 6.0
Overview
A vulnerability in the handling of "Windows Help" files by Internet Explorer allows a malicious web site to execute arbitrary code on the local computer. Remote and locally installed "CHM" help files can be opened by web sites via either the "showHelp" function or certain URI handlers such as "ms-its:" and "mk:@MSITStore:". This vulnerability is currently being exploited against Australian users by means of a bogus bank email.
Impact
By creating a malicious Web page that contains a malformed CLSID parameter, a remote attacker could cause arbitrary code to be executed on the victim's computer without the knowledge or consent of the user, once the user visits the site.
Description
Two problems exist in the way Internet Explorer handles "CHM" files:
1. It is possible to treat other local files as "CHM" files by using a special syntax with a double ":" appended to the file name, combined with directory traversal using the "..//" character sequence.
This has been exploited via programs such as WinAmp, Flash Player, XMLHTTP, ADODB stream and others, which allow files with arbitrary content to be placed in known locations.
2. Files that have not been installed locally may still execute arbitrary code in the context of the "Local Zone" when a non-existent file is referenced.
Example:
The vulnerability can be exploited in Internet Explorer, including the latest versions with all patches and service packs installed. Internet Explorer (IE) does not adequately validate the source of script contained in compiled help (CHM) file components that are referenced by the Microsoft InfoTech Storage (ITS) protocol handlers. An attacker could exploit this vulnerability to execute script in different security domains. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. CHM files use the Microsoft InfoTech Storage (ITS) format. IE can access components within CHM files via the IStorage interface using several protocol handlers: ms-its, ms-itss, its and mk:@MSITStore. As per US-CERT Vulnerability Note VU#323070, the ITS protocol handlers incorrectly treat HTML content from one domain (for example, htmlfile.html in example.com) as if it were in a different domain (file://, the Local Machine Zone), in violation of the cross-domain security model. An attacker could exploit this vulnerability using a crafted HTML document containing script, an ActiveX object or possibly an IFRAME element. Because of the way IE determines the MIME type of a file referenced by a URL, an HTML document may not necessarily have the expected file name extension (.html or .htm). Likewise, a CHM file may not have the expected .chm extension. SecurityFocus has reported the availability of exploits for this vulnerability: http://www.securityfocus.com/bid/9658/exploit/
AusCERT Update AU-2004.007 has reported exploitation of this vulnerability against Australian users using a bogus bank email. Clicking on the link supplied in the mail message initiates the execution of a malicious key logger program on the user's computer. Details regarding the activities of the Bank Withdrawal Trojan that is based on this vulnerability can be found at: http://www.codephish.info/modules.php?op=modload&name=News&file=article&sid=96
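The following Python script is an added defensive example and is not part of the CERT-In advisory. It scans lines of text (HTML pages, mail bodies, proxy or mail-gateway logs) for the ITS protocol handlers named above (ms-its, ms-itss, its, mk:@MSITStore) and the showHelp() call, and flags the double-colon CHM component syntax, the "..//" directory traversal and non-.chm targets described in the two problems, so that such content can be blocked or alerted on at a gateway. The sample lines, host names and file paths are constructed for illustration and are not real indicators.

```python
import re
from urllib.parse import unquote

# ITS protocol handlers listed in the advisory, followed by the URL body.
ITS_URL_RE = re.compile(r"""(?i)\b(ms-its|ms-itss|its|mk:@msitstore):([^\s"'<>)]+)""")
# The showHelp() function the advisory names as one way to open CHM content.
SHOWHELP_RE = re.compile(r"(?i)\bshowHelp\s*\(")
# "../" or "..\" style traversal inside the path before the "::" separator.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def classify_its_url(body):
    """Return the reasons an ITS-handler URL body deserves attention (empty list = none).

    body is everything after the scheme, e.g. "http://host/docs.chm::/start.htm".
    """
    url = unquote(body)                            # undo %2e%2e style encoding first
    target, sep, _component = url.partition("::")  # file part before the "::" separator
    reasons = []
    if sep:
        reasons.append("chm_component_syntax")     # file::/page form that opens CHM contents
        if not target.lower().endswith(".chm"):
            reasons.append("target_not_chm")       # non-.chm file being treated as a CHM
    if TRAVERSAL_RE.search(target):
        reasons.append("directory_traversal")
    if re.match(r"(?i)https?://", target):
        reasons.append("remote_chm")               # CHM fetched from a web server
    return reasons


def scan_lines(lines):
    """Scan text lines and return one finding dict per ITS URL or showHelp() call."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in ITS_URL_RE.finditer(line):
            findings.append({
                "line": lineno,
                "scheme": m.group(1).lower(),
                "url": m.group(0),
                "reasons": classify_its_url(m.group(2)),
            })
        if SHOWHELP_RE.search(line):
            findings.append({"line": lineno, "scheme": "showHelp",
                             "url": None, "reasons": ["showhelp_call"]})
    return findings


# Constructed sample content (host names and paths are placeholders, not real indicators).
SAMPLE_HTML = [
    r'<a href="http://example.com/help/index.html">Help</a>',
    r'<iframe src="ms-its:http://example.com/docs.chm::/start.htm" width="0"></iframe>',
    r'<object data="ms-its:C:\example\notes.txt::/page.htm"></object>',
    r'<script>showHelp("mk:@MSITStore:C:\example\..//..//temp\x.chm::/a.htm")</script>',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_HTML):
        print(f"line {f['line']}: {f['scheme']} {f['url'] or ''} -> {', '.join(f['reasons'])}")
```

The benign help link produces no finding; the three remaining sample lines are reported with their reasons (remote CHM with component syntax, a non-.chm file opened as a CHM, and a traversal path passed to showHelp). The bare `its:` handler is matched only at a word boundary so that words ending in "its" followed by a colon in ordinary text are not reported.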
Solution
Apply the appropriate updates as given in Microsoft Security Bulletin MS04-011.
Workaround
- Users of IE are advised to avoid visiting web sites of untrusted origin linked from unsolicited email messages.
- Remove the file association for CHM files. However, this will effectively disable Windows Help.
- It may be possible to work around this issue by renaming the following registry entry:
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its
This may not eliminate the vulnerability, but using a different name for the handler may mitigate existing exploits.
- As per US-CERT Vulnerability Note VU#323070, disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. This will not prevent exploitation of the vulnerability, but it is likely to prevent the payload of the exploit from being executed.
- Install and maintain updated antivirus software.
References
AU-2004.007 AusCERT Update
http://www.auscert.org.au/3990
Secunia
http://secunia.com/advisories/10523/
Security Focus
http://www.securityfocus.com/bid/9658
US-CERT Vulnerability Note VU#323070
http://www.kb.cert.org/vuls/id/323070
Internet Security Systems
http://xforce.iss.net/xforce/xfdb/15705
CVE ID: CAN-2004-0380
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380
AL-2004.10 AUSCERT ALERT
http://www.auscert.org.au/3981
RFC 2110: MIME E-mail Encapsulation of Aggregate Documents, such as HTML (MHTML)
http://www.ietf.org/rfc/rfc2110.txt
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road, New Delhi - 110 003
India