CERT-In Vulnerability Note
CIVN-2005-0116
Internet Explorer Vulnerabilities
Original Issue Date: December 15, 2005
Severity Rating: HIGH
Systems Affected
- Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
- Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1
- Internet Explorer 6 for Microsoft Windows XP Service Pack 2
- Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
- Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
- Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
- Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium
- Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition
Overview
A number of vulnerabilities have been reported in Microsoft Internet Explorer which, if successfully exploited, could allow an attacker to take complete control of the affected system.
Description
1. File Download Dialog Box Manipulation Vulnerability - CAN-2005-2829:
A remote code execution vulnerability exists in the way Internet Explorer displays file download dialog boxes, accepts user input, and handles certain keystrokes a user makes while visiting a Web page. To make the attack more convincing, the attacker may position a custom dialog box in front of the file download dialog box. A user may also be persuaded to double-click an element of a Web page, which could allow the attacker to execute malicious code on the system. After successful exploitation the attacker could gain complete control of the system with the same rights as the logged-on user. Windows Server 2003 runs Internet Explorer in Enhanced Security Configuration by default, which reduces the impact of this vulnerability.
2. HTTPS Proxy Vulnerability- CAN-2005-2830:
HTTPS is a protocol that secures HTTP communications. With Basic Authentication, credentials are sent to the proxy server in clear text. An information disclosure vulnerability exists in the way Internet Explorer behaves in certain situations where an HTTPS proxy server requires clients to use Basic Authentication: Web addresses may be incorrectly transmitted in clear text when such a proxy is used. An attacker monitoring the network between the user and the proxy server could read the URL. Workaround: Do not use authenticating proxy servers that require Basic Authentication as a proxy for HTTPS communication.
3. COM Object Instantiation Memory Corruption Vulnerability - CAN-2005-2831:
The Component Object Model (COM) allows an object to expose its functionality to other components and to host applications. A remote code execution vulnerability exists in the way Internet Explorer instantiates certain COM objects as ActiveX Controls; the affected COM objects may corrupt system state and allow arbitrary code to be executed. This could allow the attacker to gain complete control of the system with the same rights as the logged-on user. Windows Server 2003 runs Internet Explorer in Enhanced Security Configuration by default, which reduces the impact of this vulnerability.
4. Mismatched Document Object Model Objects Memory Corruption Vulnerability - CAN-2005-1790:
The Document Object Model (DOM) is a platform- and language-neutral interface that allows programs and scripts to dynamically access and update the content, structure and style of documents. A remote code execution vulnerability exists in the way Internet Explorer handles mismatched DOM objects; system memory may become corrupted in a way that an attacker could use to execute arbitrary code. After successful exploitation the attacker could gain complete control of the system with the same rights as the logged-on user. An attacker could host a malicious Web site and persuade users to visit it, for example by getting them to click a link that leads to the attacker's site. Exploits are circulating on the Internet under the names Trojan Win32/Delf.DH and JS/Exploit-BO.gen. Windows Server 2003 runs Internet Explorer in Enhanced Security Configuration by default, which reduces the impact of this vulnerability.
For further details regarding this vulnerability, refer to CERT-In Vulnerability Note CIVN-2005-112.
Workaround
- Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone
- Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zone
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones
- Restrict Web sites to only your trusted Web sites
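The zone settings listed above live under the per-user Zones registry key, so a quick way to confirm the workaround was applied across a fleet is to audit a "reg export" of that key. The following audit script is an added example, not part of this CERT-In note; it assumes the standard Internet Explorer layout (zone 1 = Local intranet, zone 3 = Internet, URL actions 1200 = ActiveX controls and 1400 = Active scripting, values 0/1/3 = Enable/Prompt/Disable) and the sample export embedded in it is constructed.

```python
import re

# IE "URL action" ids in the Zones registry key: 1200 = Run ActiveX controls and
# plug-ins, 1400 = Active scripting. Values: 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIONS = {"1200": "ActiveX Controls", "1400": "Active Scripting"}
ZONES = {"1": "Local intranet", "3": "Internet"}
ACCEPTABLE = {1, 3}  # Prompt or Disable both satisfy the workaround

def parse_reg_export(text):
    """Parse 'reg export' output for the Zones key into {zone_id: {action_id: int}}."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key, current = line[1:-1], None
            if "\\Internet Settings\\Zones\\" in key:
                zone_id = key.rsplit("\\", 1)[1]
                if zone_id.isdigit():
                    current = zones.setdefault(zone_id, {})
            continue
        m = re.match(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return zones

def audit_zone_settings(zones):
    """Return (zone, action, state) for settings left at Enable or absent from the
    export; an absent value means IE falls back to the zone's built-in default."""
    findings = []
    for zone_id, zone_name in ZONES.items():
        values = zones.get(zone_id, {})
        for action_id, action_name in ACTIONS.items():
            value = values.get(action_id)
            if value is None:
                findings.append((zone_name, action_name, "not set"))
            elif value not in ACCEPTABLE:
                findings.append((zone_name, action_name, "enabled"))
    return findings

# Constructed sample export: the Internet zone prompts for ActiveX but still runs
# scripts silently; the Local intranet zone carries no explicit overrides at all.
SAMPLE_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000001
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"DisplayName"="Local intranet"
"""
```

Running audit_zone_settings(parse_reg_export(SAMPLE_EXPORT)) reports the two unset Local intranet actions and Active Scripting still enabled in the Internet zone; an empty list means the workaround is in place for both zones.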
Solution
Apply the appropriate security update as described in Microsoft Security Bulletin
MS05-054
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS05-054.mspx
References
SecurityFocus
http://www.securityfocus.com/bid/15823
http://www.securityfocus.com/bid/13799
http://www.securityfocus.com/bid/15827
http://www.securityfocus.com/bid/15825
SecurityTracker
http://www.securitytracker.com/alerts/2005/Dec/1015349.html
http://www.securitytracker.com/alerts/2005/Dec/1015350.html
http://www.securitytracker.com/alerts/2005/Dec/1015348.html
US-CERT
http://www.us-cert.gov/cas/techalerts/TA05-347A.html
http://www.kb.cert.org/vuls/id/887861
Secunia Advisory
http://secunia.com/advisories/15368/
http://secunia.com/advisories/15546/
CVE Name
CAN-2005-2829
CAN-2005-2830
CAN-2005-2831
CAN-2005-1790
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India