-----BEGIN PGP SIGNED MESSAGE-----

CERT  Advisory   CA-2003-22  Multiple  Vulnerabilities   in  Microsoft
Internet Explorer

   Original issue date: August 26, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.


Systems Affected

   Microsoft Windows systems running

     * Internet Explorer 5.01
     * Internet Explorer 5.50
     * Internet Explorer 6.01

   Previous,  unsupported versions  of Internet  Explorer may  also be
   affected.


Overview

   Microsoft Internet Explorer (IE) contains multiple vulnerabilities,
   the most serious of which  could allow a remote attacker to execute
   arbitrary code with the privileges of the user running IE.


I. Description

   Microsoft Security Bulletin MS03-032 describes five vulnerabilities
   in  Internet  Explorer.  These  vulnerabilities  are listed  below.
   More   detailed  information   is  available   in   the  individual
   vulnerability notes.  Note that in addition to IE, any applications
   that use the  IE HTML rendering engine to  interpret HTML documents
   may present additional attack vectors for these vulnerabilities.

   VU#205148 - Microsoft  Internet  Explorer does not properly evaluate
   Content-Type and Content-Disposition headers
   
     A  cross-domain  scripting vulnerability  exists  in  the way  IE
     evaluates Content-Type and Content-Disposition headers and checks
     for files  in the local browser cache.   This vulnerability could
     allow  a  remote  attacker  to  execute  arbitrary  script  in  a
     different  domain,  including  the  Local Machine  Zone.
     (Other resources: SNS Advisory No.67, CAN-2003-0531)

   VU#865940 - Microsoft Internet  Explorer does not properly evaluate
   "application/hta" MIME type referenced  by DATA attribute of OBJECT
   element
   
     IE will execute an HTML  Application (HTA) referenced by the DATA
     attribute  of  an  OBJECT  element  if  the  Content-Type  header
     returned  by the  web  server is  set  to "application/hta".   An
     attacker  could exploit this  vulnerability to  execute arbitrary
     code with the privileges of the user running IE.
     (Other  resources:  eEye  Digital Security  Advisory  AD20030820,
     CAN-2003-0532)

   VU#548964  - Microsoft Windows  BR549.DLL ActiveX  control contains
   vulnerability

     The Microsoft  Windows BR549.DLL ActiveX  control, which provides
     support  for  the Windows  Reporting  Tool,  contains an  unknown
     vulnerability. The impact of this vulnerability is not known.

   VU#813208  - Internet Explorer  does not  properly render  an input
   type tag
   
     IE does not properly render an input type tag, allowing a remote
     attacker to cause a denial of service.

   VU#334928 - Microsoft Internet Explorer contains buffer overflow in
   Type  attribute  of OBJECT  element  on  double-byte character  set
   systems
   
     Certain versions  of IE  that support double-byte  character sets
     (DBCS)  contain  a  buffer  overflow vulnerability  in  the  Type
     attribute of the OBJECT element.  A remote attacker could execute
     arbitrary code with the privileges of the user running IE.
     (Other resources: SNS Advisory No.68, Microsoft Security Bulletin
     MS03-020, CAN-2003-0344)


II. Impact

   These vulnerabilities  have different impacts,  ranging from denial
   of service to  execution of arbitrary commands or  code. Please see
   the  individual vulnerability notes  for specific  information. The
   most  serious of  these vulnerabilities  (VU#865940) could  allow a
   remote attacker  to execute arbitrary  code with the  privileges of
   the user running IE.  The attacker could exploit this vulnerability
   by convincing the user to access a specially crafted HTML document,
   such as a  web page or HTML email message.  No user intervention is
   required beyond viewing the attacker's HTML document with IE.


III. Solution

Apply a patch

   Apply  the appropriate  patch  as specified  by Microsoft  Security
   Bulletin MS03-032.

   In  addition to  addressing these  vulnerabilities, the  patch also
   changes the behavior of the HTML Help system (see VU#25249):

     As  with  the   previous  Internet  Explorer  cumulative  patches
     released  with bulletins  MS03-004, MS03-015,  and  MS03-020 this
     cumulative   patch  will  cause  window.showHelp()  to  cease  to
     function if  you have not applied  the HTML Help  update.  If you
     have installed the updated  HTML Help control from Knowledge Base
     article  811630,  you  will  still  be  able  to  use  HTML  Help
     functionality after applying this patch.


Appendix A. Vendor Information

   This  appendix  contains  information  provided  by  vendors.  When
   vendors  report new information,  this section  is updated  and the
   changes  are noted  in the  revision history.  If a  vendor  is not
   listed below, we have not received their comments.

Microsoft

     Please see Microsoft Security Bulletin MS03-032.


Appendix B. References

     * CERT/CC Vulnerability Note VU#205148 -
       <http://www.kb.cert.org/vuls/id/205148>

     * CERT/CC Vulnerability Note VU#865940 -
       <http://www.kb.cert.org/vuls/id/865940>

     * CERT/CC Vulnerability Note VU#548964 -
       <http://www.kb.cert.org/vuls/id/548964>

     * CERT/CC Vulnerability Note VU#813208 -
       <http://www.kb.cert.org/vuls/id/813208>

     * CERT/CC Vulnerability Note VU#334928 -
       <http://www.kb.cert.org/vuls/id/334928>

     * CERT/CC Vulnerability Note VU#25249 -
       <http://www.kb.cert.org/vuls/id/25249>

     * eEye Digital Security Advisory AD20030820     -
       <http://www.eeye.com/html/Research/Advisories/AD20030820.html>

     * SNS Advisory No. 67 -
       <http://www.lac.co.jp/security/english/snsadv_e/67_e.html>

     * SNS Advisory No. 68 -
       <http://www.lac.co.jp/security/english/snsadv_e/68_e.html>

     * Microsoft Security Bulletin MS03-032 -
       <http://microsoft.com/technet/security/bulletin/MS03-032.asp>

     * Microsoft KB Article 822925 -
       <http://support.microsoft.com/default.aspx?scid=kb;en-us;822925>

   _________________________________________________________________

   Microsoft  credits eEye  Digital  Security, LAC,  and  KPMG UK  for
   reporting these  vulnerabilities.  Information from  eEye, LAC, and
   Microsoft was used in this document.
   _________________________________________________________________

   Feedback can be directed to the author, Art Manion.
   ______________________________________________________________________

   This document is available from:
   <http://www.cert.org/advisories/CA-2003-22.html>
   ______________________________________________________________________


CERT/CC Contact Information

   Email: <cert@cert.org>
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
     <http://www.cert.org/CERT_PGP.key>

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site

     <http://www.cert.org/>

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send email to <majordomo@cert.org>. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History

   August 26, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP0u+smjtSoHZUTs5AQF7FwQAl/9veQraef6h9lFcN+5dtxDz2xAecek/
NUPTSzatHC+E1pc+f2IcqJh01YMsM1BXpr6sPmA5FK+2fvfuvj875NnIXIztxYWe
yV5howmUOCSPpDuV6Nasdebqq4mlBygO4R8gx1MeUBj4BEvG7mLs7k7z24kkDodv
cf0X647ejlM=
=UWNE
-----END PGP SIGNATURE-----