[NT] Buffer Overflow in Microsoft Internet Explorer

From: support@securiteam.com
Date: 02/27/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 27 Feb 2002 06:42:10 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Buffer Overflow in Microsoft Internet Explorer
------------------------------------------------------------------------

SUMMARY

Microsoft Internet Explorer contains a buffer overflow vulnerability in
its handling of embedded objects in HTML documents. This vulnerability
allows an attacker to execute arbitrary code on the victim's system when
the target visits a web page or views an HTML email message.

DETAILS

Systems affected:
 * Microsoft Internet Explorer
 * Microsoft Outlook and Outlook Express
 * Other applications that use the Internet Explorer HTML rendering
engine

Internet Explorer supports the <EMBED> directive, which can be used to
include arbitrary objects in HTML documents. Common types of embedded
objects include multimedia files, Java applets, and ActiveX controls. The
SRC attribute specifies the source path and filename of an object. For
example, a MIDI sound might be embedded in a web page with the following
HTML code:

<EMBED TYPE="audio/midi" SRC="/path/sound.mid" AUTOSTART="true">
Internet Explorer uses attributes of the <EMBED> directive and MIME
information from the web server to determine how to handle an embedded
object. In most cases, a separate application or plugin is used.

A group of Russian researchers, SECURITY.NNOV, has reported that Internet
Explorer does not properly handle the SRC attribute of the <EMBED>
directive. An HTML document, such as a web page or HTML email message,
that contains a crafted SRC attribute can trigger a buffer overflow,
executing code with the privileges of the user viewing the document.

According to the Severity Rating for the "Buffer Overrun in HTML
Directive" vulnerability in MS02-005, Internet Explorer 5.5 and 6.0 are
vulnerable. Outlook and Outlook Express are also vulnerable, since they
use Internet Explorer to render HTML email messages. Other applications
that use the Internet Explorer HTML rendering engine, such as Windows
compiled HTML help (.chm) files and third-party email clients, may also be
vulnerable.

The CERT/CC is tracking this vulnerability as VU#932283, which corresponds
directly to the "buffer overrun" vulnerability described in Microsoft
Security Bulletin MS02-005. This vulnerability has been assigned the CVE
identifier CAN-2002-0022.

Impact:
By convincing a user to view a malicious HTML document, an attacker can
cause the Internet Explorer HTML rendering engine to execute arbitrary
code with the privileges of the user who viewed the HTML document. This
vulnerability could be exploited to distribute viruses, worms, or other
malicious code.

Solution:
Apply a patch
Microsoft has released a cumulative patch for Internet Explorer that
corrects this vulnerability and several others. For more information about
the patch and the vulnerabilities, please see Microsoft Security Bulletin
MS02-005:
 <http://www.microsoft.com/technet/security/bulletin/MS02-005.asp>
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp

Disable ActiveX Controls and Plugins
In Internet Explorer, plugins may be used to view, play, or otherwise
process embedded objects. The execution of embedded objects is controlled
by the "Run ActiveX Controls and Plugins" security option. Disabling this
option will prevent embedded objects from being processed, and will
therefore prevent exploitation of this vulnerability.

According to MS02-005:
The vulnerability could not be exploited if the "Run ActiveX Controls and
Plugins" security option were disabled in the Security Zone in which the
page was rendered. This is the default condition in the Restricted Sites
Zone, and can be disabled manually in any other Zone.

At a minimum, disable the "Run ActiveX Controls and Plugins" security
option in the Internet Zone and the zone used by Outlook or Outlook
Express. The "Run ActiveX Controls and Plugins" security option is
disabled in the "High" zone security setting. Instructions for configuring
the Internet Zone to use the "High" zone security setting can be found in
the CERT/CC Malicious Web Scripts FAQ:
 <http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps>
http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps
 
Apply the Outlook Email Security Update
Another way to effectively disable the processing of ActiveX controls and
plugins in Outlook is to install the Outlook Email Security Update. The
update configures Outlook to open email messages in the Restricted Sites
Zone, where the "Run ActiveX Controls and Plugins" security option is
disabled by default. In addition, the update provides further protection
against malicious code that attempts to propagate via Outlook.

Outlook 2002 and Outlook Express 6
The functionality of the Outlook Email Security Update is included in
Outlook 2002 and Outlook Express 6.
Outlook 2000
 <http://office.microsoft.com/downloads/2000/Out2ksec.aspx>
http://office.microsoft.com/downloads/2000/Out2ksec.aspx
Outlook 98
 <http://office.microsoft.com/downloads/9798/Out98sec.aspx>
http://office.microsoft.com/downloads/9798/Out98sec.aspx

Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory
as collected by CERT. If a particular vendor is not listed below, CERT has
not received their comments.

Microsoft
Microsoft has released a Security Bulletin and a Knowledge Base Article
addressing this vulnerability:

Security Bulletin MS02-005
 <http://www.microsoft.com/technet/security/bulletin/MS02-005.asp>
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
Knowledge Base Article Q317731
 <http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731>
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731

Cyrusoft
Our email client Mulberry does not use the core HTML rendering engine
library for its HTML display, and so is not affected by the bug in that
library. Having looked at the details of this alert I can also confirm
that our own HTML rendering engine is not affected by this, as it ignores
the relevant tags.

ADDITIONAL INFORMATION

References
 <http://www.kb.cert.org/vuls/id/932283>
http://www.kb.cert.org/vuls/id/932283
 <http://www.security.nnov.ru/advisories/mshtml.asp>
http://www.security.nnov.ru/advisories/mshtml.asp
 <http://www.microsoft.com/technet/security/bulletin/MS02-005.asp>
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
 <http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731>
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731
 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0022>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0022
 
<http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/embed.asp> http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/embed.asp
 <http://developer.netscape.com/docs/manuals/htmlguid/tags14.htm#1286379>
http://developer.netscape.com/docs/manuals/htmlguid/tags14.htm#1286379

The information has been provided by <mailto:cert-advisory@cert.org> CERT
Advisory.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages