[Am-info] Re: CERT Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer
Geoffrey
esoteric@3times25.net
Mon, 25 Feb 2002 16:20:11 -0500
Yeah, they put out some good stuff alright...
CERT Advisory wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer
>
> Original release date: February 25, 2002
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
> Systems Affected
>
> * Microsoft Internet Explorer
> * Microsoft Outlook and Outlook Express
> * Other applications that use the Internet Explorer HTML rendering
> engine
>
>
> Overview
>
> Microsoft Internet Explorer contains a buffer overflow vulnerability
> in its handling of embedded objects in HTML documents. This
> vulnerability could allow an attacker to execute arbitrary code on the
> victim's system when the victim visits a web page or views an HTML
> email message.
>
>
> I. Description
>
> Internet Explorer supports the <EMBED> directive, which can be used to
> include arbitrary objects in HTML documents. Common types of embedded
> objects include multimedia files, Java applets, and ActiveX controls.
> The SRC attribute specifies the source path and filename of an object.
> For example, a MIDI sound might be embedded in a web page with the
> following HTML code:
>
> <EMBED TYPE="audio/midi" SRC="/path/sound.mid" AUTOSTART="true">
>
> Internet Explorer uses attributes of the <EMBED> directive and MIME
> information from the web server to determine how to handle an embedded
> object. In most cases, a separate application or plugin is used.
>
> A group of Russian researchers, SECURITY.NNOV, has reported that
> Internet Explorer does not properly handle the SRC attribute of the
> <EMBED> directive. An HTML document, such as a web page or HTML email
> message, that contains a crafted SRC attribute can trigger a buffer
> overflow, executing code with the privileges of the user viewing the
> document. Microsoft Internet Explorer, Outlook, and Outlook Express
> are vulnerable. Other applications that use the Internet Explorer HTML
> rendering engine, such as Windows compiled HTML help (.chm) files and
> third-party email clients, may also be vulnerable.
>
> The CERT/CC is tracking this vulnerability as VU#932283, which
> corresponds directly to the "buffer overrun" vulnerability described
> in Microsoft Security Bulletin MS02-005.
>
> This vulnerability has been assigned the CVE identifier CAN-2002-0022.
>
>
> II. Impact
>
> By convincing a user to view a malicious HTML document, an attacker
> can cause the Internet Explorer HTML rendering engine to execute
> arbitrary code with the privileges of the user who viewed the HTML
> document. This vulnerability could be exploited to distribute viruses,
> worms, or other malicious code.
>
>
> III. Solution
>
> Apply a patch
>
> Microsoft has released a cumulative patch for Internet Explorer that
> corrects this vulnerability and several others. For more information
> about the patch and the vulnerabilities, please see Microsoft Security
> Bulletin MS02-005:
>
> http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
>
> Disable ActiveX Controls and Plugins
>
> In Internet Explorer, plugins may be used to view, play, or otherwise
> process embedded objects. The execution of embedded objects is
> controlled by the "Run ActiveX Controls and Plugins" security option.
> Disabling this option will prevent embedded objects from being
> processed, and will therefore prevent exploitation of this
> vulnerability.
>
> According to MS02-005:
>
> The vulnerability could not be exploited if the "Run ActiveX
> Controls and Plugins" security option were disabled in the Security
> Zone in which the page was rendered. This is the default condition
> in the Restricted Sites Zone, and can be disabled manually in any
> other Zone.
>
> At a minimum, disable the "Run ActiveX Controls and Plugins" security
> option in the Internet Zone and the zone used by Outlook or Outlook
> Express. The "Run ActiveX Controls and Plugins" security option is
> disabled in the "High" zone security setting. Instructions for
> configuring the Internet Zone to use the "High" zone security setting
> can be found in the CERT/CC Malicious Web Scripts FAQ:
>
> http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps
>
> Apply the Outlook Email Security Update
>
> Another way to effectively disable the processing of ActiveX controls
> and plugins in Outlook is to install the Outlook Email Security
> Update. The update configures Outlook to open email messages in the
> Restricted Sites Zone, where the "Run ActiveX Controls and Plugins"
> security option is disabled by default. In addition, the update
> provides further protection against malicious code that attempts to
> propagate via Outlook.
>
> * Outlook 2002 and Outlook Express 6
> The functionality of the Outlook Email Security Update is included
> in Outlook 2002 and Outlook Express 6.
> * Outlook 2000
> http://office.microsoft.com/downloads/2000/Out2ksec.aspx
> * Outlook 98
> http://office.microsoft.com/downloads/9798/Out98sec.aspx
>
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. When vendors report new information to the CERT/CC, we
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
> Microsoft
>
> Microsoft has released a Security Bulletin and a Knowledge Base
> Article addressing this vulnerability:
> * Security Bulletin MS02-005
> http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
> * Knowledge Base Article Q317731
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731
>
> Cyrusoft
>
> Our email client Mulberry does not use the core HTML rendering engine
> library for its HTML display, and so is not affected by the bug in
> that library. Having looked at the details of this alert I can also
> confirm that our own HTML rendering engine is not affected by this, as
> it ignores the relevant tags.
>
>
> Appendix B. - References
>
> 1. http://www.kb.cert.org/vuls/id/932283
> 2. http://www.security.nnov.ru/advisories/mshtml.asp
> 3. http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
> 4. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731
> 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0022
> 6. http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/
> embed.asp
> 7. http://developer.netscape.com/docs/manuals/htmlguid/tags14.htm#128
> 6379
>
> _________________________________________________________________
>
> The CERT/CC thanks ERRor and DarkZorro of domain Hell and 3APA3A of
> SECURITY.NNOV for reporting this issue to us.
> _________________________________________________________________
>
> Author: Art Manion
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2002-04.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
>
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
>
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo@cert.org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2002 Carnegie Mellon University.
>
> Revision History
> February 25, 2002: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBPHppRKCVPMXQI2HJAQEunQP9Hn+YSjmwNSLM4//5JrHP0ydgt0DFzh5k
> 0X40VYjxXcls0r3uZrpfC80W2f7DF3lS2kNcys4aEl+OXkTLn3p2BEkGYFhitwbG
> Tl0KvoESvT6b/1/w3TCjBregrAxPEXdw9KwQ2JFm/jmpX1+Gr15X7b2TDbf4sxJy
> q3UC1EPU9JE=
> =Jtq3
> -----END PGP SIGNATURE-----
>
>
>
--
Until later: Geoffrey esoteric@3times25.net
I didn't have to buy my radio from a specific company to listen
to FM, why doesn't that apply to the Internet (anymore...)?