====================================================================== Secunia Research 13/12/2005 Microsoft Internet Explorer Keyboard Shortcut Processing Vulnerability ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Description of Vulnerability.........................................3 Solution.............................................................4 Time Table...........................................................5 Credits..............................................................6 References...........................................................7 About Secunia........................................................8 Verification.........................................................9 ====================================================================== 1) Affected Software Microsoft Internet Explorer 6.0 Other versions may also be affected. ====================================================================== 2) Severity Rating: Highly critical Impact: System access and security bypass Where: From remote ====================================================================== 3) Description of Vulnerability Secunia Research has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to trick users into executing malicious files. The vulnerability is caused due to a design error in the processing of keyboard shortcuts for certain security dialogs. This can e.g. be exploited to delay the file download dialog and trick users into executing a malicious ".bat" file after pressing the "r" key. A successful attack may be outlined as: 1. Detect that the user is typing on the keyboard. 2. Redirect to a malicious ".bat" file. 3. In a new thread, force the browser to consume a large amount of CPU resources via a simple loop statement. This causes the upcoming file download dialog to be delayed. 4. The user eventually presses the "r" key which is a keyboard shortcut for opening the downloaded file. The download dialog has not yet been shown for the user when this event occurs. 5. The loop statement stops causing the download dialog to be visible and the keyboard shortcut event is processed. 6. The malicious ".bat" file is launched. The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected. ====================================================================== 4) Solution Apply patches. Please see MS05-054 (KB905915): http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx ====================================================================== 5) Time Table 21/05/2005 - Vulnerability discovered. 24/05/2005 - Vendor notified. 20/06/2005 - Vendor confirms the vulnerability. 13/12/2005 - Vendor issues patch. 13/12/2005 - Public disclosure. ====================================================================== 6) Credits Discovered by Andreas Sandblad, Secunia Research. ====================================================================== 7) References The Common Vulnerabilities and Exposures (CVE) project has assigned candidate number CAN-2005-2829 for the vulnerability. ====================================================================== 8) About Secunia Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia web site: http://secunia.com/ Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration. Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/ ====================================================================== 9) Verification Please verify this advisory by visiting the Secunia web site: http://secunia.com/secunia_research/2005-7/advisory/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ====================================================================== _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/