TUCoPS :: Browsers :: bt926.txt

The Return of the Content-Disposition Vulnerability in IE


----------------------------------------------------------------------
SNS Advisory No.67
The Return of the Content-Disposition Vulnerability in IE

Problem first discovered on: Wed, 18 Sep 2002
Published on: Thu, 21 Aug 2003
----------------------------------------------------------------------

Overview:
---------
  Microsoft Internet Explorer is prone to a vulnerability that can, 
  under several conditions, result in the automatic download and 
  parse of a specific tag included with HTML files in the My Computer
  zone without the knowledge of the user.


Problem Description:
--------------------
  If specific MIME type is specified in the Content-Type header of 
  an HTTP response and if a special string is defined in the Content-
  Disposition header, this string can be automatically downloaded and 
  opened within the Temporary Internet Files (TIF) under several 
  conditions in Microsoft Internet Explorer.  A malicious website 
  administrator can induce a user to view a specially crafted web site 
  to cause the script to be automatically executed upon viewing the 
  malicious contents.  Execution of the script can then, disclose the 
  path to the TIF directory to the attacker.

  Additionally, if this vulnerability is exploited through a specific 
  string in the Content-Disposition header, the OBJECT tag can be 
  parsed in the "My Computer" zone.  However, if the user has access 
  to the malicious Web site, the attacker will be able to execute 
  programs on the computer with the user's privileges.


Tested Version:
---------------
  Internet Explorer 6 Service Pack 1 Japanese Edition


Solution:
---------
  Apply an appropriate patch available at:

  Microsoft Security Bulletin MS03-032:
  http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

  Microsoft Security Bulletin MS03-032(Japanese site):
  http://www.microsoft.com/japan/technet/security/bulletin/MS03-032.asp 


Discovered by:
--------------
  Yuu Arai y.arai@lac.co.jp


Acknowledgements:
-----------------

  Thanks to:
  Security Response Team of Microsoft Asia Limited


Disclaimer:
-----------
  The information contained in this advisory may be revised without prior 
  notice and is provided as it is. Users shall take their own risk when 
  taking any actions following reading this advisory. LAC Co., Ltd. shall 
  take no responsibility for any problems, loss or damage caused by, or 
  by the use of information provided here.

  This advisory can be found at the following URL: 
  http://www.lac.co.jp/security/english/snsadv_e/67_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH