INFORMATION ALERT

AN EMERGING ISSUE WITH:
SIX FLAWS IN MICROSOFT INTERNET EXPLORER (5.01, 5.5, 6.0)

SEVERITY:
Medium

DATE:
February 12, 2002

SUMMARY:

Late on February 11, Microsoft released Security Bulletin MS02-005
<http://www.microsoft.com/technet/tre...echnet/security/bulletin/MS02-005.asp>
announcing a cumulative patch that fixes six new vulnerabilities
in Internet Explorer (IE) 5.01, 5.5 and 6.0. The worst of these is
a buffer overflow that could let an attacker run code of his
choosing on your computer.


EXPOSURE:


Six new vulnerabilities have been found in Internet Explorer 5.01,
5.5 and 6.0:


* A buffer overflow exists in IE's handling of the HTML directive
used to embed documents in Web pages. By crafting a malicious Web
page, a hacker could overflow the buffer and run code of his
choosing on your computer, with your privileges. He would first
need to get you to view the page, for instance by e-mailing you a
link or by redirecting you from another, seemingly harmless Web
site.


* An HTML scripting function lets a Web page open data files on
the visiting system. IE has security checks meant to verify that
the site asking to open a file is permitted to do so, but
researchers found that a specially malformed request bypasses
them. By building a site that issues such requests and luring you
to it, a hacker could read files on your computer without your
permission.


* By crafting the HTTP headers sent with a download, a hacker can
misrepresent the file's name in IE's File Download dialog. IE
trusts the file name given in those headers and displays it,
regardless of the real name and type of the file being
downloaded. A hacker could exploit this to trick you into
downloading something you otherwise would not (for instance, she
could disguise trojan.exe as harmless.txt).


* Normally, when you click a link to a file that is associated
with an application in Windows, IE opens the file in that
application; click a PDF file, for instance, and IE might open it
in Acrobat Reader. Researchers found that a hacker can craft the
HTTP headers sent with a file so that IE hands it to any
application of his choosing (provided that application is
installed on your machine). Microsoft's examples of how this could
harm you are vague; however, our preliminary research indicates
that a hacker might exploit it by placing on a Web page a
harmless-looking text file that IE hands to the Windows Registry
Editor instead of a text editor. You would think you were opening
a plain text file, but the file would contain registry settings
that the Registry Editor imports, reconfiguring your machine to
the hacker's advantage.
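
The file-name and application tricks above both come down to IE
acting on untrusted HTTP headers without comparing them to the
file itself. What follows is an added example, not code from this
alert or from Microsoft: a Node.js sketch of the check a download
handler should make, comparing the advertised Content-Disposition
file name, the Content-Type, and the file's leading bytes, and
refusing to hand the file to an associated program when they
disagree. The MIME table, the signature list and the sample
responses are constructed for illustration and are far smaller
than a real browser's.

```javascript
'use strict';

// Hypothetical, deliberately small table: which file extensions a Content-Type
// may legitimately carry. Real browsers keep much larger ones.
const TYPE_EXTENSIONS = {
  'text/plain': ['txt'],
  'application/pdf': ['pdf'],
  'application/x-msdownload': ['exe', 'dll'],
};

// Leading bytes that identify a payload regardless of what the headers claim.
const MAGIC = [
  { prefix: 'MZ', kind: 'exe' },                                   // DOS/PE executable
  { prefix: '%PDF', kind: 'pdf' },
  { prefix: 'REGEDIT4', kind: 'reg' },                             // Windows 9x/NT 4 .reg file
  { prefix: 'Windows Registry Editor Version 5.00', kind: 'reg' }, // Windows 2000/XP .reg file
];

// Extensions whose associated program runs or imports the file instead of displaying it.
const ACTIVE = new Set(['exe', 'dll', 'com', 'scr', 'pif', 'bat', 'cmd', 'vbs', 'js', 'reg']);

// Pull the file name out of a Content-Disposition header (filename= only; the
// RFC 5987 filename*= form is deliberately ignored here). Returns null if absent.
function dispositionFilename(header) {
  if (!header) return null;
  const m = /(?:^|;)\s*filename\s*=\s*(?:"([^"]*)"|([^;\s]+))/i.exec(header);
  if (!m) return null;
  const raw = m[1] !== undefined ? m[1] : m[2];
  return raw.split(/[\\/]/).pop(); // drop any path the server tried to smuggle in
}

function extensionOf(name) {
  const dot = name.lastIndexOf('.');
  return dot <= 0 ? '' : name.slice(dot + 1).toLowerCase();
}

// Identify the payload from its first bytes; null when no signature matches.
function sniffKind(body) {
  const head = body.subarray(0, 64).toString('latin1');
  const hit = MAGIC.find((m) => head.startsWith(m.prefix));
  return hit ? hit.kind : null;
}

// Decide what to do with a download: 'open' (hand to the associated program),
// 'save-only' (active content: never auto-open), or 'block' (headers and bytes disagree).
function vetDownload(headers, body) {
  const mime = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const name = dispositionFilename(headers['content-disposition']) || 'download';
  const ext = extensionOf(name);
  const kind = sniffKind(body);
  const allowed = TYPE_EXTENSIONS[mime];
  const reasons = [];

  if (allowed && ext && !allowed.includes(ext)) {
    reasons.push(`name ".${ext}" disagrees with Content-Type ${mime}`);
  }
  if (kind && ext && kind !== ext) {
    reasons.push(`bytes look like .${kind}, not .${ext}`);
  }
  if (kind && allowed && !allowed.includes(kind)) {
    reasons.push(`bytes look like .${kind}, which ${mime} never carries`);
  }

  let verdict = 'open';
  if (reasons.length > 0) verdict = 'block';
  else if (ACTIVE.has(ext) || ACTIVE.has(kind)) verdict = 'save-only';
  return { verdict, name, ext, kind, reasons };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = {
  // trojan.exe advertised as harmless.txt: the trick the alert describes
  disguisedExe: {
    headers: { 'content-type': 'text/plain', 'content-disposition': 'attachment; filename="harmless.txt"' },
    body: Buffer.from('MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff', 'latin1'),
  },
  // a "text file" that is really registry data aimed at the Registry Editor
  disguisedReg: {
    headers: { 'content-type': 'text/plain', 'content-disposition': 'attachment; filename=notes.txt' },
    body: Buffer.from('REGEDIT4\r\n\r\n[HKEY_CURRENT_USER\\Software\\Example]\r\n"Run"="evil.exe"\r\n', 'latin1'),
  },
  // honest PDF
  pdf: {
    headers: { 'content-type': 'application/pdf', 'content-disposition': 'inline; filename="report.pdf"' },
    body: Buffer.from('%PDF-1.4\n%\xe2\xe3\xcf\xd3\n', 'latin1'),
  },
  // honest executable: consistent headers, but still never auto-opened
  exe: {
    headers: { 'content-type': 'application/x-msdownload', 'content-disposition': 'attachment; filename=setup.exe' },
    body: Buffer.from('MZ\x90\x00', 'latin1'),
  },
};

function vetSamples() {
  const out = {};
  for (const [label, { headers, body }] of Object.entries(SAMPLES)) out[label] = vetDownload(headers, body);
  return out;
}

for (const [label, r] of Object.entries(vetSamples())) {
  console.log(`${label.padEnd(12)} ${r.verdict.padEnd(9)} ${r.name} ${r.reasons.join('; ')}`);
}
```

Run with node: the disguised executable and registry file are
blocked, the genuine PDF opens, and the genuine executable is not
auto-opened even though its headers are consistent. Sniffing is a
secondary check, not a substitute for prompting the user before
handing anything to a program that will run or import it.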


* Another vulnerability lets an attacker's Web page run script
even when you have disabled scripting in IE. IE applies your
scripting setting when a page first loads, but a page can also add
content to itself after that point. Hackers can exploit this by
adding their script to the page after IE has already performed
its check, so the script executes even though your IE security
settings forbid it.


* The last issue is another variant of what Microsoft calls the
"Frame Domain Verification" vulnerability. If that sounds
familiar, it is because we have seen this class of flaw many times
in IE's past:


-- MS00-033
<http://www.microsoft.com/technet/tre...?url=/technet/security/bulletin/MS00-033.asp>,
-- MS00-055
<http://www.microsoft.com/technet/tre.../technet/security/bulletin/MS00-055.asp>,
-- MS00-093
<http://www.microsoft.com/technet/tre.../technet/security/bulletin/MS00-093.asp>,
-- MS01-015
<http://www.microsoft.com/technet/tre.../technet/security/bulletin/MS01-015.asp> and
-- MS01-058
<http://www.microsoft.com/technet/tre.../technet/security/bulletin/MS01-058.asp>.


In a nutshell, a hacker creates a Web page in his own domain that
also opens a secondary window onto a file on your local system.
Because IE does not properly verify that a newly opened window is
in the same domain as the window that opened it before letting
script in one read the other, the hacker's script can read the
local file and send its contents back to his site. In this way he
could read any file on your system that IE is able to display,
provided he knows or can guess where it is.
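
As an added example (not part of this alert or of any Microsoft
code), here is a Node.js model of the check IE should have made: a
window's origin is its scheme, host and port; local files get an
origin that matches nothing; and script in one window may touch
another only when both origins agree. legacyMayAccess is a
simplified model of the broken behavior described above (a window
may script any window it opened), not IE's actual code path, and
mayAccess is the origin check. The URLs are made up, and the model
ignores document.domain and the other refinements of a real
browser's policy.

```javascript
'use strict';

// Ports implied by a scheme when the URL names none.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ftp:': '21' };

// Reduce a document URL to the (scheme, host, port) tuple that access control
// compares. Local files and anything unparseable get an opaque origin that
// matches nothing, not even itself.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return { opaque: true, label: String(urlString) };
  }
  if (u.protocol === 'file:' || u.hostname === '') return { opaque: true, label: u.href };
  return {
    opaque: false,
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function describeOrigin(o) {
  return o.opaque ? `opaque(${o.label})` : `${o.scheme}//${o.host}:${o.port}`;
}

// A browser window in this model: the URL its document came from and who opened it.
function makeWindow(url, opener = null) {
  return { url, opener, origin: originOf(url) };
}

// Hypothetical model of the broken rule described in the alert: a window may
// script any window it opened, no matter where that window's document came from.
function legacyMayAccess(accessor, target) {
  return accessor === target || target.opener === accessor;
}

// The correct rule: access only between documents of the same origin.
function mayAccess(accessor, target) {
  return accessor === target || sameOrigin(accessor.origin, target.origin);
}

// Walk the attack from the alert: the attacker's page opens a window onto a
// local file and then tries to read it. Returns both verdicts for comparison.
function simulateFrameAttack(attackerUrl, localFileUrl) {
  const attacker = makeWindow(attackerUrl);
  const victim = makeWindow(localFileUrl, attacker);
  return {
    attacker: describeOrigin(attacker.origin),
    victim: describeOrigin(victim.origin),
    legacy: legacyMayAccess(attacker, victim),
    fixed: mayAccess(attacker, victim),
  };
}

// Made-up URLs for the demonstration.
const result = simulateFrameAttack('http://attacker.example/trap.html', 'file:///C:/boot.ini');
console.log(`${result.attacker} reading ${result.victim}`);
console.log(`  opener-based rule allows: ${result.legacy}`);
console.log(`  origin-based rule allows: ${result.fixed}`);
```

The origin comparison also has to normalize before it compares:
default ports are filled in and host names are lower-cased, so
http://example.com/ and HTTP://EXAMPLE.COM:80/ agree, while a
change of scheme, host or port makes the two windows strangers.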