|
 |
|
Microsoft Internet Explorer Multiple Vulnerabilities
|
|
|
|
|
Secunia Advisory:
|
SA12889
|
|
|
Release Date:
|
2004-10-20
|
|
Last Update:
|
2005-11-21
|
|
|
Critical:
|
Extremely critical
|
|
Impact:
|
Security Bypass
Cross Site Scripting
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Microsoft Internet Explorer 6.x
|
| | CVE reference: | CVE-2004-1043 (Secunia mirror)
CVE-2005-0053 (Secunia mirror)
|
|
|
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS! |
|
|
Description:
Some vulnerabilities have been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system, conduct cross-site/zone scripting and bypass a security feature in Microsoft Windows XP SP2.
1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.
This vulnerability is a variant of:
SA12321
NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.
2) A security site / zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents or inject arbitrary script code in context of a previous loaded document using a malicious javascript URI handler.
Successful exploitation may allow execution of arbitrary HTML and script code in a user's browser session in context of arbitrary sites, or execution of local programs with parameters from the "Local Computer" zone using a HTML Help shortcut.
NOTE: This will bypass the "Local Computer" zone lockdown security feature in SP2.
3) A security site / zone restriction error in the handling of the "Related Topics" command in an embedded HTML Help control can be exploited by e.g. a malicious website to execute arbitrary script code in the context of arbitrary sites or zones.
NOTE: This may be exploited to bypass the "Local Computer" zone lockdown security feature in SP2.
Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/internet_explorer_command_execution_vulnerability_test/
Vulnerability 1 and 2, or 3 alone, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files can be exploited to compromise a user's system. This has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.
Do you have this product installed on your home computer? Scan using the free Personal Software Inspector. Check if a vulnerable version is installed on computers in your corporate network, using the Network Software Inspector.
Solution:
1) Microsoft has issued patches, for more information:
SA11165
SA14190
2, 3) Apply patches.
Microsoft Windows 2000 (requires Service Pack 3 or Service Pack 4):
http://www.microsoft.com/downloads/de...=BE1B11C0-EF09-4295-8FB2-0FF17BA65460
Microsoft Windows XP (requires Service Pack 1or Service Pack 2):
http://www.microsoft.com/downloads/de...=43201B00-298D-4C0C-A26F-AAEDF163FEB7
Microsoft Windows XP 64-Bit Edition (requires Service Pack 1):
http://www.microsoft.com/downloads/de...=1FC58C5F-3A97-4B89-96C3-AAEFFCE28535
Microsoft Windows XP 64-Bit Edition Version 2003:
http://www.microsoft.com/downloads/de...=3B3878C9-57FB-45A9-B5C2-234AD538D6CC
Microsoft Windows XP Embedded SP2:
http://www.microsoft.com/downloads/de...=dcf129e8-17b7-4e37-9674-95f41169ec55
Microsoft Windows XP Embedded SP1:
http://www.microsoft.com/downloads/de...=aed17ac4-2061-467b-9127-92b539e56f0a
Microsoft Windows Server 2003:
http://www.microsoft.com/downloads/de...=23E619FE-F6DB-4666-A247-339F55B059CC
Microsoft Windows Server 2003 64-Bit Edition:
http://www.microsoft.com/downloads/de...=3B3878C9-57FB-45A9-B5C2-234AD538D6CC
Microsoft Windows NT Server 4.0 (requires Service Pack 6a) and Microsoft Windows NT Server 4.0 Terminal Server Edition (requires Service Pack 6):
http://www.microsoft.com/downloads/de...=7B2C22A9-98C6-4661-9B8D-6C59C8812071
Provided and/or discovered by:
1) Discovered independently by:
* http-equiv
* Andreas Sandblad of Secunia Research (reported to Microsoft on 2004-10-13).
2) Discovered by:
* http-equiv
Additional information provided by:
* Roozbeh Afrasiabi
3) Discovered by:
* Paul, Greyhats Security
* Michael Evanchik
Additional information provided by:
* ShredderSub7
Changelog:
2004-10-21: Updated advisory.
2004-10-28: Added another workaround in "Solution" section and linked to Microsoft Knowledge Base article.
2004-11-02: Updated with additional information in "Description" and "Solution" section.
2004-11-29: Updated "Description" section with additional information from Paul.
2004-12-23: Added link to US-CERT vulnerability note.
2004-12-25: Updated "Description" section with additional information from Paul and Michael Evanchik.
2005-01-07: Increased rating. Added link to test. Updated "Description" and "Solution" sections.
2005-01-11: Updated solution. Microsoft has issued patches for issue 2 and 3.
2005-01-12: Added link to US-CERT vulnerability note.
2005-02-08: Microsoft issued patches.
2005-11-21: Added patch information for Windows XP Embedded.
Original Advisory:
MS05-001 (KB890175):
http://www.microsoft.com/technet/security/Bulletin/MS05-001.mspx
MS05-014 (KB867282):
http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx
3) http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm
Other References:
SA12321:
http://secunia.com/advisories/12321/
SA11165:
http://secunia.com/advisories/11165/
SA14190:
http://secunia.com/advisories/14190/
How to Disable "Drag and Drop or copy and paste files" option in Internet Explorer:
http://support.microsoft.com/kb/888534
How to Disable Active Content in Internet Explorer:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q154036
US-CERT VU#939688:
http://www.kb.cert.org/vuls/id/939688
US-CERT VU#972415:
http://www.kb.cert.org/vuls/id/972415
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
131 Related Secunia Security Advisories, displaying 10
|
|
|
1. Internet Explorer 6 Window "location" Handling Vulnerability
|
|
2. Internet Explorer "substringData()" Memory Corruption Vulnerability
|
|
3. Internet Explorer "Print Table of Links" Cross-Zone Scripting
|
|
4. Internet Explorer HTTP Request Smuggling/Splitting Vulnerabilities
|
|
5. Internet Explorer FTP Command Injection Vulnerability
|
|
6. Microsoft Internet Explorer Multiple Vulnerabilities
|
|
7. Internet Explorer Multiple Code Execution Vulnerabilities
|
|
8. Microsoft Web Proxy Auto-Discovery Feature Security Issue
|
|
9. Internet Explorer Data Stream Handling Vulnerability
|
|
10. Internet Explorer Unspecified Address Bar Spoofing Vulnerability
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
|
|
Secunia PSI
Scan | Patch | Track
Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|
