The CERT/CC has received reports indicating that attackers are actively exploiting the Microsoft Internet Explorer vulnerability described in VU#865940.
Reports to the CERT/CC indicate that attackers are leveraging the vulnerability described in VU#865940 to cause victim systems to perform various tasks. These attacks include the installation of tools for launching distributed denial-of-service (DDoS) attacks, reading sensitive information from the Windows registry, and the use of the victim system's modem to dial pay-per-minute services, thereby incurring significant expense to users. Another attack known as "QHosts" misdirects network traffic by modifying Domain Name System (DNS) settings. By convincing a user running a vulnerable version of Microsoft Internet Explorer (IE) to view an HTML document (e.g., a web page or HTML email), a remote attacker could execute arbitrary code with the privileges of the user.
The vulnerability described in VU#865940 exists due to an interaction between IE's MIME type processing and the way it handles HTML application (HTA) files embedded in OBJECT tags. When an HTA file is referenced by the DATA attribute of an OBJECT element, and the web server returns the Content-Type header set to application/hta, IE may execute the HTA file directly, without user intervention. The HTML used to reference the HTA file can be created in at least three ways: (1) static HTML that creates an OBJECT element referencing the HTA, (2) HTML generated by script, and (3) HTML generated by Data Binding.
Additional details on VU#865940 can be found in the Vulnerability Note.
Any program that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected; however, recent versions of these programs open mail in the Restricted sites zone, where ActiveX controls and plug-ins are disabled by default.
Although Microsoft released a cumulative patch for Internet Explorer (see MS03-032) that stops HTAs from executing in one case, in which static HTML is used to create an OBJECT element referencing the HTA, the patch did not prevent HTAs from executing in the cases where the requisite HTML is generated by script or by Data Binding. We have confirmed reports of attackers exploiting the Data Binding method. Microsoft has subsequently released security bulletin MS03-040, which supersedes MS03-032 and references a patch (828750) that purportedly fixes the cases where the HTML is generated by script or Data Binding.
The cumulative patch (822925) referenced in Microsoft Security Bulletin MS03-032 (released on 2003-08-20) stops HTAs from executing in one case, in which static HTML is used to create an OBJECT element referencing the HTA (1). The patch does not prevent HTAs from executing in at least two other cases, in which the requisite HTML is generated by script (2) or by Data Binding (3). Microsoft has since released a new cumulative patch (828750), referenced in Microsoft Security Bulletin MS03-040, that fixes the latter cases. The CERT/CC recommends that users and administrators apply the patches from MS03-040 and consider taking the additional steps outlined below.
It appears that disabling the "Run ActiveX controls and plug-ins" setting will prevent OBJECT elements from being instantiated, thus preventing exploitation of this vulnerability. Disable "Run ActiveX controls and plug-ins" in the Internet zone and any zone used to read HTML email. Note that there may be other attack vectors that are not governed by the "Run ActiveX controls and plug-ins" setting.
Another way to effectively disable ActiveX controls and plug-ins in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.
Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability. The CERT/CC maintains a partial list of antivirus vendors.
Deleting or renaming the following registry key prevents HTAs from executing in the three cases listed above:
Use an application layer firewall, HTTP proxy, or similar technology to block or modify HTTP Content-Type headers with the value "application/hta". This technique may not work for encrypted HTTP connections and it may break applications that require the "application/hta" Content-Type header.
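The header filter described above, as an added illustration that is not part of the original advisory or of any proxy product: a small Python routine that a response-inspecting proxy or filtering module could call on each HTTP response. It normalizes the Content-Type value before comparing it, since a proxy that matches only the literal lower-case string "application/hta" misses the same media type written in a different case, padded with whitespace, or carrying a parameter such as a charset. The `filter_response_headers` function, the `mode` parameter and the sample header sets are constructed for this example; "block" drops the response and "rewrite" downgrades the type to application/octet-stream so the browser offers a download instead of handing the file to the HTA host. As the advisory notes, a filter of this kind sees nothing inside encrypted connections and can break applications that legitimately serve HTAs.

```python
from typing import Dict, List, Optional, Tuple

# Media types that must not reach the browser with their original Content-Type.
BLOCKED_TYPES = {"application/hta"}

# In "rewrite" mode the blocked type is replaced with this one, which IE treats
# as an opaque download rather than an executable HTA.
SAFE_REPLACEMENT = "application/octet-stream"

Header = Tuple[str, str]


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Content-Type header into (lowercased media type, parameters).

    Handles surrounding whitespace, mixed case and quoted parameter values, so
    that 'Application/HTA ; charset="US-ASCII"' compares equal to 'application/hta'.
    """
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params: Dict[str, str] = {}
    for param in parts[1:]:
        if "=" in param:
            name, raw = param.split("=", 1)
            params[name.strip().lower()] = raw.strip().strip('"')
    return media_type, params


def filter_response_headers(
    headers: List[Header], mode: str = "block"
) -> Tuple[str, Optional[List[Header]]]:
    """Inspect one response's headers and decide what the proxy should do.

    Returns (action, headers): action is "pass" (forward unchanged), "block"
    (drop the response; headers is None) or "rewrite" (forward the returned,
    modified header list). Header names are matched case-insensitively because
    HTTP field names are not case-sensitive.
    """
    if mode not in ("block", "rewrite"):
        raise ValueError("mode must be 'block' or 'rewrite'")

    new_headers: List[Header] = []
    rewritten = False
    for name, value in headers:
        if name.lower() == "content-type":
            media_type, _params = parse_content_type(value)
            if media_type in BLOCKED_TYPES:
                if mode == "block":
                    return "block", None
                # Keep the original field name, replace only the value.
                new_headers.append((name, SAFE_REPLACEMENT))
                rewritten = True
                continue
        new_headers.append((name, value))

    return ("rewrite", new_headers) if rewritten else ("pass", new_headers)


# Constructed sample responses (not captured traffic): an ordinary page, the
# blocked type spelled plainly, and two variants a naive string match would miss.
SAMPLE_RESPONSES = [
    [("Content-Type", "text/html; charset=utf-8"), ("Content-Length", "512")],
    [("Content-Type", "application/hta")],
    [("content-type", "Application/HTA")],
    [("Content-Type", " application/hta ; charset=us-ascii")],
]

if __name__ == "__main__":
    for headers in SAMPLE_RESPONSES:
        for mode in ("block", "rewrite"):
            action, result = filter_response_headers(headers, mode=mode)
            print(f"{mode:7s} {action:7s} {headers} -> {result}")
```

Run stand-alone, the script prints the decision for each constructed response in both modes; only the first response passes untouched, and the other three are blocked or downgraded regardless of how the media type is spelled.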
Use a host-based firewall to deny network access to the HTA host: %SystemRoot%\system32\mshta.exe. Examining network traces of known attack vectors, it seems that the exploit HTML/HTA code is accessed three times, twice by IE and once by mshta.exe. The HTA is instantiated at some point before the third access attempt. Blocking mshta.exe prevents the third access attempt, which appears to prevent the exploit code from being loaded into the HTA. There may be other attack vectors that circumvent this workaround. For example, a vulnerability that allowed data in the browser cache to be loaded into the HTA could remove the need for mshta.exe to access the network. This technique may break applications that require HTAs to access the network. Also, specific host-based firewalls may or may not properly block mshta.exe from accessing the network.
If you believe a system under your administrative control has been compromised, please follow the Steps for Recovering from a UNIX or NT System Compromise.