Airscanner Mobile Security Advisory #05080501: IE & MIME By Design Loophole

Product:
Internet Explorer (All versions)

Platform:
Tested on Windows XP Professional SP-2

Requirements:
Internet Explorer with scripting enabled

Credits:
Seth Fogie
Airscanner Mobile Security
www.airscanner.com
March 11, 2005

Risk Level:
Medium

Summary:
Internet Explorer is unique in that it handles file contents not by 
extension, but via a MIME detection engine built into the browser. 
Details of this specification are at 
(http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp). 


The result of this design is that a file named *.jpg, for example, will 
not be processed as an image file if the contents of the file include 
data that corresponds to another MIME-supported file type. Technically, 
this is by design and is considered to be a feature, rather than a bug. 
Unfortunately, this feature allows attackers to create a file with 
active content (e.g. Java or Javascript) and upload it as a JPG image to 
the Internet, and then create a hyperlinked URL supposedly pointing to 
an innocent JPEG. However, clicking on the link to the “JPEG” will 
instead load the file into the browser and potentially will execute 
whatever active content the attacker has written. The unsuspecting 
victim would likely think they are viewing a simple image file, but 
instead they could load a silent JavaScript program.

Details:
Inline HTML embedded images DO NOT WORK.. eg.

Hyperlinks to “images” will work (note: in order to work the following 
link must be tested in Internet Explorer): 
http://www.airscanner.com/security/images/IE_MIME.jpg

Workaround:
Block all images, disable active scripting, or use a browser that is not 
vulnerable (e.g., Firefox)

Vendor Response
Notified, but this security flaw is a “by design” issue, and not 
strictly a “bug.” Vendor "..may improve this by an update patch to be 
released in the future or in the next version of the product."

Legal:

Copyright (c) 2005 Airscanner Corp.

Permission is granted for the redistribution of this alert 
electronically. It may not be edited in any way without the express 
written consent of Airscanner Corp. If you wish to reprint the whole or 
any part of this alert in any other medium other than electronically, 
please contact Airscanner Corp. for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use on an AS IS condition. 
There are no warranties with regard to this information. Neither the 
author nor the publisher accepts any liability for any direct, indirect, 
or consequential loss or damage arising from use of, or reliance on, 
this information.