__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Internet Explorer MIME Header Vulnerability
April 2, 2001 23:00 GMT Number L-066
______________________________________________________________________________
PROBLEM: Internet Explorer incorrectly handles some unusual MIME types
which could allow binary attachments to be run in mail
messages.
PLATFORM: Windows platforms with mail readers that use Internet Explorer
to render html formatted mail messages (Outlook, Outlook
Express, others) and that have Internet Explorer versions 5.01
or 5.5 installed. Internet Explorer version 5.01 service pack 2
is not affected.
DAMAGE: The vulnerability could allow an intruder to craft an html mail
message that would automatically launch an attached binary
file.
SOLUTION: Apply patches available from the Microsoft website.
http://www.microsoft.com/windows/ie/download/critical/Q290108
/default.asp
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. The MIME types that cause the problem are
ASSESSMENT: not well known and the vulnerability is not in the wild. This
assessment could change rapidly as intruders learn the details
of the vulnerability and how to exploit it.
______________________________________________________________________________
The following bulletin was posted on the Microsoft website on March 29, 2001.
See the Microsoft website for the latest version of this bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
-------------------Start of Microsoft Bulletin-------------------
Microsoft Security Bulletin (MS01-020)
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
Originally posted: March 29, 2001
Summary
=======
Who should read this bulletin: Customers using Microsoft® Internet Explorer.
Impact of vulnerability: Run code of attacker's choice.
Recommendation: Customers using IE should install the patch immediately.
Affected Software:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Note: Internet Explorer 5.01 Service Pack 2 is not affected by this
vulnerability.
Technical details
=================
Technical description:
Because HTML e-mails are simply web pages, IE can render them and open binary
attachments in a way that is appropriate to their MIME types. However, a flaw
exists in the type of processing that is specified for certain unusual MIME
types. If an attacker created an HTML e-mail containing an executable
attachment, then modified the MIME header information to specify that the
attachment was one of the unusual MIME types that IE handles incorrectly, IE
would launch the attachment automatically when it rendered the e-mail.
An attacker could use this vulnerability in either of two scenarios. She could
host an affected HTML e-mail on a web site and try to persuade another user to
visit it, at which point script on a web page could open the mail and initiate
the executable. Alternatively, she could send the HTML mail directly to the
user. In either case, the executable attachment, if it ran, would be limited
only by user's permissions on the system.
Mitigating factors:
The vulnerability could not be exploited if File Downloads have been disabled
in the Security Zone in which the e-mail is rendered. This is not a default
setting in any zone, however.
Vulnerability identifier: CAN-2001-0154
Tested Versions:
Microsoft tested IE 5.01 and IE 5.5 to assess whether they are affected by this
vulnerability. Previous versions are no longer supported and may or may not be
affected by this vulnerability.
Frequently asked questions
==========================
What's the scope of the vulnerability?
This vulnerability could enable an attacker to potentially run a program of her
choice on the machine of another user. Such a program would be capable of
taking any action that the user himself could take on his machine, including
adding, changing or deleting data, communicating with web sites, or
reformatting the hard drive.
In order for the attacker to successfully attack the user via this
vulnerability, she would need to be able to persuade the user to either browse
to a web site she controlled or open an HTML e-mail that she had sent.
What causes the vulnerability?
If an HTML mail contains an executable attachment whose MIME type is
incorrectly given as one of several unusual types, a flaw in IE will cause the
attachment to be executed without displaying a warning dialogue.
Why is IE used to process HTML mails? I thought mail programs like Outlook and
Outlook Express were in charge of displaying mails.
In general, they are. Mail clients handle creating, sending, receiving and
displaying e-mail. There is one exception, however, they rely on IE to perform
a process called "rendering" if the mail is an HTML mail. Rendering is the
process of processing and displaying a web page. HTML mails are rendered by IE
because they are essentially web pages sent as mails. The flaw in this case
involves how IE renders HTML mails.
What's the problem with how IE renders HTML mails?
If a mail contains an attachment, IE should provide the ability to open the
attachment when it renders the message. The precise meaning of "open" depends
on the type of file. If the attachment is a text file, IE should provide the
ability to read it; if it's a video clip, IE should provide the ability to view
it; if it's a graphics file, IE should provide the ability to display it; and
so on.
Some types of attachments, such as executable files, are inherently dangerous.
In these cases, IE should only open the attachment if the user expressly asks
to do so, and confirms that he wants to open it. The flaw, however, enables
this safeguard to be circumvented by specifying an incorrect MIME type in the
e-mail.
What's a MIME type?
Let's start with what MIME is. MIME is an acronym for Multipurpose Internet
Mail Extensions. It's a widely used Internet standard for encoding binary files
as e-mail attachments. When an e-mail contains a binary attachment, it must
specify what type of file the attachment is, so the mail program can interpret
it correctly.
In the case of this vulnerability, IE doesn't correctly handle certain types of
fairly unusual MIME types. If an attacker created an e-mail message containing
an executable attachment, and specified that it was one of these MIME types, IE
would execute the attachment rather than prompting the user.
Would IE always execute the attachment?
No. IE would only execute the attachment if File Downloads were enabled in the
Security Zone that the e-mail was opened in. However, File Downloads are
enabled in all zones by default.
What would this vulnerability enable an attacker to do?
If an attacker created an e-mail that exploits this vulnerability, she could
use it in an attempt to run the executable attachment on another user's
computer. She could try to do this through either of two scenarios. First, she
could host the HTML mail on her web site, and try to persuade the user to visit
it. Second, she could send the email directly to the user.
What kind of actions could the attachment take if it ran?
The attachment would be able to take any action that the user himself could
take on his system. If he were an unprivileged user, it might be able to do
very little. However, if the user were an administrator on his system, the
attachment would be able to do virtually anything, including reformatting the
hard drive.
Could an e-mail accidentally be created that would exploit this vulnerability?
No. To create such an e-mail, an attacker would need to create an e-mail
containing an executable attachment, then deliberately edit the MIME headers in
the mail to be one of the affected types.
What does the patch do?
The patch eliminates the vulnerability by correcting the table of MIME types
and their associated actions in IE. This has the effect of preventing emails
from being able to automatically launch executable attachments.
I've already installed IE 5.01 Service Pack 2. Do I need to install the patch?
No. The fix for this issue is included in IE 5.01 Service Pack 2. If you've
already installed it, you do not need to install the patch.
I heard that even after applying this patch, an e-mail could start a file
download automatically. Is this true?
Yes. However, this is not related to this vulnerability, and doesn't pose a
security risk. It's always possible for an e-mail to start a file download, and
of course the author of the mail can give the file a name that sounds
innocuous. However, the file download cannot actually begin unless and until
the user selects a location to which it should be downloaded, and clicks the OK
button.
As a general rule, it is probably worth questioning the trustworthiness of any
e-mail that automatically starts a file download. The best action is to simply
click the Cancel button in the dialogue.
Patch availability
==================
Download locations for this patch
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
Additional information about this patch
=======================================
Installation platforms:
This patch can be installed on systems running Internet Explorer 5.01 Service
Pack 1 or Internet Explorer 5.5 Service Pack 1.
Inclusion in future service packs:
The fix for this issue is included in Internet Explorer 5.01 Service Pack 2 and
will be included in Internet Explorer 5.5 Service Pack 2.
Verifying patch installation:
To verify that the patch has been installed on the machine, open IE, select
Help, then select About Internet Explorer and confirm that Q290108 is listed in
the Update Versions field.
To verify the individual files, use the patch manifest provided in Knowledge
Base article Q290108
Caveats:
If the patch is installed on a system running a version of IE other than the
one it is designed for, an error message will be displayed saying that the
patch is not needed. This message is incorrect, and customers who see this
message should upgrade to a supported version of IE and re-install the patches.
Localization:
Localized versions of this patch are under development. When completed, they
will be available at the locations discussed in "Obtaining other security
patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
Security patches are available from the Microsoft Download Center, and can be
most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
All patches available via WindowsUpdate also are available in a redistributable
form from the WindowsUpdate Corporate site.
Other information:
Acknowledgments
Microsoft thanks Juan Carlos Cuartango (http://www.kriptopolis.com) for
reporting this issue to us and working with us to protect customers.
Support:
Microsoft Knowledge Base article Q290108 discusses this issue and will be
available approximately 24 hours after the release of this bulletin. Knowledge
Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There
is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness for
a particular purpose. In no event shall Microsoft Corporation or its suppliers
be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
V1.0 (March 29, 2001): Bulletin Created.
-------------------End of Microsoft Bulletin-------------------
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Microsoft Corp. for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
L-055: pcAnywhere Denial of Service, abnormal server connection
L-056: The Naked Wife (W32.Naked@mm) Trojan
L-057: Kerberos /tmp Root Vulnerability
L-058: HPUX Sec. Vulnerability asecure
L-059: Microsoft IIS WebDAV Denial of service Vulnerability
L-061: Microsoft IE can Divulge Location of Cached Content
L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft
L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call
l-064: The Lion Internet Worm DDOS Risk
L-065: Solaris Exploitation of snmpXdmid
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
