Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:5028
HistoryAug 27, 2003 - 12:00 a.m.

CERT Advisory CA-2003-22 Multiple Vulnerabilities in Microsoft Internet Explorer

2003-08-2700:00:00
vulners.com
11

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-22 Multiple Vulnerabilities in Microsoft
Internet Explorer

Original issue date: August 26, 2003
Last revised: –
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

Microsoft Windows systems running

 * Internet Explorer 5.01
 * Internet Explorer 5.50
 * Internet Explorer 6.01

Previous, unsupported versions of Internet Explorer may also be
affected.

Overview

Microsoft Internet Explorer (IE) contains multiple vulnerabilities,
the most serious of which could allow a remote attacker to execute
arbitrary code with the privileges of the user running IE.

I. Description

Microsoft Security Bulletin MS03-032 describes five vulnerabilities
in Internet Explorer. These vulnerabilities are listed below.
More detailed information is available in the individual
vulnerability notes. Note that in addition to IE, any applications
that use the IE HTML rendering engine to interpret HTML documents
may present additional attack vectors for these vulnerabilities.

VU#205148 - Microsoft Internet Explorer does not properly evaluate
Content-Type and Content-Disposition headers

 A  cross-domain  scripting vulnerability  exists  in  the way  IE
 evaluates Content-Type and Content-Disposition headers and checks
 for files  in the local browser cache.   This vulnerability could
 allow  a  remote  attacker  to  execute  arbitrary  script  in  a
 different  domain,  including  the  Local Machine  Zone.
 (Other resources: SNS Advisory No.67, CAN-2003-0531)

VU#865940 - Microsoft Internet Explorer does not properly evaluate
"application/hta" MIME type referenced by DATA attribute of OBJECT
element

 IE will execute an HTML  Application (HTA) referenced by the DATA
 attribute  of  an  OBJECT  element  if  the  Content-Type  header
 returned  by the  web  server is  set  to "application/hta".   An
 attacker  could exploit this  vulnerability to  execute arbitrary
 code with the privileges of the user running IE.
 (Other  resources:  eEye  Digital Security  Advisory  AD20030820,
 CAN-2003-0532)

VU#548964 - Microsoft Windows BR549.DLL ActiveX control contains
vulnerability

 The Microsoft  Windows BR549.DLL ActiveX  control, which provides
 support  for  the Windows  Reporting  Tool,  contains an  unknown
 vulnerability. The impact of this vulnerability is not known.

VU#813208 - Internet Explorer does not properly render an input
type tag

 IE does not properly render an input type tag, allowing a remote
 attacker to cause a denial of service.

VU#334928 - Microsoft Internet Explorer contains buffer overflow in
Type attribute of OBJECT element on double-byte character set
systems

 Certain versions  of IE  that support double-byte  character sets
 (DBCS)  contain  a  buffer  overflow vulnerability  in  the  Type
 attribute of the OBJECT element.  A remote attacker could execute
 arbitrary code with the privileges of the user running IE.
 (Other resources: SNS Advisory No.68, Microsoft Security Bulletin
 MS03-020, CAN-2003-0344)

II. Impact

These vulnerabilities have different impacts, ranging from denial
of service to execution of arbitrary commands or code. Please see
the individual vulnerability notes for specific information. The
most serious of these vulnerabilities (VU#865940) could allow a
remote attacker to execute arbitrary code with the privileges of
the user running IE. The attacker could exploit this vulnerability
by convincing the user to access a specially crafted HTML document,
such as a web page or HTML email message. No user intervention is
required beyond viewing the attacker's HTML document with IE.

III. Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security
Bulletin MS03-032.

In addition to addressing these vulnerabilities, the patch also
changes the behavior of the HTML Help system (see VU#25249):

 As  with  the   previous  Internet  Explorer  cumulative  patches
 released  with bulletins  MS03-004, MS03-015,  and  MS03-020 this
 cumulative   patch  will  cause  window.showHelp()  to  cease  to
 function if  you have not applied  the HTML Help  update.  If you
 have installed the updated  HTML Help control from Knowledge Base
 article  811630,  you  will  still  be  able  to  use  HTML  Help
 functionality after applying this patch.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When
vendors report new information, this section is updated and the
changes are noted in the revision history. If a vendor is not
listed below, we have not received their comments.

Microsoft

 Please see Microsoft Security Bulletin MS03-032.

Appendix B. References

 * CERT/CC Vulnerability Note VU#205148 -
   <http://www.kb.cert.org/vuls/id/205148>

 * CERT/CC Vulnerability Note VU#865940 -
   <http://www.kb.cert.org/vuls/id/865940>

 * CERT/CC Vulnerability Note VU#548964 -
   <http://www.kb.cert.org/vuls/id/548964>

 * CERT/CC Vulnerability Note VU#813208 -
   <http://www.kb.cert.org/vuls/id/813208>

 * CERT/CC Vulnerability Note VU#334928 -
   <http://www.kb.cert.org/vuls/id/334928>

 * CERT/CC Vulnerability Note VU#25249 -
   <http://www.kb.cert.org/vuls/id/25249>

 * eEye Digital Security Advisory AD20030820     -
   <http://www.eeye.com/html/Research/Advisories/AD20030820.html>

 * SNS Advisory No. 67 -
   <http://www.lac.co.jp/security/english/snsadv_e/67_e.html>

 * SNS Advisory No. 68 -
   <http://www.lac.co.jp/security/english/snsadv_e/68_e.html>

 * Microsoft Security Bulletin MS03-032 -
   <http://microsoft.com/technet/security/bulletin/MS03-032.asp>

 * Microsoft KB Article 822925 -
   <http://support.microsoft.com/default.aspx?scid=kb;en-us;822925>

Microsoft credits eEye Digital Security, LAC, and KPMG UK for
reporting these vulnerabilities. Information from eEye, LAC, and
Microsoft was used in this document.


Feedback can be directed to the author, Art Manion.


This document is available from:
<http://www.cert.org/advisories/CA-2003-22.html&gt;


CERT/CC Contact Information

Email: <[email protected]>
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

 &lt;http://www.cert.org/CERT_PGP.key&gt;

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

 &lt;http://www.cert.org/&gt;

To subscribe to the CERT mailing list for advisories and bulletins,
send email to <[email protected]>. Please include in the body of your
message

subscribe cert-advisory

  • "CERT" and "CERT Coordination Center" are registered in the U.S.
    Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

August 26, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP0u+smjtSoHZUTs5AQF7FwQAl/9veQraef6h9lFcN+5dtxDz2xAecek/
NUPTSzatHC+E1pc+f2IcqJh01YMsM1BXpr6sPmA5FK+2fvfuvj875NnIXIztxYWe
yV5howmUOCSPpDuV6Nasdebqq4mlBygO4R8gx1MeUBj4BEvG7mLs7k7z24kkDodv
cf0X647ejlM=
=UWNE
-----END PGP SIGNATURE-----