[NT] Cumulative Patch for Internet Explorer (MS03-004)
From: support@securiteam.com
Date: 02/06/03
From: support@securiteam.com
To: list@securiteam.com
Date: 6 Feb 2003 21:10:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Cumulative Patch for Internet Explorer (MS03-004)
------------------------------------------------------------------------
SUMMARY
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and 6.0. In addition, it
eliminates two newly discovered vulnerabilities involving Internet
Explorer's cross-domain security model, which keeps windows of different
domains from sharing information. These flaws exist because incomplete
security checking causes Internet Explorer to allow one web site to
potentially access information from another domain when certain dialog
boxes are used.
In order to exploit this flaw, an attacker would have to host a malicious
web site that contained a web page designed to exploit this particular
vulnerability and then persuade a user to visit that site. Once the user
has visited the malicious web site, it would be possible for the attacker
to run malicious script by misusing a dialog box and cause that script to
access information in a different domain. In the worst case, this could
enable the web site operator to load malicious code onto a user's system.
In addition, this flaw could also enable an attacker to invoke an
executable that was already present on the local system.
A related cross-domain vulnerability allows Internet Explorer's showHelp()
functionality to execute without proper security checking. showHelp() is
one of the help methods used to display an HTML page containing help
content. showHelp() allows more types of pluggable protocols than
necessary, and this could potentially allow an attacker to access user
information, invoke executables already present on a user's local system
or load malicious code onto a user's local system.
The requirements to exploit this vulnerability are the same as for the
issue described above: an attacker would have to host and lure a user to a
malicious web site. In this scenario, the attacker could open a showHelp
window to a known local file on the visiting user's local system and gain
access to information from that file by sending a specially crafted URL to
a second showHelp window. The attacker could also potentially access user
information or run code of attacker's choice.
This cumulative patch will cause window.showHelp( ) to cease to function.
When the latest HTML Help update - which is being released via Windows
Update with this patch - is installed, window.showHelp( ) will function
again, but with some limitations (see the caveats section later in this
bulletin). This has been necessary in order to block the attack vector
that might allow a web site operator to invoke an executable that was
already present on a user's local system.
DETAILS
Affected Software:
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
Mitigating factors:
* The attacker would have to host a web site that contained a web page
used to exploit either of these cross-domain vulnerabilities.
* The attacker would have no way to force users to visit the site.
Instead, the attacker would need to lure them there, typically by getting
them to click on a link that would take them to the attacker's site.
* By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the
Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in
the Restricted Sites Zone if the Outlook Email Security Update has been
installed. Customers who use any of these products would be at no risk
from an e-mail borne attack that attempted to exploit this vulnerability
unless the user clicked a malicious link in the email.
* Internet Explorer 5.01 users are not affected by the first
vulnerability.
Patch availability:
Download locations for this patch
* http://www.microsoft.com/windows/ie/downloads/critical/810847/default.asp
What's the scope of the first vulnerability?
A flaw in Internet Explorer could allow a malicious web site operator to
access information in another internet domain, or on the user's local
system by injecting specially crafted code when certain dialog boxes were
presented to the user. In the worst case, this vulnerability could allow
an attacker to load a malicious executable onto the system and execute it.
The attacker would have no way to force a user to a malicious web site. By
default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the
Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in
the Restricted Sites Zone if the Outlook Email Security Update has been
installed. Customers who use any of these products would be at no risk
from an e-mail borne attack that attempted to automatically take a user to
a malicious web site and exploit this vulnerability.
What causes the vulnerability?
The vulnerability results because it is possible when using dialog boxes
to bypass the cross-domain security model that Internet Explorer
implements.
What is meant by "Internet Explorer's cross-domain security model"?
One of the principal security functions of a browser is to ensure that
browser windows that are under the control of different web sites cannot
interfere with each other or access each other's data, while still
allowing windows from the same site to interact with each other. To
differentiate between cooperative and uncooperative browser windows, the
concept of a "domain" has been created. A domain is a security boundary -
any open windows within the same domain can interact with each other, but
windows from different domains cannot. The "cross-domain security model"
is the part of the security architecture that keeps windows from different
domains from interfering with each other.
The simplest example of a domain is associated with web sites. If you
visit www.microsoft.com, and it opens a window to
http://www.microsoft.com/security, the two windows can interact with each
other because both belong to the same domain,
www.microsoft.com. However, if you visited www.microsoft.com, and it
opened a window to a different web site, the cross-domain security model
would protect the two windows from each other. The concept goes even
further. The file system on your local computer, for instance, is also a
domain. So, for instance, www.microsoft.com could open a window and show
you a file on your hard drive. However, because your local file system is
in a different domain from the web site, the cross-domain security model
should prevent the web site from reading the file that is being displayed.
The Internet Explorer domain security model can be configured using the
Internet Security Zones settings in Internet Explorer.
What are Internet Explorer security zones?
Internet Explorer Security Zones are a system that divides online content
into categories or zones based on its trustworthiness. Specific web
domains can be assigned to a zone, depending on how much trust is placed
in the content of each domain. The zone then restricts the capabilities of
the web content, based on the zone's settings.
By default, most Internet domains are treated as part of the Internet
zone, which has settings that prevent scripts and other active code from
accessing resources on the local system. Conversely, the Local Computer
zone is a much less restricted zone that allows content to access and
manipulate content on the local system. By default, files stored on the
local computer are run in the Local Computer zone.
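The two decisions described above (same domain or not, and which zone each side lives in) can be written down as a small policy function. The following is an added example, not code from the bulletin or from Microsoft: it models the cross-domain check with the WHATWG URL parser, treats the local file system as its own zone, and uses the bulletin's own www.microsoft.com illustration as input. The zone names, the dotless-host intranet heuristic, and the local file path are assumptions made for illustration, not Internet Explorer's actual zone tables.

```javascript
// Added example, not code from the bulletin or from Microsoft: a minimal
// model of the cross-domain decision. Two windows may share data only when
// their URLs have the same origin (scheme, host, port). The local file system
// is a separate zone: a web page may display a local file but must not read
// it. Zone names and the intranet heuristic are assumptions for illustration.

function originOf(urlString) {
  const u = new URL(urlString);
  // file: URLs carry no host; give them one distinct origin tag.
  if (u.protocol === "file:") return "file://";
  // u.host already includes a non-default port (e.g. "host:8080").
  return `${u.protocol}//${u.host}`;
}

function zoneOf(urlString) {
  const u = new URL(urlString);
  if (u.protocol === "file:") return "Local Computer";
  // Assumption: a dotless host name is treated as an intranet server.
  if (!u.hostname.includes(".")) return "Local Intranet";
  return "Internet";
}

// callerUrl: the page whose script is asking; targetUrl: the window or file
// it wants to read. Returns whether access is allowed and why.
function canAccess(callerUrl, targetUrl) {
  const callerZone = zoneOf(callerUrl);
  const targetZone = zoneOf(targetUrl);
  // Content from a web zone must never reach into the Local Computer zone,
  // even though it may open a window that displays a local file.
  if (targetZone === "Local Computer" && callerZone !== "Local Computer") {
    return { allowed: false, reason: `cross-zone (${callerZone} -> ${targetZone})` };
  }
  const callerOrigin = originOf(callerUrl);
  const targetOrigin = originOf(targetUrl);
  if (callerOrigin !== targetOrigin) {
    return { allowed: false, reason: `cross-domain (${callerOrigin} -> ${targetOrigin})` };
  }
  return { allowed: true, reason: `same domain (${callerOrigin})` };
}

// Constructed cases: the bulletin's two www.microsoft.com examples plus the
// local-file case it describes. The file path is a placeholder.
const cases = [
  ["http://www.microsoft.com/", "http://www.microsoft.com/security"],
  ["http://www.microsoft.com/", "http://www.example.org/"],
  ["http://www.microsoft.com/", "file:///C:/placeholder/local.txt"],
  ["file:///C:/placeholder/help.htm", "file:///C:/placeholder/local.txt"],
];
for (const [caller, target] of cases) {
  const r = canAccess(caller, target);
  console.log(`${r.allowed ? "ALLOW" : "DENY "} ${caller} -> ${target}: ${r.reason}`);
}
```

The point of the model is which input the decision is made on: `canAccess` must be given the origin of the page whose script is actually running. The bulletin's first flaw is that this originating-domain check was incomplete when script ran inside a dialog box, so the decision was effectively skipped; the patch makes the check take place.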
You mentioned that dialog boxes are involved. What is a dialog box?
A dialog box is a form that a web site creates to ask the visiting user
for additional information or to display a message.
What's wrong with the way Internet Explorer calculates cross-domain
security?
Internet Explorer evaluates security when one web page requests access to
resources in another security zone. There is a flaw in the way Internet
Explorer checks the originating domain when script runs in a dialog box.
What could this vulnerability enable an attacker to do?
An attacker could use this vulnerability to create a web page that would
allow the attacker to access data across domains. This could include
reading local system files not in use by the user or the operating system,
provided the attacker knew the full path and file name. It could also
include accessing any data that a user chose to share with another web
site. An attacker could also invoke executables on the user's local file
system or load a malicious executable on the user's system. However, the
attack would only be possible against a domain or zone where there was
content that handled dialogue box data in a special manner. Pages like
this exist in the My Computer zone, but may not necessarily exist on a
target web site.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a
malicious web page and then enticing the user to visit this page. When the
user visited the page the attacker could cause a dialogue box to open on
another web site and the attacker could now have the same access to the
second web page that the user had. The attacker could also create a web
page that when viewed by the user, would launch an executable file that
was already on the user's local system. However, this avenue of attack is
mitigated by an update to HTML Help because the change to HTML Help blocks
executing arbitrary commands with arbitrary parameters.
What is the scope of the second vulnerability?
A flaw in Internet Explorer could allow an attacker to use the showHelp
functionality either to read a local file on a user's local system or
potentially to disclose user information. An attacker would have to lure a
user to a malicious web site and the attacker would need either to know
the exact path to the local file or persuade the user to click on a link
at the malicious web site in order to disclose the user's information. An
attacker could also exploit this vulnerability to run local executables
with parameters.
The attacker would have no way to force a user to a malicious web site. By
default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the
Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in
the Restricted Sites Zone if the Outlook Email Security Update has been
installed. Customers who use any of these products would be at no risk
from an e-mail borne attack that attempted to automatically take a user to
a malicious web site and exploit this vulnerability unless the user clicks
on a link in the email.
What causes the vulnerability?
The vulnerability results because it is possible to bypass the
cross-domain security model that Internet Explorer implements when using
showHelp() functionality.
What is showHelp() functionality in Internet Explorer?
A web page developer can show help files in Internet Explorer using a
method called showHelp(). An HTML page of help information would be
generated when a user clicked on this object. The help topic would then be
displayed in the HTML Help application.
What could this vulnerability enable an attacker to do?
An attacker could use this vulnerability in showHelp to create a web page
that would allow the attacker to access data across different domains.
This access could include reading local system files not in use by the
user or the operating system, provided the attacker knew the full path and
file name. It could also include accessing any data that a user chose to
share with another web site.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a
malicious web page and then enticing the user to visit this page. When the
user visited the page the attacker could cause the user to invoke the
showHelp() functionality at which point the web page would instantiate a
help viewer showing a second HTML web page with help information. The
attacker could then have the same access to the second web page that the
user had.
What's wrong with cross-domain security and Internet Explorer's showHelp()
functionality?
Internet Explorer evaluates security when one web page requests access to
resources in another security zone. There is a flaw in the way Internet
Explorer checks the originating domain when a web page uses showHelp()
functionality.
Could an attacker use either of these vulnerabilities to load a program on
my local system from their web site or server?
Yes - However Microsoft has updated the vector by which it could be
possible to run an executable with parameters on a user's computer. The
updated HTML Help control is located at http://windowsupdate.microsoft.com.
Users are strongly encouraged to download and install this update.
What does the patch do?
The patch addresses the vulnerability by ensuring that the correct
cross-domain security checks take place whenever showHelp functionality is
unsafe. Applying the patch, however, will break the HTML Help
functionality because HTML Help was one of the attack vectors. In order to
address this properly, the patch disables this functionality. In order to
restore HTML Help functionality, users who apply this patch are also
encouraged to download the HTML Help update after applying this
cumulative patch.
What is HTML Help shortcut functionality?
When a user browses help files, it is possible for HTML Help to create a
shortcut when a user clicks a specific word, phrase, or graphic in a
topic. While this functionality does not operate as a vulnerability in
itself, when combined with this or other cross domain security
vulnerabilities, this functionality could allow an attacker to run code of
the attacker's choice on a user's system. HTML help has been updated to
reduce the risk from this attack vector and to provide defense in depth.
To learn more about this functionality, please see
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconshortcutov.asp.
If I only apply this patch, will I be protected from this vulnerability?
Yes, you will be protected from the vulnerability affecting the use of
showHelp in Internet Explorer. However, it's important to note this patch
disables showHelp in order to block the attack vector that might allow a
malicious web site operator to launch an executable file already on a
user's local system. In order to restore the full functionality of
showHelp, users must install the latest version of HTML Help.
Will HTML Help functionality change when I download the new version from
Windows Update?
When the latest version of HTML Help is installed, the following
limitations will occur when a help file is opened with the showHelp
method:
* Only supported protocols can be used with showHelp to open a web page
or help (chm) file.
* The shortcut function supported by HTML Help will be disabled when the
help file is opened with showHelp. This change will not affect the shortcut
function if the user opens the same CHM file manually by double-clicking
on it, or by invoking an application on the local system that uses the
HTMLHELP( ) API.
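The two limitations above amount to a policy keyed on how the help file was reached. The following is an added example, not Microsoft's code and not the updated HTML Help's implementation: it resolves the target handed to showHelp against the calling page, enforces a protocol allow-list only on the showHelp path, and keeps shortcuts enabled only for a manually opened CHM or the HTMLHELP( ) API. The allow-list itself is an assumption for illustration (the bulletin does not enumerate the supported protocols), and "ms-its:" stands in for a compiled-help (chm) scheme; the URLs are constructed placeholders.

```javascript
// Added example, not Microsoft's code: a model of the post-update showHelp()
// limitations. ALLOWED_HELP_PROTOCOLS is an assumed list for illustration;
// the bulletin does not say which protocols remain supported.
const ALLOWED_HELP_PROTOCOLS = new Set(["http:", "https:", "ms-its:"]);

// target:  the URL or relative path passed to showHelp
// baseUrl: the calling page, used to resolve relative targets
// via:     "showHelp", "manual" (double-clicked CHM) or "HTMLHELP" (local API)
function openHelpPolicy(target, baseUrl, via) {
  let u;
  try {
    u = new URL(target, baseUrl);
  } catch (e) {
    return { allowed: false, reason: "target is not a valid URL" };
  }
  // Limitation 1: through showHelp, only listed protocols may be opened, so a
  // local file or any other scheme handed to showHelp is refused up front.
  if (via === "showHelp" && !ALLOWED_HELP_PROTOCOLS.has(u.protocol)) {
    return { allowed: false, reason: `protocol ${u.protocol} is not supported by showHelp` };
  }
  // Limitation 2: HTML Help shortcuts stay disabled when the file arrived via
  // showHelp, but remain available for a manually opened CHM or the HTMLHELP API.
  const shortcutsEnabled = via !== "showHelp";
  return { allowed: true, href: u.href, shortcutsEnabled };
}

// Constructed requests (placeholder hosts and paths).
const base = "http://www.example.org/app/";
const requests = [
  ["help/intro.htm", base, "showHelp"],
  ["ms-its:C:/placeholder/app.chm::/intro.htm", base, "showHelp"],
  ["file:///C:/placeholder/local.htm", base, "showHelp"],
  ["file:///C:/placeholder/app.chm", undefined, "manual"],
  ["not a url", undefined, "showHelp"],
];
for (const [target, b, via] of requests) {
  const r = openHelpPolicy(target, b, via);
  console.log(`${via.padEnd(8)} ${target}: ${r.allowed ? "open " + r.href + " (shortcuts " + (r.shortcutsEnabled ? "on" : "off") + ")" : "refused: " + r.reason}`);
}
```

Resolving the target before checking its protocol matters: a relative path inherits the calling page's scheme, while an absolute target keeps its own, so the check always sees the scheme that would actually be opened.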
Where is the updated HTML Help located?
Users can find updated HTML Help on Windows Update.
Does the patch for this vulnerability include the updated HTML Help?
No - Users should download the HTML Help update (811630) separately from
Windows Update.
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security
(0_43313_E51E4D7D-DECD-43AE-9A29-36080E8D4C3C_US@Newsletters.Microsoft.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.