SecurityvulnsSECURITYVULNS:DOC:10663Secunia Research: Microsoft Internet Explorer Keyboard Shortcut Processing Vulnerability
======================================================================
Secunia Research 13/12/2005
Microsoft Internet Explorer Keyboard Shortcut Processing Vulnerability
======================================================================
Table of Contents
Affected Software…1
Severity…2
Description of Vulnerability…3
Solution…4
Time Table…5
Credits…6
References…7
About Secunia…8
Verification…9
======================================================================
1) Affected Software
Microsoft Internet Explorer 6.0
Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access and security bypass
Where: From remote
======================================================================
3) Description of Vulnerability
Secunia Research has discovered a vulnerability in
Microsoft Internet Explorer, which can be exploited by malicious
people to trick users into executing malicious files.
The vulnerability is caused due to a design error in the processing
of keyboard shortcuts for certain security dialogs. This can e.g. be
exploited to delay the file download dialog and trick users into
executing a malicious ".bat" file after pressing the "r" key.
A successful attack may be outlined as:
- Detect that the user is typing on the keyboard.
- Redirect to a malicious ".bat" file.
- In a new thread, force the browser to consume a large amount of
CPU resources via a simple loop statement. This causes the
upcoming file download dialog to be delayed. - The user eventually presses the "r" key which is a keyboard
shortcut for opening the downloaded file. The download dialog has
not yet been shown for the user when this event occurs. - The loop statement stops causing the download dialog to be visible
and the keyboard shortcut event is processed. - The malicious ".bat" file is launched.
The vulnerability has been confirmed on a fully patched system with
Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions
may also be affected.
======================================================================
4) Solution
Apply patches.
Please see MS05-054 (KB905915):
http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx
======================================================================
5) Time Table
21/05/2005 - Vulnerability discovered.
24/05/2005 - Vendor notified.
20/06/2005 - Vendor confirms the vulnerability.
13/12/2005 - Vendor issues patch.
13/12/2005 - Public disclosure.
======================================================================
6) Credits
Discovered by Andreas Sandblad, Secunia Research.
======================================================================
7) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
candidate number CAN-2005-2829 for the vulnerability.
======================================================================
8) About Secunia
Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia web site:
Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
9) Verification
Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2005-7/advisory/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
Related
