======================================================================

                     Secunia Research 09/02/2005

       - Microsoft Internet Explorer Multiple Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

Microsoft Internet Explorer 5.01, 5.5 and 6

======================================================================
2) Severity

Rating: Highly critical
Impact: System access, Security Bypass, Exposure of sensitive information
Where:  From remote

======================================================================
3) Description of Vulnerabilities

Secunia Research has discovered multiple vulnerabilities in Microsoft
Internet Explorer, which can be exploited by malicious people to
disclose sensitive information, bypass certain security restrictions
and compromise a user's system.

1) The vulnerability is caused due to insufficient validation of drag
and drop events from the "Internet" zone to local resources for valid
images containing script code. This can be exploited by e.g. a
malicious website to plant arbitrary file types on a user's system via
a specially crafted "Content-Disposition" HTTP header with a dot
appended in the filename.

Example:
"Content-Disposition: attachment; filename=malicious.bat."
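As an added example (not part of the advisory), a Python check a download filter or proxy could apply: it models the Windows behaviour of dropping a trailing dot from a filename, so that the advertised "malicious.bat." in vulnerability 1 is compared against the name that actually lands on disk, and it flags the "?.exe" codebase suffix described under vulnerability 4 in this section. The header and codebase values are constructed samples.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Windows drops trailing dots and spaces when it creates a file, so a
# Content-Disposition filename like "malicious.bat." is written as
# "malicious.bat". This models that normalisation.
def windows_effective_name(filename: str) -> str:
    return filename.rstrip(". ")

# Matches filename="quoted value" or filename=bare-token
_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)

def disposition_filename(header: str) -> Optional[str]:
    """Return the filename parameter of a Content-Disposition value, untouched."""
    m = _FILENAME_RE.search(header)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

RISKY_EXT = (".bat", ".cmd", ".exe", ".hta", ".scr", ".vbs", ".js")

def disposition_findings(header: str) -> List[str]:
    """Flag a Content-Disposition value whose advertised filename differs from
    what Windows would create, or whose effective extension is risky."""
    findings = []
    name = disposition_filename(header)
    if name is None:
        return findings
    effective = windows_effective_name(name)
    if effective != name:
        findings.append("filename %r becomes %r on disk" % (name, effective))
    dot = effective.rfind(".")
    ext = effective[dot:].lower() if dot >= 0 else ""
    if ext in RISKY_EXT:
        findings.append("effective extension %s is risky" % ext)
    return findings

def codebase_findings(codebase: str) -> List[str]:
    """Flag an <object codebase="..."> value whose query string ends in .exe,
    the "?.exe" suffix the advisory describes for vulnerability 4."""
    parts = urlsplit(codebase)
    if parts.query.lower().endswith(".exe"):
        return ["codebase query string %r ends in .exe" % parts.query]
    return []

if __name__ == "__main__":
    # Constructed sample values, not taken from any live site.
    for h in ("attachment; filename=malicious.bat.", 'attachment; filename="report.pdf"'):
        print(h, "->", disposition_findings(h))
    print(codebase_findings("file:///C:/placeholder/doc.txt?.exe"))
```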
This is related to:
SA12321

The vulnerability has been confirmed on a fully patched system (without
MS05-014) with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.

2) The vulnerability is caused due to insufficient cross zone
restrictions. This can be exploited to link to local resources when a
user clicks a link on e.g. a malicious website.

The vulnerability has been confirmed in Microsoft Internet Explorer 6.0
running Windows 2000, Windows XP SP1 and Windows XP SP2.

3) The vulnerability is caused due to an error in the handling of
websites inside the "Temporary Internet Files" folder. This can be
exploited to cause a site to be loaded in the context of the "Temporary
Internet Files" folder when a user clicks a link on e.g. a malicious
website. Further exploitation involves gaining knowledge of a user's
username and retrieving documents found inside the "Temporary Internet
Files" folder.

The vulnerability has been confirmed in Microsoft Internet Explorer 6.0
running Windows 2000, Windows XP SP1 and Windows XP SP2.

4) A parsing error in the "codebase" attribute of the "object" tag.
This can be exploited to execute local files with any file extension
from the "Local Computer Zone" by appending "?.exe".

The vulnerability has been confirmed in Microsoft Internet Explorer 6.0
running Windows 2000 and Windows XP SP1.

NOTE: A combination of the vulnerabilities 2, 3 and 4 can be exploited
to execute arbitrary code on Microsoft Internet Explorer running
Windows 2000 and Windows XP SP1, in combination with third-party
software which stores malicious files in a predictable location.

======================================================================
4) Solution

Microsoft has released patches (see MS05-014 for details).

======================================================================
5) Time Table

25/09/2004 - Vulnerabilities discovered.
04/10/2004 - Vendor notified.
11/10/2004 - Vendor confirms the vulnerabilities.
12/10/2004 - Additional vulnerability discovered.
13/10/2004 - Vendor notified.
17/10/2004 - Vendor confirms the vulnerability.
08/02/2005 - Public disclosure.

======================================================================
6) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
candidate number CAN-2005-0053 for the vulnerability.

MS05-014 (KB867282):
http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx

US-CERT VU#698835:
http://www.kb.cert.org/vuls/id/698835

SA12321:
http://secunia.com/advisories/12321/

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the Secunia
web site:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2004-8/advisory/

======================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html