[NT] Internet Explorer/Outlook double null character DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 02/11/04
To: list@securiteam.com
Date: 11 Feb 2004 15:54:11 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Internet Explorer/Outlook double null character DoS
------------------------------------------------------------------------
SUMMARY
For some web servers, two null (%00) characters appended after the host
name cause Internet Explorer or Outlook to consume 100% CPU and freeze.
This issue can be exploited by forcing the user's browser to open a
hostile URL, either by setting up a malicious web site and luring the
user into visiting it or sending a malicious HTML e-mail to a user using
Outlook. Once Internet Explorer or Outlook is frozen, the user must kill
the iexplore.exe or outlook.exe process, respectively, via Task Manager in
order to resume normal IE/Outlook use.
DETAILS
Vulnerable Systems:
* Internet Explorer 6
* Outlook 2002
* Outlook 2003
Mitigating Factors:
1) The issue does not appear when the option "Do not save encrypted pages
to disk" in Internet Options/Advanced is turned on. This option is turned
off by default, however.
2) The user's computer must have routed access to the Internet (as opposed
to access via an HTTP proxy server).
Analysis:
There's probably some flawed assumption in the code responsible for
parsing the requested URL, specifically in parsing the host name, that
leads to a dead loop consuming 100% CPU. This issue, however, does not
seem to occur with all host names. Furthermore, we discovered that the
sensitivity to the double-null suffix obviously depends on the "Do not save
encrypted pages to disk" option being turned off (which is the default).
As far as Outlook is concerned, its susceptibility to this issue is not
surprising, as Outlook is using Internet Explorer's browser object for
rendering HTML e-mail. Outlook 2003 by default prevents remote HTML images
from being displayed for privacy reasons, which effectively prevents an
e-mail borne attack unless the sender is listed in the "safe senders" list.
Our tests have shown that the computer under attack must be connected to
the Internet (directly, not via an HTTP proxy) in order for this issue to
occur.
Finally, once IE or Outlook is frozen, Windows Explorer often freezes as
well, possibly due to calling the same piece of code that is caught in an
endless loop.
Solution:
An official patch, MS04-004, was released, which fixes this issue. Affected
users can install it via Windows Update or by downloading it from:
http://www.microsoft.com/technet/security/bulletin/ms04-004.asp
Workaround:
Users with routed Internet access who can't install the official patch can
turn on the "Do not save encrypted pages to disk" option in Internet
Explorer to neutralize this vulnerability.
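
Where the patch cannot be installed yet, HTML mail and pages can also be screened at a gateway for the URL pattern described in the summary. The Python sketch below is an added example, not part of the ACROS or SecuriTeam advisory; it flags any URL-bearing attribute whose host component contains a NUL (broader than the double-null case), and the sample HTML and `example.invalid` hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make an HTML renderer fetch or navigate to a URL.
URL_ATTRS = {"href", "src", "background", "action"}
# Percent-encoded or raw NUL; a legitimate host name never contains one.
NUL = re.compile(r"%00|\x00")


def host_has_nul(url):
    """Return True if the authority (host) part of url contains a NUL."""
    try:
        netloc = urlsplit(url.strip()).netloc
    except ValueError:  # unparseable authority: treat as suspicious
        return True
    return bool(NUL.search(netloc))


class NulHostScanner(HTMLParser):
    """Collect (tag, attribute, url) for every URL whose host carries a NUL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and host_has_nul(value):
                self.findings.append((tag, name, value))


def scan_html(body):
    scanner = NulHostScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample: two flagged URLs and one benign URL (NUL in the query only).
SAMPLE_HTML = """<html><body>
<img src="http://cdn.example.invalid%00%00/logo.gif">
<a href="http://www.example.invalid/help?x=%00%00">help</a>
<a href="HTTP://portal.example.invalid%00%00">portal</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in scan_html(SAMPLE_HTML):
        print(f"flagged <{tag} {attr}>: {url!r}")
```

Only the host component is inspected, so a NUL that appears solely in a path or query string is not reported by this check.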
Vendor Communication:
January 21, 2004: vendor notified about the issue
February 2, 2004: patch MS04-004 released
February 3, 2004: vendor confirmed the issue
February 9, 2004: vendor confirmed the solution
February 9, 2004: vendor reviewed the public report
ADDITIONAL INFORMATION
The information has been provided by ACROS Security (lists@acros.si).
The original article can be found at:
http://www.acrossecurity.com/aspr/ASPR-2004-01-20-1-PUB.txt