Original issue date: August 26, 2003<br> Last revised: October 6, 2003<br> Source: CERT/CC<br> <p> A complete <a href="#revision">revision history</a> is at the end of this file. </p> <br> <h3>Systems Affected</h3> Microsoft Windows systems running <ul> <li>Internet Explorer 5.01</li> <li>Internet Explorer 5.50</li> <li>Internet Explorer 6.01</li> </ul> Previous, unsupported versions of Internet Explorer may also be affected. <br> <h2>Overview</h2> <p> Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code with the privileges of the user running IE. </p> <p> <b>Note:</b> (2003-10-04) The patch provided by <a href="http://www.microsoft.com/technet/security/bulletin/MS03-032.asp">MS03-032</a> does not completely resolve the vulnerability described in <a href="http://www.kb.cert.org/vuls/id/865940">VU#865940</a>. Microsoft has since released <a href="http://www.microsoft.com/technet/security/\ bulletin/MS03-040.asp">MS03-040</a> which supercedes MS03-032. </p> <br> <h2>I. Description</h2> <p> Microsoft Security Bulletin <a href="http://www.microsoft.com/technet/security/bulletin/MS03-032.asp">MS03-032</a> describes five vulnerabilities in Internet Explorer. These vulnerabilities are listed below. More detailed information is available in the individual <a href="http://www.kb.cert.org/vuls/byid?searchview&query=ms03-032">vulnerability notes</a>. Note that in addition to IE, any applications that use the IE HTML rendering engine to interpret HTML documents may present additional attack vectors for these vulnerabilities. </p> <p> <b><a href="http://www.kb.cert.org/vuls/id/205148">VU#205148</a> - Microsoft Internet Explorer does not properly evaluate Content-Type and Content-Disposition headers</b><br> A cross-domain scripting vulnerability exists in the way IE evaluates Content-Type and Content-Disposition headers and checks for files in the local browser cache. This vulnerability could allow a remote attacker to execute arbitrary script in a different domain, including the Local Machine Zone.<br> <i><small>(Other resources: SNS Advisory <a href="http://www.lac.co.jp/security/english/snsadv_e/67_e.html">No.67</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0531">CAN-2003-0531</a>)</small></i> </p> <p> <b><a href="http://www.kb.cert.org/vuls/id/865940">VU#865940</a> - Microsoft Internet Explorer does not properly evaluate "application/hta" MIME type referenced by DATA attribute of OBJECT element</b><br> IE will execute an HTML Application (HTA) referenced by the DATA attribute of an OBJECT element if the Content-Type header returned by the web server is set to "application/hta". An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user running IE.<br> <i><small>(Other resources: eEye Digital Security Advisory <a href="http://www.eeye.com/html/Research/Advisories/AD20030820.html">AD20030820</a>, <a href="http://www.microsoft.com/technet/security/bulletin/MS03-032.asp">MS03-032</a>, <a href="http://www.microsoft.com/technet/security/bulletin/MS03-040.asp">MS02-040</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0532">CAN-2003-0532</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0838">CAN-2003-0838</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0809">CAN-2003-0809</a>)</small></i> </p> <p> <b><a href="http://www.kb.cert.org/vuls/id/548964">VU#548964</a> - Microsoft Windows BR549.DLL ActiveX control contains vulnerability</b><br> The Microsoft Windows BR549.DLL ActiveX control, which provides support for the Windows Reporting Tool, contains an unknown vulnerability. The impact of this vulnerability is not known. </p> <p> <b><a href="http://www.kb.cert.org/vuls/id/813208">VU#813208</a> - Microsoft Internet Explorer does not properly render an input type tag</b><br> IE does not properly render an input type tag, allowing a remote attacker to cause a denial of service. </p> <p> <b><a href="http://www.kb.cert.org/vuls/id/334928">VU#334928</a> - Microsoft Internet Explorer contains buffer overflow in Type attribute of OBJECT element on double-byte character set systems</b><br> Certain versions of IE that support double-byte character sets (DBCS) contain a buffer overflow vulnerability in the Type attribute of the OBJECT element. A remote attacker could execute arbitrary code with the privileges of the user running IE.<br> <i><small>(Other resources: SNS Advisory <a href="http://www.lac.co.jp/security/english/snsadv_e/68_e.html">No.68</a>, Microsoft Security Bulletin <a href="http://www.microsoft.com/technet/security/bulletin/MS03-020.asp">MS03-020</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0344">CAN-2003-0344</a>)</small></i> </p> <br> <h2>II. Impact</h2> <p> These vulnerabilities have different impacts, ranging from denial of service to execution of arbitrary commands or code. Please see the individual <a href="http://www.kb.cert.org/vuls/byid?searchview&query=ms03-032">vulnerability notes</a> for specific information. The most serious of these vulnerabilities (<a href="http://www.kb.cert.org/vuls/id/865940">VU#865940</a>) could allow a remote attacker to execute arbitrary code with the privileges of the user running IE. The attacker could exploit this vulnerability by convincing the user to access a specially crafted HTML document, such as a web page or HTML email message. No user intervention is required beyond viewing the attacker's HTML document with IE. </p> <br> <h2>III. Solution</h2> <h4>Apply a patch</h4> <p> Apply the appropriate patch as specified by Microsoft Security Bulletin <a href="http://microsoft.com/technet/security/bulletin/MS03-040.asp">MS03-040</a>. </p> <p> <b>Note:</b> (2003-10-04) The patch described in MS03-032 (822925) does not completely resolve the vulnerability described in <a href="http://www.kb.cert.org/vuls/id/865940">VU#865940</a>. This patch does not address at least two attack vectors that can be used to exploit this vulnerability. Microsoft has since released Security Bulletin <a href="http://microsoft.c\ om/technet/security/bulletin/MS03-040.asp">MS03-040</a> which supercedes MS03-032 and addresses the other attack vectors for VU#865940. The CERT/CC encourages users to apply the patch referenced in MS03-040 and also consider applying the additional steps listed in the <a href="http://www.kb.cert.org/vuls/id/865940#solution">solution</a> section of VU#865940. </p> <p> The patch also changes the behavior of the HTML Help system (see <a href="http://www.kb.cert.org/vuls/id/25249">VU#25249</a>): <ul><i> As with the previous Internet Explorer cumulative patches released with bulletins MS03-004, MS03-015, and MS03-020 this cumulative patch will cause window.showHelp() to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article <a href="http://support.microsoft.com/?id=811630">811630</a>, you will still be able to use HTML Help functionality after applying this patch.</i></ul> </p> <p> After releasing <a href="http://microsoft.com/technet/security/bulletin/MS03-032.asp">MS03-032</a>, Microsoft identified a problem with the patch. The only affected configurations are Windows XP systems running the web server component of Internet Information Services (IIS) 5.1 with .NET Framework 1.0 serving ASP.NET web pages. Clients using such servers may receive error messages when attempting to view web pages. More information, including a workaround, is available in Microsoft Knowledge Base Article <a href="http://support.microsoft.com/?id=827641">827641</a>. </p> <br> <a name="vendors"></a> <h2>Appendix A. Vendor Information</h2> <p> This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments. </p> <a name="microsoft"> <h4><a href="http://www.microsoft.com/">Microsoft</a></h4> <blockquote> <p> Please see Microsoft Security Bulletin <a href="http://microsoft.com/technet/security/bulletin/MS03-040.asp">MS03-040</a>. </p> </blockquote> <!-- end vendor --> <br> <a name="references"></a> <h2>Appendix B. References</h2> <ul> <li>CERT/CC Vulnerability Note VU#205148 - <<a href="http://www.kb.cert.org/vuls/id/205148">http://www.kb.cert.org/vuls/id/205148</a>></li> <li>CERT/CC Vulnerability Note VU#865940 - <<a href="http://www.kb.cert.org/vuls/id/865940">http://www.kb.cert.org/vuls/id/865940</a>></li> <li>CERT/CC Vulnerability Note VU#548964 - <<a href="http://www.kb.cert.org/vuls/id/548964">http://www.kb.cert.org/vuls/id/548964</a>></li> <li>CERT/CC Vulnerability Note VU#813208 - <<a href="http://www.kb.cert.org/vuls/id/813208">http://www.kb.cert.org/vuls/id/813208</a>></li> <li>CERT/CC Vulnerability Note VU#334928 - <<a href="http://www.kb.cert.org/vuls/id/334928">http://www.kb.cert.org/vuls/id/334928</a>></li> <li>CERT/CC Vulnerability Note VU#25249 - <<a href="http://www.kb.cert.org/vuls/id/25249">http://www.kb.cert.org/vuls/id/25249</a>></li> <li>eEye Digital Security Advisory AD20030820 - <<a href="http://www.eeye.com/html/Research/Advisories/AD20030820.html">http://www.eeye.com/html/Research/Advisories/AD20030820.html</a>></li> <li>SNS Advisory No. 67 - <<a href="http://www.lac.co.jp/security/english/snsadv_e/67_e.html">http://www.lac.co.jp/security/english/snsadv_e/67_e.html</a>></li> <li>SNS Advisory No. 68 - <<a href="http://www.lac.co.jp/security/english/snsadv_e/68_e.html">http://www.lac.co.jp/security/english/snsadv_e/68_e.html</a>></li> <li>Microsoft Security Bulletin MS03-032 - <<a href="http://microsoft.com/technet/security/bulletin/MS03-032.asp">http://microsoft.com/technet/security/bulletin/MS03-032.asp</a>></li> <li>Microsoft Security Bulletin MS03-040 - <<a href="http://microsoft.com/technet/security/bulletin/MS03-040.asp">http://microsoft.com/technet/security/bulletin/MS03-040.asp</a>></li> <li>Microsoft KB Article 822925 - <<a href="http://support.microsoft.com/?id=822925">http://support.microsoft.com/?id=822925</a>></li> <li>Microsoft KB Article 811630 - <<a href="http://support.microsoft.com/?id=811630">http://support.microsoft.com/?id=811630</a>></li> <li>Microsoft KB Article 827641 - <<a href="http://support.microsoft.com/?id=827641">http://support.microsoft.com/?id=827641</a>></li> <li>ASP.NET Fix for 'Server Application Unavailable' Error - <<a href="http://www.asp.net/faq/ms03-32-issue.aspx">http://www.asp.net/faq/ms03-32-issue.aspx</a>></li> </ul> <hr noshade> <p> Microsoft credits <a href="http://www.eeye.com/">eEye Digital Security</a>, <a href="http://www.lac.co.jp/security/english/index.html">LAC</a>, and <a href="http://www.kpmg.co.uk">KPMG UK</a> for reporting these vulnerabilities. Information from eEye, LAC, and Microsoft was used in this document. </p> <hr noshade> <p> Feedback can be directed to the author, <a href="mailto:cert@cert.org?subject=CA-2003-12%20%20VU%23865940%20Feedback">Art Manion</a>. </p> <!--#include virtual="/include/footer_nocopyright2.html" --> <p>Copyright 2003 Carnegie Mellon University.</p> <a name="revision"></a> <p>Revision History <p> <small> August 26, 2003: Initial release<br> September 3, 2003: Added patch warning about WinXP/.NET web servers<br> September 9, 2003: Noted patch does not address VU#865940 and point to workarounds<br> October 4, 2003: Added information about MS03-040<br> October 6, 2003: Fixed VU#865490 typo, fixed CAN-2003-808 reference, added #revision tag<br> </small> </p> |