SkellBasher
Yes Sorto, I'll take my Prozac
join:2000-10-22
North Tonawanda, NY
| OT : CERT® Advisory CA-2003-22
Shocking, another vunerability in IE!!!!
»www.cert.org/advisories/CA-2003-22.html
CERT® Advisory CA-2003-22 Multiple Vulnerabilities in Microsoft Internet Explorer
Original issue date: August 26, 2003
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
Microsoft Windows systems running
Internet Explorer 5.01
Internet Explorer 5.50
Internet Explorer 6.01
Previous, unsupported versions of Internet Explorer may also be affected.
Overview
Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code with the privileges of the user running IE.
I. Description
Microsoft Security Bulletin MS03-032 describes five vulnerabilities in Internet Explorer. These vulnerabilities are listed below. More detailed information is available in the individual vulnerability notes. Note that in addition to IE, any applications that use the IE HTML rendering engine to interpret HTML documents may present additional attack vectors for these vulnerabilities.
VU#205148 - Microsoft Internet Explorer does not properly evaluate Content-Type and Content-Disposition headers
A cross-domain scripting vulnerability exists in the way IE evaluates Content-Type and Content-Disposition headers and checks for files in the local browser cache. This vulnerability could allow a remote attacker to execute arbitrary script in a different domain, including the Local Machine Zone.
(Other resources: SNS Advisory No.67, CAN-2003-0531)
VU#865940 - Microsoft Internet Explorer does not properly evaluate "application/hta" MIME type referenced by DATA attribute of OBJECT element
IE will execute an HTML Application (HTA) referenced by the DATA attribute of an OBJECT element if the Content-Type header returned by the web server is set to "application/hta". An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user running IE.
(Other resources: eEye Digital Security Advisory AD20030820, CAN-2003-0532)
VU#548964 - Microsoft Windows BR549.DLL ActiveX control contains vulnerability
The Microsoft Windows BR549.DLL ActiveX control, which provides support for the Windows Reporting Tool, contains an unknown vulnerability. The impact of this vulnerability is not known.
VU#813208 - Internet Explorer does not properly render an input type tag
IE does not properly render an input type tag, allowing a remote attacker to cause a denial of service.
VU#334928 - Microsoft Internet Explorer contains buffer overflow in Type attribute of OBJECT element on double-byte character set systems
Certain versions of IE that support double-byte character sets (DBCS) contain a buffer overflow vulnerability in the Type attribute of the OBJECT element. A remote attacker could execute arbitrary code with the privileges of the user running IE.
(Other resources: SNS Advisory No.68, Microsoft Security Bulletin MS03-020, CAN-2003-0344)
II. Impact
These vulnerabilities have different impacts, ranging from denial of service to execution of arbitrary commands or code. Please see the individual vulnerability notes for specific information. The most serious of these vulnerabilities (VU#865940) could allow a remote attacker to execute arbitrary code with the privileges of the user running IE. The attacker could exploit this vulnerability by convincing the user to access a specially crafted HTML document, such as a web page or HTML email message. No user intervention is required beyond viewing the attacker's HTML document with IE.
III. Solution
Apply a patch
Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-032.
In addition to addressing these vulnerabilities, the patch also changes the behavior of the HTML Help system (see VU#25249):
As with the previous Internet Explorer cumulative patches released with bulletins MS03-004, MS03-015, and MS03-020 this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after applying this patch.
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.
Microsoft
Please see Microsoft Security Bulletin MS03-032.
Appendix B. References
CERT/CC Vulnerability Note VU#205148 -
CERT/CC Vulnerability Note VU#865940 -
CERT/CC Vulnerability Note VU#548964 -
CERT/CC Vulnerability Note VU#813208 -
CERT/CC Vulnerability Note VU#334928 -
CERT/CC Vulnerability Note VU#25249 -
eEye Digital Security Advisory AD20030820 -
SNS Advisory No. 67 -
SNS Advisory No. 68 -
Microsoft Security Bulletin MS03-032 -
Microsoft KB Article 822925 -
--------------------------------------------------------------------------------
Microsoft credits eEye Digital Security, LAC, and KPMG UK for reporting these vulnerabilities. Information from eEye, LAC, and Microsoft was used in this document.
--------------------------------------------------------------------------------
Feedback can be directed to the author, Art Manion.
--------------------------------------------------------------------------------
This document is available from: »www.cert.org/advisories/CA-2003-22.html
--------------------------------------------------------------------------------
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
»www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
»www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
--------------------------------------------------------------------------------
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
--------------------------------------------------------------------------------
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
--
No man, for any considerable period, can wear one face to himself and another to the multitude, without finally getting bewildered as to which may be true. -Hawthorne |
