Airscanner Mobile Security Advisory #05080501: IE & MIME By Design Loophole Product: Internet Explorer (All versions) Platform: Tested on Windows XP Professional SP-2 Requirements: Internet Explorer with scripting enabled Credits: Seth Fogie Airscanner Mobile Security www.airscanner.com March 11, 2005 Risk Level: Medium Summary: Internet Explorer is unique in that it handles file contents not by extension, but via a MIME detection engine built into the browser. Details of this specification are at (http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp). The result of this design is that a file named *.jpg, for example, will not be processed as an image file if the contents of the file include data that corresponds to another MIME-supported file type. Technically, this is by design and is considered to be a feature, rather than a bug. Unfortunately, this feature allows attackers to create a file with active content (e.g. Java or Javascript) and upload it as a JPG image to the Internet, and then create a hyperlinked URL supposedly pointing to an innocent JPEG. However, clicking on the link to the “JPEG” will instead load the file into the browser and potentially will execute whatever active content the attacker has written. The unsuspecting victim would likely think they are viewing a simple image file, but instead they could load a silent JavaScript program. Details: Inline HTML embedded images DO NOT WORK.. eg. Hyperlinks to “images” will work (note: in order to work the following link must be tested in Internet Explorer): http://www.airscanner.com/security/images/IE_MIME.jpg Workaround: Block all images, disable active scripting, or use a browser that is not vulnerable (e.g., Firefox) Vendor Response Notified, but this security flaw is a “by design” issue, and not strictly a “bug.” Vendor "..may improve this by an update patch to be released in the future or in the next version of the product." Legal: Copyright (c) 2005 Airscanner Corp. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Airscanner Corp. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact Airscanner Corp. for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/