[SNS Advisory No.48] Microsoft Internet Explorer Still Download And Execute ANY Program Automatically

Date: Thu, 16 May 2002 15:20:37 +0900
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
To: bugtraq@securityfocus.com


----------------------------------------------------------------------
SNS Advisory No.48
Microsoft Internet Explorer Still Download And Execute ANY Program Automatically

Problem first discovered: Wed, 13 Feb 2002
Published: Mon, 18 Mar 2002
Revised: Thu, 16 May 2002
----------------------------------------------------------------------

Overview:
---------
  Microsoft Internet Explorer contains a vulnerability that allows a
  file to be downloaded and automatically executed, under several
  circumstances, without the knowledge of the user. If a malicious
  webmaster creates a website containing malicious content that
  exploits this problem, and a user accesses that content using
  Internet Explorer in specific environments, then arbitrary programs
  specified by the site's administrator will be automatically
  downloaded and executed on the user's system.

Problem Description:
--------------------
  A vulnerability exists in Microsoft Internet Explorer which could
  lead to automatic downloading and execution of a file in several
  environments. This can occur when a user views content whose HTTP
  response includes headers such as the following:

  Content-Type: audio/x-ms-wma
  Content-disposition: inline; filename="foo.exe"
  
  It is important to note that the above-mentioned description is just
  an example and that this vulnerability has been confirmed exploitable
  using other Content-Type: headers, such as Content-Type: audio/midi.

  This vulnerability affects the following environments: (our previous
  advisory stated that only IE 6 was affected by this vulnerability,
  however, it has been confirmed through further investigation that
  IE 5.01 SP2 is also vulnerable to this issue)

  (1) Windows NT 4.0 Workstation + SP6a
      + IE 6 + all available fixes [Japanese version]
 
  (2) Windows NT 4.0 Workstation + SP6a + Windows Media Player 6.4
      + IE 6 + all available fixes [Japanese version]
   
  (3) Windows 2000 Professional + SP2 + SRP1 + Windows Media Player 6.4
      + IE 6 + all available fixes [Japanese version]

  (4) Windows 2000 Professional + SP2 + SRP1 + Windows Media Player 6.4
      + IE 5.01 SP2 + all available fixes [Japanese version]

  (5) Windows 98 + Windows 98 System Update + Windows Media Player 6.4
      + IE 6 + all available fixes [Japanese version]

  (6) Windows 2000 Professional + SP2 + SRP1 + Windows Media Player 7.1
      + IE 6 + Office 2000 SR-1 + all available fixes [Japanese version]

  Note: Windows Media Player 6.4 is installed by default on Windows 2000
  and Windows 98.

Solution:
---------
  This problem can be eliminated by applying a patch based on the
  information provided by Microsoft Security Bulletin MS02-023.

  Microsoft Security Bulletin 02-023:
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp

Discovered by:
--------------
  Yuu Arai (LAC) y.arai@lac.co.jp

Acknowledgements:
-----------------
  Thanks to:
 
  Microsoft Security Response Center
  Japan PSS Security Response Team of Microsoft Asia Limited

Disclaimer:
-----------
All information in these advisories is subject to change without advance
notice or mutual consent, and each advisory is released as is. LAC Co., Ltd.
is not responsible for any risks arising from the application of this
information.

------------------------------------------------------------------
SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
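
A defensive check for the header pattern shown in the Problem Description, as an added example that is not part of the original advisory: it flags HTTP responses (for instance, header blocks pulled from proxy logs) that declare a media Content-Type while naming an executable file in Content-Disposition. The function name, the extension list, the video/ prefix and the sample responses are assumptions constructed for illustration.

```python
import os
from email import message_from_string
from typing import Optional

# Extensions Windows runs directly (an assumed list, not taken from the advisory).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".hta"}
# The advisory names audio/x-ms-wma and audio/midi; video/ is added as an assumption.
MEDIA_PREFIXES = ("audio/", "video/")


def check_response(raw_headers: str) -> Optional[str]:
    """Return a finding string if the header block matches the pattern, else None."""
    msg = message_from_string(raw_headers)
    ctype = msg.get_content_type()        # lower-cased, parameters stripped
    filename = msg.get_filename() or ""   # filename= from Content-Disposition
    # Windows ignores trailing dots and spaces, so "foo.exe." still runs as .exe.
    ext = os.path.splitext(filename.rstrip(". ").lower())[1]
    if ctype.startswith(MEDIA_PREFIXES) and ext in EXECUTABLE_EXTS:
        return f"media type {ctype} served with executable filename {filename!r}"
    return None


# Constructed sample header blocks; the first reproduces the advisory's example.
ADVISORY_EXAMPLE = (
    "Content-Type: audio/x-ms-wma\n"
    'Content-disposition: inline; filename="foo.exe"\n\n'
)
TRAILING_DOT = (
    "Content-Type: audio/midi\n"
    'Content-Disposition: inline; filename="clip.EXE."\n\n'
)
LEGIT_MEDIA = (
    "Content-Type: audio/midi\n"
    'Content-Disposition: inline; filename="song.mid"\n\n'
)
ORDINARY_DOWNLOAD = (
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="setup.exe"\n\n'
)

if __name__ == "__main__":
    for name, raw in [("advisory example", ADVISORY_EXAMPLE),
                      ("trailing dot", TRAILING_DOT),
                      ("legit media", LEGIT_MEDIA),
                      ("ordinary download", ORDINARY_DOWNLOAD)]:
        print(f"{name}: {check_response(raw) or 'ok'}")
```

An ordinary executable download served as application/octet-stream is deliberately not flagged; only the mismatch between a media type and an executable filename is.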


