
CIAC L-066 - Internet Explorer MIME Header Vulnerability


             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                Internet Explorer MIME Header Vulnerability

April 2, 2001 23:00 GMT                                           Number L-066
______________________________________________________________________________
PROBLEM:       Internet Explorer incorrectly handles some unusual MIME types 
               which could allow binary attachments to be run in mail 
               messages. 
PLATFORM:      Windows platforms with mail readers that use Internet Explorer 
               to render html formatted mail messages (Outlook, Outlook 
               Express, others) and that have Internet Explorer versions 5.01 
               or 5.5 installed. Internet Explorer version 5.01 service pack 2 
               is not affected. 
DAMAGE:        The vulnerability could allow an intruder to craft an html mail 
               message that would automatically launch an attached binary 
               file. 
SOLUTION:      Apply patches available from the Microsoft website. 
               http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The MIME types that cause the problem are 
ASSESSMENT:    not well known and the vulnerability is not in the wild. This 
               assessment could change rapidly as intruders learn the details 
               of the vulnerability and how to exploit it. 
______________________________________________________________________________

The following bulletin was posted on the Microsoft website on March 29, 2001. 
See the Microsoft website for the latest version of this bulletin: 

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp 

-------------------Start of Microsoft Bulletin------------------- 

Microsoft Security Bulletin (MS01-020) 

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
Originally posted: March 29, 2001

Summary
=======

Who should read this bulletin: Customers using Microsoft® Internet Explorer. 

Impact of vulnerability: Run code of attacker's choice. 

Recommendation: Customers using IE should install the patch immediately. 

Affected Software: 

    Microsoft Internet Explorer 5.01 
    Microsoft Internet Explorer 5.5 
    Note: Internet Explorer 5.01 Service Pack 2 is not affected by this 
    vulnerability. 

Technical details 
=================

Technical description: 
Because HTML e-mails are simply web pages, IE can render them and open binary 
attachments in a way that is appropriate to their MIME types. However, a flaw 
exists in the type of processing that is specified for certain unusual MIME 
types. If an attacker created an HTML e-mail containing an executable 
attachment, then modified the MIME header information to specify that the 
attachment was one of the unusual MIME types that IE handles incorrectly, IE 
would launch the attachment automatically when it rendered the e-mail. 

An attacker could use this vulnerability in either of two scenarios. She could 
host an affected HTML e-mail on a web site and try to persuade another user to 
visit it, at which point script on a web page could open the mail and initiate 
the executable. Alternatively, she could send the HTML mail directly to the 
user. In either case, the executable attachment, if it ran, would be limited 
only by the user's permissions on the system. 

Mitigating factors: 

The vulnerability could not be exploited if File Downloads have been disabled 
in the Security Zone in which the e-mail is rendered. This is not a default 
setting in any zone, however. 

Vulnerability identifier: CAN-2001-0154 

Tested Versions:
Microsoft tested IE 5.01 and IE 5.5 to assess whether they are affected by this 
vulnerability. Previous versions are no longer supported and may or may not be 
affected by this vulnerability.

Frequently asked questions 
==========================

What's the scope of the vulnerability?

This vulnerability could enable an attacker to potentially run a program of her 
choice on the machine of another user. Such a program would be capable of 
taking any action that the user himself could take on his machine, including 
adding, changing or deleting data, communicating with web sites, or 
reformatting the hard drive. 

In order for the attacker to successfully attack the user via this 
vulnerability, she would need to be able to persuade the user to either browse 
to a web site she controlled or open an HTML e-mail that she had sent. 

What causes the vulnerability?

If an HTML mail contains an executable attachment whose MIME type is 
incorrectly given as one of several unusual types, a flaw in IE will cause the 
attachment to be executed without displaying a warning dialogue. 

Why is IE used to process HTML mails? I thought mail programs like Outlook and 
Outlook Express were in charge of displaying mails.

In general, they are. Mail clients handle creating, sending, receiving and 
displaying e-mail. There is one exception, however: they rely on IE to perform 
a process called "rendering" if the mail is an HTML mail. Rendering is the 
process of interpreting and displaying a web page. HTML mails are rendered by 
IE because they are essentially web pages sent as mails. The flaw in this case 
involves how IE renders HTML mails. 

What's the problem with how IE renders HTML mails?

If a mail contains an attachment, IE should provide the ability to open the 
attachment when it renders the message. The precise meaning of "open" depends 
on the type of file. If the attachment is a text file, IE should provide the 
ability to read it; if it's a video clip, IE should provide the ability to view 
it; if it's a graphics file, IE should provide the ability to display it; and 
so on. 

Some types of attachments, such as executable files, are inherently dangerous. 
In these cases, IE should only open the attachment if the user expressly asks 
to do so, and confirms that he wants to open it. The flaw, however, enables 
this safeguard to be circumvented by specifying an incorrect MIME type in the 
e-mail. 

What's a MIME type?

Let's start with what MIME is. MIME is an acronym for Multipurpose Internet 
Mail Extensions. It's a widely used Internet standard for encoding binary files 
as e-mail attachments. When an e-mail contains a binary attachment, it must 
specify what type of file the attachment is, so the mail program can interpret 
it correctly. 

In the case of this vulnerability, IE doesn't correctly handle certain types of 
fairly unusual MIME types. If an attacker created an e-mail message containing 
an executable attachment, and specified that it was one of these MIME types, IE 
would execute the attachment rather than prompting the user. 
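The technical description and the MIME explanation above make the same point: the danger is executable content travelling under a declared type that IE treats as harmless, and the bulletin does not name the affected types. A gateway-side check therefore has to look at the attachment bytes rather than trust the Content-Type header. The following is an added example written for this page, not code from CIAC or Microsoft; the sample message, its file names and the image/gif label are constructed for the test.

```python
import email
from email import policy
from email.message import EmailMessage

# Byte signatures of executable formats. A part that begins with one of these
# is executable no matter what its Content-Type header says.
EXECUTABLE_MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable"}
# Content-Types under which an executable attachment is at least honestly
# labelled; anything else paired with executable bytes is a mismatch.
HONEST_EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def mislabelled_executables(raw_message: bytes) -> list:
    """Return (filename, declared_type, description) for each leaf MIME part
    whose decoded bytes carry an executable signature while its Content-Type
    claims a non-executable type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""  # undo base64/qp
        declared = part.get_content_type()               # lower-cased type
        for magic, description in EXECUTABLE_MAGIC.items():
            if payload.startswith(magic) and declared not in HONEST_EXECUTABLE_TYPES:
                hits.append((part.get_filename() or "", declared, description))
    return hits


def build_sample_mail() -> bytes:
    """Constructed test message: an HTML body, a genuine-looking GIF, and a
    second 'GIF' whose bytes are really an executable header stub (a handful
    of bytes, not a runnable program). The image/gif label is an arbitrary
    choice for the example, not a type named by the bulletin."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed MIME mismatch test"
    msg.set_content("<html><body>hello</body></html>", subtype="html")
    msg.add_attachment(b"GIF89a" + b"\x00" * 10,
                       maintype="image", subtype="gif", filename="real.gif")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 12  # executable header only
    msg.add_attachment(fake_exe,
                       maintype="image", subtype="gif", filename="photo.gif")
    return msg.as_bytes()
```

Because the check keys on content rather than on the declared type, it does not depend on knowing which unusual MIME types IE mishandles.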

Would IE always execute the attachment?

No. IE would only execute the attachment if File Downloads were enabled in the 
Security Zone that the e-mail was opened in. However, File Downloads are 
enabled in all zones by default. 

What would this vulnerability enable an attacker to do?

If an attacker created an e-mail that exploits this vulnerability, she could 
use it in an attempt to run the executable attachment on another user's 
computer. She could try to do this through either of two scenarios. First, she 
could host the HTML mail on her web site, and try to persuade the user to visit 
it. Second, she could send the email directly to the user. 

What kind of actions could the attachment take if it ran?

The attachment would be able to take any action that the user himself could 
take on his system. If he were an unprivileged user, it might be able to do 
very little. However, if the user were an administrator on his system, the 
attachment would be able to do virtually anything, including reformatting the 
hard drive. 

Could an e-mail accidentally be created that would exploit this vulnerability?

No. To create such an e-mail, an attacker would need to create an e-mail 
containing an executable attachment, then deliberately edit the MIME headers in 
the mail to be one of the affected types. 

What does the patch do?

The patch eliminates the vulnerability by correcting the table of MIME types 
and their associated actions in IE. This has the effect of preventing emails 
from being able to automatically launch executable attachments. 

I've already installed IE 5.01 Service Pack 2. Do I need to install the patch?

No. The fix for this issue is included in IE 5.01 Service Pack 2. If you've 
already installed it, you do not need to install the patch.

I heard that even after applying this patch, an e-mail could start a file 
download automatically. Is this true?

Yes. However, this is not related to this vulnerability, and doesn't pose a 
security risk. It's always possible for an e-mail to start a file download, and 
of course the author of the mail can give the file a name that sounds 
innocuous. However, the file download cannot actually begin unless and until 
the user selects a location to which it should be downloaded, and clicks the OK 
button. 

As a general rule, it is probably worth questioning the trustworthiness of any 
e-mail that automatically starts a file download. The best action is to simply 
click the Cancel button in the dialogue. 

Patch availability
==================

Download locations for this patch 

http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp 

Additional information about this patch 
=======================================

Installation platforms: 
This patch can be installed on systems running Internet Explorer 5.01 Service 
Pack 1 or Internet Explorer 5.5 Service Pack 1. 

Inclusion in future service packs:
The fix for this issue is included in Internet Explorer 5.01 Service Pack 2 and 
will be included in Internet Explorer 5.5 Service Pack 2. 

Verifying patch installation: 

To verify that the patch has been installed on the machine, open IE, select 
Help, then select About Internet Explorer and confirm that Q290108 is listed in 
the Update Versions field. 

To verify the individual files, use the patch manifest provided in Knowledge 
Base article Q290108. 

Caveats:
If the patch is installed on a system running a version of IE other than the 
one it is designed for, an error message will be displayed saying that the 
patch is not needed. This message is incorrect, and customers who see this 
message should upgrade to a supported version of IE and re-install the patches. 

Localization:
Localized versions of this patch are under development. When completed, they 
will be available at the locations discussed in "Obtaining other security 
patches". 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

    Security patches are available from the Microsoft Download Center, and 
    can be most easily found by doing a keyword search for "security_patch". 
    Patches for consumer platforms are available from the WindowsUpdate web 
    site. 
    All patches available via WindowsUpdate also are available in a 
    redistributable form from the WindowsUpdate Corporate site. 

Other information: 
Acknowledgments

Microsoft thanks Juan Carlos Cuartango (http://www.kriptopolis.com) for 
reporting this issue to us and working with us to protect customers. 

Support: 

Microsoft Knowledge Base article Q290108 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. Knowledge 
Base articles can be found on the Microsoft Online Support web site. 
Technical support is available from Microsoft Product Support Services. There 
is no charge for support calls associated with security patches. 
Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness for 
a particular purpose. In no event shall Microsoft Corporation or its suppliers 
be liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if Microsoft 
Corporation or its suppliers have been advised of the possibility of such 
damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 

Revisions: 


V1.0 (March 29, 2001): Bulletin Created. 
-------------------End of Microsoft Bulletin------------------- 



_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corp. for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-055: pcAnywhere Denial of Service, abnormal server connection
L-056: The Naked Wife (W32.Naked@mm) Trojan
L-057: Kerberos /tmp Root Vulnerability
L-058: HPUX Sec. Vulnerability asecure
L-059: Microsoft IIS WebDAV Denial of service Vulnerability
L-061: Microsoft IE can Divulge Location of Cached Content
L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft
L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call
L-064: The Lion Internet Worm DDOS Risk
L-065: Solaris Exploitation of snmpXdmid


