[NEWS] Unchecked Buffer in Internet Explorer and Office for Mac Can Cause Code to Execute

From: support@securiteam.com
Date: 04/17/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 17 Apr 2002 12:02:32 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Unchecked Buffer in Internet Explorer and Office for Mac Can Cause Code to Execute
------------------------------------------------------------------------

SUMMARY

This is a cumulative patch that, when applied, eliminates all previously
released security vulnerabilities affecting IE 5.1 for Macintosh, and
Office v. X for Macintosh. In addition, it eliminates two newly discovered
vulnerabilities.

 * The first is a buffer overrun vulnerability associated with the
handling of a particular HTML element. Because Office applications also
support HTML, this flaw affects both IE and Office for Macintosh. An
attacker can exploit it by supplying specially formed HTML to IE, or, via
Office's HTML support, to the affected Office applications. A successful
attack would either cause the program to fail or cause code of the
attacker's choice to run as if it were the user.

 * The second is a vulnerability that can allow local AppleScripts to be
invoked by a web page. This vulnerability can allow locally stored
AppleScripts to be invoked automatically without first calling the Helper
application. The AppleScripts would run as if they had been launched by
the user, and could take the same actions as any AppleScript legitimately
launched by the user. The AppleScript would have to already be present on
the system; there is no way for an attacker to deliver an AppleScript of
her choosing through this vulnerability.

DETAILS

Affected Software:
 * Microsoft Internet Explorer 5.1 for Macintosh OS X
 * Microsoft Internet Explorer 5.1 for Macintosh OS 8 & 9
 * Microsoft Outlook Express 5.0-5.0.3 for Macintosh
 * Microsoft Entourage v. X for Macintosh
 * Microsoft Entourage 2001 for Macintosh
 * Microsoft PowerPoint v. X for Macintosh
 * Microsoft PowerPoint 2001 for Macintosh
 * Microsoft PowerPoint 98 for Macintosh
 * Microsoft Excel v. X for Macintosh
 * Microsoft Excel 2001 for Macintosh

Mitigating factors:
Unchecked Buffer in HTML Element:
 * Successfully exploiting this issue through Office files requires that
a user accept files from an unknown or untrusted source. Users should
never accept files from unknown or untrusted sources; accepting files only
from trusted sources can prevent attempts to exploit this issue.
 * A successful attack using HTML email would require specific knowledge
of the user's mail client and cannot be mounted against PC users.
 * A successful attack using an HTML web page would require the attacker
to lure the user into visiting a site under her control. Users who
exercise caution in their browsing habits can potentially protect
themselves from attempts to exploit this vulnerability.
 * On operating systems that enforce security on per-user basis, such as
Mac OS X, the specific actions that an attacker's code can take would be
limited to those allowed by the privileges of the user's account.

Local AppleScript Invocation:
 * The vulnerability only affects IE on Mac OS 8 & 9.
 * A successful attack requires that the attacker know the full path and
file name of any AppleScript they want to invoke.
 * The vulnerability provides no means to deliver an AppleScript of the
attacker's construction: it can only invoke AppleScripts already present
on the user's system.

Patch availability:
Download locations for this patch
 * Microsoft IE 5.1 for Mac OSX: Users must use the Software Update
feature of Mac OS X v10.1 to install the "Internet Explorer 5.1 Security
Update".
More information on Software Update is available at:
http://www.apple.com/macosx/upgrade/softwareupdates.html

 * All other products:
http://www.microsoft.com/mac/download

 * Microsoft PowerPoint 98 for Macintosh:
Patch is under development and will be available shortly. When this
happens, we will re-release this bulletin with information on how to
obtain and install these patches.

What vulnerabilities are eliminated by this patch?
This is a cumulative patch that, when applied, eliminates all known
security vulnerabilities affecting IE 5.1, Office v. X, 2001 and 98 for
Macintosh. In addition to eliminating all previously patched
vulnerabilities, it addresses two new ones:
 * A vulnerability that could allow an attacker to run code on the user's
system as if she were the user.
 * A vulnerability that could allow an attacker to invoke an AppleScript
stored on the user's machine if she knew the exact name and location of
the script.

Unchecked Buffer in HTML Element
What is the scope of the first vulnerability?
This is a buffer overflow vulnerability. By creating a specially formed
web page and posting it on a web site or sending it to a user as HTML
email, it is possible for an attacker to exploit the vulnerability and
cause code to run as if it were run by the user himself. In addition, it
is possible to exploit this particular vulnerability by including the
malformed web page in some Mac Office data files. This code could take any
action that the user himself is capable of, including adding, changing, or
deleting data or configuration information.

In the case of Mac OS X, the specific actions that an attacker's program
could take would be limited by the security on the user's account. Users
whose accounts adhere to least privilege could limit the damage that a
successful attack could accomplish. In the case of Mac Office files, there
is no way to exploit this vulnerability without the user first knowingly
accepting files from an unknown or untrusted source and then choosing to
open them.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the code that
handles the processing of a certain HTML element. If an attacker were to
build a web page that invokes this element in a particular manner, she
could overrun the buffer and cause code of her choice to run on the user's
system.

What are HTML Elements?
Hypertext Markup Language, or HTML, is the underlying language that lets
web browsers display web pages. In its most basic form, a web page is
simply a collection of text that is displayed in the web browser. To
provide for a richer and fuller experience, HTML provides the ability to
display more than unformatted text. This is accomplished using commands,
or elements, that give the browser instructions on how to handle the
information that is being passed to it.

For example, suppose you wanted to give a web page a title. You would use
the specific HTML element that calls out the title. In the raw HTML, the
actual title would be demarcated by the element's opening and closing
tags and look like this:

<TITLE>Page title goes here</TITLE>

The tags tell the browser where the element begins and ends, so that it
can process the element correctly.

Different elements provide many different functions. They do all, though,
have the same structure in common: they are all demarcated with the
element name within angle brackets, so that the browser can correctly
identify that something is an element, determine which element it is for
proper handling, and see where it ends.

How are HTML elements handled?
Since there are many different HTML elements, there are different
programmatic routines to handle each particular element properly. The
browser will evaluate each particular element as it is received and based
on the initial tag pass the information that follows to the correct
handler for processing. It will continue doing this until it detects a
closing tag. At this point, it will no longer send the information to the
handler.

Using the example above, when the browser reads the opening <TITLE> tag it
passes the text that follows to the title handler. When the closing
</TITLE> tag is received, the browser stops passing information to the
title handler.

What is wrong with how the particular HTML element is handled?
There is a flaw in the handler routines for a particular HTML element.
Specifically, the data received is not properly validated against the
available input buffer.
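The dispatch-to-handler model described above, with the unchecked-buffer
defect the bulletin describes placed beside a bounds-checked handler, as an
added illustration in C. This is example code written for this page, not
Microsoft's IE or Office code, and it is not the actual vulnerable element
(which the bulletin does not name): it uses the bulletin's own TITLE element
as the example, a deliberately small 32-byte buffer so the overrun is easy to
see, and sample pages constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Deliberately small fixed-size buffer so the overrun is easy to reason
   about. The real element and buffer size in IE/Office for Mac are not
   disclosed in the bulletin; this is an assumption for illustration. */
#define TITLE_BUF 32

/* Minimal "dispatch" step: locate the body of the <title> element, i.e. the
   bytes between the opening tag and the closing tag. Returns a pointer to
   the body and stores its length in *len, or NULL if the element is absent
   or unterminated. */
static const char *find_title_body(const char *html, size_t *len)
{
    const char *open = strstr(html, "<title>");
    if (open == NULL)
        return NULL;
    open += strlen("<title>");
    const char *close = strstr(open, "</title>");
    if (close == NULL)
        return NULL;
    *len = (size_t)(close - open);
    return open;
}

/* VULNERABLE handler: the element body is copied into a fixed stack buffer
   without validating its length against that buffer, which is the class of
   defect the bulletin describes. A body of TITLE_BUF bytes or more writes
   past the end of buf. Returns 0 on success, -1 if no <title> is present. */
int title_handler_unchecked(const char *html, char *out, size_t outsz)
{
    char buf[TITLE_BUF];
    size_t len = 0;
    const char *body = find_title_body(html, &len);
    if (body == NULL)
        return -1;
    memcpy(buf, body, len);      /* no bound: stack overrun when len >= TITLE_BUF */
    buf[len] = '\0';
    snprintf(out, outsz, "%s", buf);
    return 0;
}

/* FIXED handler: validate the received length against the available buffer
   before copying, which is what "proper input validation" amounts to here.
   Returns 0 on success, -1 if no <title> is present, -2 if the body does
   not fit (rejecting is the safe default; truncating is also acceptable). */
int title_handler_checked(const char *html, char *out, size_t outsz)
{
    char buf[TITLE_BUF];
    size_t len = 0;
    const char *body = find_title_body(html, &len);
    if (body == NULL)
        return -1;
    if (len >= sizeof buf)       /* keep one byte for the terminator */
        return -2;
    memcpy(buf, body, len);
    buf[len] = '\0';
    snprintf(out, outsz, "%s", buf);
    return 0;
}

/* Build a constructed sample page whose <title> body is `fill` bytes of
   'A', standing in for an attacker's oversized element. Returns the page
   length, or -1 if dst cannot hold it. */
int build_title_page(char *dst, size_t dstsz, size_t fill)
{
    const char *head = "<html><head><title>";
    const char *tail = "</title></head></html>";
    size_t need = strlen(head) + fill + strlen(tail) + 1;
    if (need > dstsz)
        return -1;
    char *p = dst;
    memcpy(p, head, strlen(head));
    p += strlen(head);
    memset(p, 'A', fill);
    p += fill;
    memcpy(p, tail, strlen(tail) + 1);   /* copies the terminating NUL too */
    return (int)(need - 1);
}

int main(void)
{
    char page[512];
    char out[64];

    /* Benign page: both handlers produce the same result. */
    build_title_page(page, sizeof page, 5);
    title_handler_checked(page, out, sizeof out);
    printf("checked,   5-byte title: title=%s\n", out);

    /* Oversized page: the checked handler refuses it. The unchecked handler
       would overrun buf on this input, so it is deliberately not called. */
    build_title_page(page, sizeof page, 200);
    printf("checked, 200-byte title: rc=%d\n",
           title_handler_checked(page, out, sizeof out));
    return 0;
}
```

The point of the pair is that the only difference between the two handlers is
the single length comparison before the copy; everything else, including the
tag scanning, is identical, which is why a handler for one element can be
wrong while the rest of the parser is fine.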

Why does this flaw affect Office as well as IE for Macintosh?
Office for Macintosh provides support for web pages within several of its
constituent applications, and the same flawed handling of the HTML element
in question is present in those applications as well.

Is this the same flaw as the Buffer Overrun in HTML Directive?
No. While this is similar to the issue that was addressed in MS02-005
(http://www.microsoft.com/technet/security/bulletin/MS02-005.asp), it is
a different flaw.

What could this vulnerability enable an attacker to do?
An attacker could use this vulnerability to attempt to modify the program
as it was running. This means that an attacker could seek to make her own
program run on the system as if the user had chosen to start it.

This means that the attacker's code could take any action that the user
himself was capable of, including adding, changing, or deleting data or
configuration information. For instance, the attacker could attempt to
change the security settings on the system or attempt to delete a file of
her choosing on the user's system.

It is important to note that on operating systems that enforce security on
a per-user basis, such as Mac OS X, the user's capability to act on the
system may be limited, based on the specific configuration of his account.
If the user's account had few privileges, the attacker's code may be
limited in the actions that it could take. Alternately, if the user were
running as an administrator or other highly privileged account, the
attacker could take complete control of the system.

How could an attacker exploit this vulnerability?
An attacker would need to create a web page that invoked the HTML element
in question in a particular way. The user would then have to open or view
this web page in one of two ways:

 * By viewing it in IE by browsing to a site where she had posted the web
page. When the page had loaded in IE, it would attempt to exploit the
vulnerability.
 * By viewing it in Outlook Express or Entourage by opening the web page
as an HTML email. When the message had opened by the user or rendered in
the preview pane, it would attempt to exploit the vulnerability.

How great a risk does the web-borne scenario pose?
For the web-borne scenario to succeed, the attacker would have to entice
the user to visit the page she had posted. A user who exercises caution in
his choice of web sites could potentially protect himself from this
attempt to exploit the vulnerability by not visiting the attacker's
malicious page.

How great a risk does the email-borne scenario pose?
The email-borne scenario has the advantage that the attacker can send the
page directly to the user. Additionally, it could be used to attack
multiple users through a mass-mailing attack. However, this attack does
require knowing the particular mail client that the intended victim is
using, which can mitigate the threat.

You said that this flaw affects Office for Macintosh as well. How would an
attacker seek to exploit this flaw using Office?
For an attack to succeed using this method, a user would have to accept a
file from a malicious or unknown source. When the user opened the file, it
would attempt to exploit the flaw.

However, because users should never accept files from unknown or untrusted
sources, this does not qualify as a security vulnerability. By
exercising proper caution based on the trustworthiness of the source of a
file, a user can protect himself from this scenario.

In the best interests of customers, however, we are making a fix available
now so that they can address this issue in conjunction with the IE
vulnerability.

How does the patch eliminate this vulnerability?
The patch eliminates this vulnerability by implementing proper input
validation on the HTML element in question.

I'm running IE for Mac OS X, how do I eliminate this vulnerability?
If you are running IE for Mac OS X, you can eliminate this vulnerability
by using the Software Update feature of Mac OS X v. 10.1 to install the
"Internet Explorer 5.1 Security Update".

I am running an affected product other than IE for Mac OS X, what should I
do?
If you are running any of the other affected products, you should apply
the patches available for download as specified in the "Download Locations
for this Patch" section of the bulletin.

Does this vulnerability affect IE for Windows?
No. This vulnerability does not affect IE for Windows.

Does this flaw affect Office for Windows?
No. This flaw does not affect Office for Windows.

Local Applescript Invocation
What is the scope of the second vulnerability?
This vulnerability could allow an attacker to invoke an AppleScript
already present on the user's machine. The attacker could seek to exploit
this vulnerability by constructing a web page that references an
AppleScript file already present on the user's local machine. When the web
page was viewed in a browser, the script would execute as if the user had
chosen to run the script himself.

The vulnerability only affects IE on Mac OS 8 & 9; it does not affect IE
on Mac OS X. In addition, while there are many well-known AppleScripts, a
full path on Mac OS 8 & 9 begins with the volume name, and because the
system hard drive can be easily renamed, it is possible to mitigate the
threat this poses by giving the hard drive a non-default name that an
attacker cannot guess.

What causes the vulnerability?
The vulnerability results because of incorrect handling of AppleScripts
within a specific HTML element in IE for Macintosh. It is possible to
invoke local AppleScripts using this HTML element and bypass the built-in
security checks governing the execution of local programs.

What is AppleScript?
AppleScript is a system level scripting language that makes it easy for
users to automate common or simple tasks in the operating system,
individual applications, or across applications. A number of standard
AppleScripts ship with Mac OS 8 & 9 to handle common tasks such as
shutting down the system, putting the system to sleep, and closing
windows.

What is wrong with how AppleScript is handled in IE for Macintosh?
There is a flaw in how AppleScripts are handled when called by a
particular HTML element in IE for Macintosh. IE fails to correctly
recognize that a script resource on the local system is being called.
Because of this it treats the script as if it were a script element to be
handled within the browser, bypassing the stricter security governing
resources outside of the browser.

Is this the same flaw as the Local Executable Invocation via Object tag?
No. While this is similar to the issue that was addressed in MS02-015
(http://www.microsoft.com/technet/security/bulletin/MS02-015.asp), it is
a different flaw.

What could this enable an attacker to do?
An attacker could seek to exploit this vulnerability to invoke an
AppleScript that is already present on the local system. The AppleScript
would run as if the user himself had chosen to run it directly. For
example, an attacker could call "Put Computer To Sleep" and cause the
system to go to sleep.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by constructing a web
page that calls an AppleScript with the specific HTML element. She would
then post it on a web site under her control and have to entice the user
to view the page in IE for Macintosh.

For the attack to succeed, the attacker would have to know the full path
and filename of an AppleScript already present on the user's local system.

What kinds of AppleScripts are present on the typical system by default?
By default, there are a number of AppleScripts called "speakable items"
present on the system. These scripts can be used for system configuration
and maintenance. Examples of typical speakable items include scripts to
change the screen resolution, close a single window on the desktop, close
multiple windows on the desktop, or restart the computer.

Can an attacker use this vulnerability to load an AppleScript on my
machine?
No. The vulnerability does not give an attacker any means to deliver an
AppleScript of her choosing to the user.

Can a program or script other than AppleScripts be invoked?
No. The flaw affects only the handling of AppleScripts.

What does the patch do?
The patch eliminates the vulnerability by instituting proper handling of
AppleScripts that are stored on the user's local system.

I am running IE for Macintosh on Mac OS X, am I affected by this
vulnerability?
No. This vulnerability only affects IE for Macintosh on OS 8 & 9.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:0_29385_E51E4D7D-DECD-43AE-9A29-36080E8D4C3C_US@Newsletters.Microsoft.com> Microsoft Product Security.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.