|
-----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer Original release date: February 25, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * Microsoft Internet Explorer * Microsoft Outlook and Outlook Express * Other applications that use the Internet Explorer HTML rendering engine Overview Microsoft Internet Explorer contains a buffer overflow vulnerability in its handling of embedded objects in HTML documents. This vulnerability could allow an attacker to execute arbitrary code on the victim's system when the victim visits a web page or views an HTML email message. I. Description Internet Explorer supports the <EMBED> directive, which can be used to include arbitrary objects in HTML documents. Common types of embedded objects include multimedia files, Java applets, and ActiveX controls. The SRC attribute specifies the source path and filename of an object. For example, a MIDI sound might be embedded in a web page with the following HTML code: <EMBED TYPE="audio/midi" SRC="/path/sound.mid" AUTOSTART="true"> Internet Explorer uses attributes of the <EMBED> directive and MIME information from the web server to determine how to handle an embedded object. In most cases, a separate application or plugin is used. A group of Russian researchers, SECURITY.NNOV, has reported that Internet Explorer does not properly handle the SRC attribute of the <EMBED> directive. An HTML document, such as a web page or HTML email message, that contains a crafted SRC attribute can trigger a buffer overflow, executing code with the privileges of the user viewing the document. Microsoft Internet Explorer, Outlook, and Outlook Express are vulnerable. Other applications that use the Internet Explorer HTML rendering engine, such as Windows compiled HTML help (.chm) files and third-party email clients, may also be vulnerable. The CERT/CC is tracking this vulnerability as VU#932283, which corresponds directly to the "buffer overrun" vulnerability described in Microsoft Security Bulletin MS02-005. This vulnerability has been assigned the CVE identifier CAN-2002-0022. II. Impact By convincing a user to view a malicious HTML document, an attacker can cause the Internet Explorer HTML rendering engine to execute arbitrary code with the privileges of the user who viewed the HTML document. This vulnerability could be exploited to distribute viruses, worms, or other malicious code. III. Solution Apply a patch Microsoft has released a cumulative patch for Internet Explorer that corrects this vulnerability and several others. For more information about the patch and the vulnerabilities, please see Microsoft Security Bulletin MS02-005: http://www.microsoft.com/technet/security/bulletin/MS02-005.asp Disable ActiveX Controls and Plugins In Internet Explorer, plugins may be used to view, play, or otherwise process embedded objects. The execution of embedded objects is controlled by the "Run ActiveX Controls and Plugins" security option. Disabling this option will prevent embedded objects from being processed, and will therefore prevent exploitation of this vulnerability. According to MS02-005: The vulnerability could not be exploited if the "Run ActiveX Controls and Plugins" security option were disabled in the Security Zone in which the page was rendered. This is the default condition in the Restricted Sites Zone, and can be disabled manually in any other Zone. At a minimum, disable the "Run ActiveX Controls and Plugins" security option in the Internet Zone and the zone used by Outlook or Outlook Express. The "Run ActiveX Controls and Plugins" security option is disabled in the "High" zone security setting. Instructions for configuring the Internet Zone to use the "High" zone security setting can be found in the CERT/CC Malicious Web Scripts FAQ: http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps Apply the Outlook Email Security Update Another way to effectively disable the processing of ActiveX controls and plugins in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where the "Run ActiveX Controls and Plugins" security option is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. * Outlook 2002 and Outlook Express 6 The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6. * Outlook 2000 http://office.microsoft.com/downloads/2000/Out2ksec.aspx * Outlook 98 http://office.microsoft.com/downloads/9798/Out98sec.aspx Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Microsoft Microsoft has released a Security Bulletin and a Knowledge Base Article addressing this vulnerability: * Security Bulletin MS02-005 http://www.microsoft.com/technet/security/bulletin/MS02-005.asp * Knowledge Base Article Q317731 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731 Cyrusoft Our email client Mulberry does not use the core HTML rendering engine library for its HTML display, and so is not affected by the bug in that library. Having looked at the details of this alert I can also confirm that our own HTML rendering engine is not affected by this, as it ignores the relevant tags. Appendix B. - References 1. http://www.kb.cert.org/vuls/id/932283 2. http://www.security.nnov.ru/advisories/mshtml.asp 3. http://www.microsoft.com/technet/security/bulletin/MS02-005.asp 4. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0022 6. http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/ embed.asp 7. http://developer.netscape.com/docs/manuals/htmlguid/tags14.htm#128 6379 _________________________________________________________________ The CERT/CC thanks ERRor and DarkZorro of domain Hell and 3APA3A of SECURITY.NNOV for reporting this issue to us. _________________________________________________________________ Author: Art Manion ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-04.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History February 25, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPHppRKCVPMXQI2HJAQEunQP9Hn+YSjmwNSLM4//5JrHP0ydgt0DFzh5k 0X40VYjxXcls0r3uZrpfC80W2f7DF3lS2kNcys4aEl+OXkTLn3p2BEkGYFhitwbG Tl0KvoESvT6b/1/w3TCjBregrAxPEXdw9KwQ2JFm/jmpX1+Gr15X7b2TDbf4sxJy q3UC1EPU9JE= =Jtq3 -----END PGP SIGNATURE-----