virus: Urgent - another Explorer exploit - and another reason why HTML mail is evil

From: L' Ermit (lhermit@hotmail.com)
Date: Mon Feb 25 2002 - 21:56:54 MST


-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Alert
February 25, 2002

Buffer Overflow in Microsoft Internet Explorer

Synopsis:

ISS X-Force has learned of a buffer overflow vulnerability in Microsoft
Internet Explorer versions 5.5 and 6.0. This vulnerability may be
exploited by delivering specially-crafted HTML code to Internet Explorer
or email clients that use Internet Explorer to render HTML email.
Successful exploitation of this vulnerability could allow attackers to
run commands on the computers that access malicious Web sites. This
vulnerability may also be an effective method of spreading malicious
content if integrated into a mass-emailing Internet worm.

Affected Versions:

Microsoft Internet Explorer versions 5.5 and 6.0

Due to the surge in popularity of HTML formatted email, many
applications may use Internet Explorer to render these documents. Any
email client that uses Internet Explorer for this feature may be
vulnerable as well.

Description:

A vulnerability exists in the Microsoft plug-in handling implementation
of the <EMBED> HTML tag. This tag allows Web pages to include content
that is either displayed or executed in real-time. This type of
functionality is used for various functions, such as playing audio
files, running ActiveX controls, or displaying video clips. The <EMBED>
tag is read by the Web browser to determine what type of content is
provided (through the use of MIME types) and where the content is
located. The Microsoft implementation of <EMBED> was extended to provide
more granular control of the properties of the content.

When Internet Explorer parses an <EMBED> tag, it will check the MIME
type to determine if Internet Explorer can operate on the content or if
it needs to spawn an external plug-in. Internet Explorer or the plug-in
will parse the "SRC" portion of the <EMBED> tag for the location of the
special content. The vulnerability exists in the parsing routines of the
"SRC" portion of the <EMBED> tag. Attackers may be able to craft a
specific "SRC" string to trigger a buffer overflow that may lead to the
compromise of the vulnerable client.

This type of vulnerability is commonly referred to as a "client-side"
vulnerability. The exploit is only executed when a user visits an
infected Web site or receives and opens an infected email. As with other
dangerous client-side vulnerabilities, this code can be used to create
mass-emailing Internet worms that infect machines when users open
malicious email messages.

Recommendations:

X-Force recommends that all Internet Explorer, Outlook, and Outlook
Express users apply the latest cumulative patch for Internet Explorer.
This patch contains a fix for the vulnerability documented in this
advisory. Anyone using an email client that can read HTML formatted
email may also be vulnerable, and these users should also install the
latest patches from their vendor.

To access the latest Microsoft Internet Explorer patch, refer to
Microsoft Security Bulletin MS02-005 at:
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp

A check for this vulnerability will be included in Internet Scanner XPU
6.6, which will be available soon from the ISS Download Center at:
http://www.iss.net/download

X-Force recommends that all Windows users visit the Microsoft Windows
Update Web site on a regular basis. It is designed to help end users and
administrators manage update deployment. X-Force recommends that
Microsoft Windows XP users turn on "Automatic Updates".

To enable Automatic Updates, go to Control Panel --> Performance and
Maintenance --> System, and then click the Automatic Updates tab.
X-Force recommends that users enable the second option, which will
notify the user when updates are ready to download and again when the
updates are ready to install. For more information, visit:
http://windowsupdate.microsoft.com

There are viable workarounds to help mitigate the risk of this
vulnerability and other client-side vulnerabilities. Users should
consider enabling Security Zones within Internet Explorer, Outlook, and
Outlook Express. All Microsoft Office users should also install the
latest Microsoft Office Product Updates. The Microsoft Email Security
Update will change default settings of how potentially malicious emails
are handled within Microsoft email clients. Visit the Microsoft Office
Product Update Web site for more information:
http://office.microsoft.com/productupdates/

Additional Information:

Advisory - buffer overflow in mshtml.dll,
http://www.security.nnov.ru/advisories/mshtml.asp

CERT Advisory CA-2002-04: Buffer Overflow in Microsoft Internet
Explorer,
http://www.cert.org/advisories/CA-2002-04.html

CERT Vulnerability Note VU#932283,
http://www.kb.cert.org/vuls/id/932283

Microsoft Security Bulletin MS02-005,
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp

Microsoft Knowledge Base Article Q317731,
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731

ISS X-Force Database,
http://www.iss.net/security_center/static/8116.php

ISS Download Center,
http://www.iss.net/download




This archive was generated by hypermail 2.1.5 : Wed Sep 25 2002 - 13:28:43 MDT
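
Added example, not part of the original post or of the ISS advisory: a mail-gateway style check that decodes the text/html parts of a message, finds every <EMBED> tag and flags an unusually long SRC value, the attribute the advisory identifies as the one being mis-parsed. The names scan_message, verdict and build_sample and the MAX_SRC_LEN limit are assumptions made for this sketch; the limit is a local policy choice, not the size of the vulnerable buffer, which the advisory does not state.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

MAX_SRC_LEN = 256  # assumption: local policy limit, not a figure from the advisory


class EmbedFinder(HTMLParser):
    """Collect the SRC value of every <EMBED> tag in one HTML part."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "embed":  # html.parser lower-cases tag and attribute names
            self.sources.append(dict(attrs).get("src") or "")


def scan_message(raw_bytes, max_src_len=MAX_SRC_LEN):
    """Return one finding per <EMBED> tag in the message's text/html parts."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        try:
            html = part.get_content()  # undoes base64 / quoted-printable
        except LookupError:  # unknown charset label: fall back to raw bytes
            html = part.get_payload(decode=True).decode("latin-1")
        finder = EmbedFinder()
        finder.feed(html)
        finder.close()
        for src in finder.sources:
            findings.append({"src_len": len(src), "oversized": len(src) > max_src_len})
    return findings


def verdict(findings):
    """Quarantine an oversized SRC, send any other EMBED to review, else pass."""
    oversized = any(f["oversized"] for f in findings)
    return "quarantine" if oversized else ("review" if findings else "pass")


def build_sample(src):
    """Constructed test mail: plain-text body plus an HTML alternative."""
    m = EmailMessage()
    m.set_content("plain text alternative")
    m.add_alternative('<html><body><EMBED SRC="%s"></body></html>' % src, subtype="html")
    return m.as_bytes()
```

A check like this only reduces exposure for unpatched clients; it does not replace the MS02-005 patch the advisory recommends.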