-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA04-293A Multiple Vulnerabilities in Microsoft Internet Explorer Original release date: October 19, 2004 Last revised: -- Source: US-CERT Systems Affected Microsoft Windows systems running * Internet Explorer versions 5.01 and later; previous, unsupported versions of Internet Explorer may also be affected * Programs that use the WebBrowser ActiveX control (WebOC) or MSHTML rendering engine Overview Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most severe of which could allow a remote attacker to execute arbitrary code with the privileges of the user running IE. I. Description Microsoft Security Bulletin MS04-038 describes a number of IE vulnerabilities, including buffer overflows, cross-domain scripting, spoofing, and "drag and drop." Further details are available in the following vulnerability notes: * VU#291304 - Microsoft Internet Explorer contains a buffer overflow in CSS parsing A buffer overflow vulnerability exists in the way that IE processes Cascading Style Sheets (CSS). This could allow an attacker to execute arbitrary code or cause a denial of service. (CAN-2004-0842) * VU#637760 - Microsoft Internet Explorer Install Engine contains a buffer overflow vulnerability The IE Active Setup Install Engine (inseng.dll), which is used to decompress ActiveX controls stored in CAB files, contains a buffer overflow vulnerability. This could allow an attacker to execute arbitrary code. (CAN-2004-0216) * VU#207264 - Microsoft Internet Explorer does not properly handle function redirection (Similar Method Name Redirection Cross Domain Vulnerability) IE does not properly validate redirected functions. The impact is similar to that of a cross-site scripting vulnerability, allowing an attacker to access data and execute script in other domains, including the Local Machine Zone. (CAN-2004-0727) * VU#526089 - Microsoft Internet Explorer treats arbitrary files as images for drag and drop operations (Drag and Drop Vulnerability) IE treats arbitrary files as images during "drag and drop" mouse operations. This could allow an attacker to trick a user into copying a file to a location where it could be executed, such as the user's Startup folder. (CAN-2004-0839) * VU#413886 - Microsoft Internet Explorer allows mouse events to manipulate window objects and perform "drag and drop" operations (Script in Image Tag File Download Vulnerability, HijackClick 3) IE dynamic HTML (DHTML) mouse events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. This could allow an attacker to write an arbitrary file to the local file system in a location where it could be executed, such as the user's Startup folder. (CAN-2004-0841) In addition, MS04-038 describes two address bar spoofing vulnerabilities (VU#625616, VU#431576) that could allow an attacker to deceive a user about the location of a web site; a vulnerability involving cached HTTPS files (VU#795720) that could allow an attacker to read from or inject data into an HTTPS web site; and a vulnerability in which IE6 on Windows XP ignores the "Drag and drop and copy and paste files" setting (VU#630720). Any program that uses the WebBrowser ActiveX control (WebOC) or MSHTML rendering engine could be affected by these vulnerabilities. II. Impact The impacts of these vulnerabilities vary, but an attacker may be able to execute arbitrary code with the privileges of the user running IE. An attacker could also exploit these vulnerabilities to perform social engineering attacks such as spoofing or phishing attacks. In most cases, an attacker would need to convince a user to view an HTML document (web page, HTML email message) with IE or another program that uses the WebBrowser ActiveX control or MSHTML rendering engine. In some cases, an attacker could combine two or more vulnerabilities to write an arbitrary file to the local file system in a sensitive location, such as the user's Startup folder. US-CERT has monitored reports of attacks against some of these vulnerabilities. III. Solution Apply a patch Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-038. Disable Active scripting and ActiveX controls To protect from attacks against several of these vulnerabilities, disable Active scripting and ActiveX controls in any zone used to render untrusted HTML content (typically the Internet Zone and Restricted Sites Zone). Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ. Upgrade to Windows XP Service Pack 2 Service Pack 2 for Windows XP contains security improvements for IE that reduce the impact of some of these vulnerabilities. Appendix A. References * Vulnerability Note VU#291304 - * Vulnerability Note VU#637760 - * Vulnerability Note VU#207264 - * Vulnerability Note VU#526089 - * Vulnerability Note VU#413886 - * Vulnerability Note VU#625616 - * Vulnerability Note VU#431576 - * Vulnerability Note VU#795720 - * Vulnerability Note VU#630720 - * Vulnerability Note VU#673134 - * Malicious Web Scripts FAQ - * Microsoft Security Bulletin MS04-038 - _________________________________________________________________ Information used in this document came from Microsoft Security Bulletin MS04-038. Microsoft credits Greg Jones, Peter Winter-Smith, Mitja Kolsek, and John Heasman for reporting several vulnerabilities. Will Dormann reported the IE6 Windows XP drag and drop setting vulnerability. _________________________________________________________________ Feedback can be directed to the authors: Art Manion and Will Dormann. _________________________________________________________________ This document is available from: _________________________________________________________________ Copyright 2004 Carnegie Mellon University. Terms of use: _________________________________________________________________ Revision History October 19, 2004: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQXWoaRhoSezw4YfQAQKZfwgAgV5v+A2qGlqq1jlo1OSpbSY6NqRpw001 0+QCbr8eJpdl6JV6m+wcZwGKj0Hhm0CfF0ysMKw7cHB0m0XSVVma0EGKRoztIrIh i8yrHRF6zopsatf+qXciG1o4uB9TOZGz/1oUvdyH8d4s3PaqJH2+zAEJyV6mz6WD uudFcHuTEpQcmgLMJF8G8/s/gsMF565fv+Uox6rizQgYoGDAApVh5U3Rh5fnI20c aKoUofqiZn39cNjZRpxiCD2n72/oDr12aZQwjOnOZjHbWIqv92NmaTupUkmsnyk7 mnxKs3LwCKgTVKBjlEwOZSL0ryY9bzJaimUDWit/h24YMCBh8y4xiQ== =6qiJ -----END PGP SIGNATURE-----