The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Exploitation of Internet Explorer Vulnerability</h2>

Original release Date: October 1, 2003<br/>
Last revised: October 4, 2003<br/>
<h3>Overview</h3>
<p>The CERT/CC has received reports indicating that attackers are
actively exploiting the Microsoft Internet Explorer vulnerability
described in <a href="http://www.kb.cert.org/vuls/id/865940">VU#865940</a>.</p>
<h3>Description</h3>
<p>Reports to the CERT/CC indicate that attackers are leveraging the
vulnerability described in <a href="http://www.kb.cert.org/vuls/id/865940">VU#865940</a> to cause
victim systems to perform various tasks.  These attacks include the
installation of tools for launching distributed denial-of-service
(DDoS) attacks, reading sensitive information from the Windows
registry, and the use of the victim system's modem to dial
pay-per-minute services thereby incurring significant expense to
users. Another attack known as "QHosts" misdirects network traffic by
modifying Domain Name System (DNS) settings. By convincing a user
running a vulnerable version of Microsoft Internet Explorer (IE) to
view an HTML document (e.g., a web page or HTML email), a remote
attacker could execute arbitrary code with the privileges of the
user.</p>
<p>The vulnerability described in VU#865940 exists due to an
interaction between IE's MIME type processing and the way it handles
HTML application (HTA) files embedded in OBJECT tags.  When an HTA
file is referenced by the DATA attribute of an OBJECT element, and the
web server returns the Content-Type header set to <font face="monospace">application/hta</font>, IE may execute the HTA file
directly, without user intervention.  The HTML used to reference the
HTA file can be created in at least three ways:

<ol>
<li>The HTML can be static</li>
<li>The HTML can be generated by script</li>
<li>The HTML can be generated by <a href="http://msdn.microsoft.com/workshop/author/databind/data_binding.asp">Data
Binding</a> an XML source to an HTML consumer</li>
</ol>

The extension of the HTA file does not affect this behavior, for
example <font face="monospace">&lt;OBJECT DATA="somefile.jpg"&gt;</font> (where
somefile.jpg is a text file containing HTML code).  IE security zone
settings for ActiveX controls may prevent an HTA from being executed
in this manner.</p>
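<p>As an added illustration (not CERT/CC code), the following Python scans static HTML for the constructs described above: an OBJECT element with a DATA attribute, regardless of the referenced file's extension, and the IE data-binding attributes (<font face="monospace">datasrc</font>, <font face="monospace">datafld</font>, <font face="monospace">dataformatas</font>) that render an XML source as HTML. The sample documents are constructed for the example. A static scan cannot see an OBJECT element that script creates at run time, so the scanner reports SCRIPT elements separately as needing dynamic inspection.</p>

```python
"""Flag HTML that can trigger the OBJECT/HTA behaviour described in VU#865940.

Added illustration, not CERT/CC code. Covers the static case (OBJECT with a
DATA attribute) and the data-binding case (datasrc/datafld attributes). The
script-generated case is only visible at run time, so SCRIPT elements are
reported for dynamic inspection rather than judged here.
"""
from html.parser import HTMLParser


class ObjectHtaScanner(HTMLParser):
    """Collect (kind, detail) findings while parsing a document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values may be None.
        a = {name: (value or "") for name, value in attrs}
        if tag == "object" and "data" in a:
            # The extension of the referenced file is irrelevant: the server's
            # Content-Type header decides how IE treats it.
            self.findings.append(("object-data", a["data"]))
        if "datasrc" in a or "datafld" in a:
            # dataformatas="html" lets a bound XML field be rendered as markup.
            self.findings.append(("data-binding", a.get("dataformatas", "").lower()))
        if tag == "script":
            self.findings.append(("script", a.get("src", "inline")))


def scan_html(html):
    """Return the list of findings for one HTML document."""
    scanner = ObjectHtaScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(html):
    """True when a static OBJECT/DATA or data-binding construct is present."""
    return any(kind in ("object-data", "data-binding") for kind, _ in scan_html(html))


# Constructed sample documents (not captured from any real attack).
SAMPLE_HTML = """<html><body>
<object data="somefile.jpg"></object>
<span datasrc="#island" datafld="row" dataformatas="html"></span>
<img src="logo.gif">
</body></html>"""
BENIGN_HTML = '<html><body><p>Hello</p><img src="logo.gif"></body></html>'
SCRIPTED_HTML = '<html><body><script src="page.js"></script></body></html>'

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML), ("scripted", SCRIPTED_HTML)):
        print(name, is_suspicious(doc), scan_html(doc))
```

<p>A document that only contains SCRIPT elements is not flagged as suspicious by this static check; it is reported so that a reviewer knows the script-generated case cannot be ruled out without executing the page.</p>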
<p>Additional
details on VU#865940 can be found in the <a href="http://www.kb.cert.org/vuls/id/865940">Vulnerability Note</a>.</p>
<p>Any program that uses the WebBrowser ActiveX control or the IE HTML
rendering engine (MSHTML) may be affected by this vulnerability.
Outlook and Outlook Express are affected, however recent versions of
these programs open mail in the Restricted sites zone where ActiveX
controls and plug-ins are disabled by default.</p>

<p>Although Microsoft released a cumulative patch for Internet
Explorer (see <a href="http://www.microsoft.com/technet/security/bulletin/MS03-032.asp">MS03-032</a>)
that stops HTAs from executing in one case in which static HTML is
used to create an OBJECT element referencing the HTA, the patch did
<b>not</b> prevent HTAs from executing in the cases when the requisite
HTML is generated by script or by Data Binding.  We have confirmed
reports of attackers exploiting the Data Binding method.  Microsoft
has subsequently released security bulletin <a href="http://www.microsoft.com/technet/security/bulletin/MS03-040.asp">MS03-040</a>
which supersedes MS03-032 and references a patch (828750) that
purportedly fixes the cases where the HTML is generated by script or
Data Binding.</p>
<h3>Solutions</h3>


The CERT/CC is unaware of a complete solution for this vulnerability.

<h4>Apply patch</h4>
<p>The cumulative patch (822925) referenced in Microsoft Security
Bulletin <a href="http://www.microsoft.com/technet/security/bulletin/MS03-032.asp">MS03-032</a>
(released on 2003-08-20) stops HTAs from executing in one case in
which static HTML is used to create an OBJECT element referencing the
HTA (1). The patch does <b>not</b> prevent HTAs from executing in at
least two other cases in which the requisite HTML is generated by
script (2) or by Data Binding (3).  Microsoft has since released a new
cumulative patch (828750), referenced in Microsoft Security Bulletin
<a href="http://www.microsoft.com/technet/security/bulletin/MS03-040.asp">MS03-040</a>
that fixes the latter cases.  The CERT/CC recommends that users and
administrators apply the patches from MS03-040 and consider taking the
additional steps outlined below.</p>
<h4><u>Additional steps for users</u></h4>
<h4>Disable ActiveX controls and plug-ins</h4>
<p>It appears that disabling the "Run ActiveX controls and plug-ins"
setting will prevent OBJECT elements from being instantiated, thus
preventing exploitation of this vulnerability. Disable "Run ActiveX
controls and plug-ins" in the Internet zone and any zone used to read
HTML email. Note that there may be other attack vectors that are not
governed by the "Run ActiveX controls and plug-ins" setting.</p>
<h4>Apply the Outlook Email Security Update</h4>
<p>Another way to effectively disable ActiveX controls and plug-ins in
Outlook is to install the Outlook Email Security Update. The update
configures Outlook to open email messages in the Restricted Sites
Zone, where Active scripting is disabled by default. In addition, the
update provides further protection against malicious code that
attempts to propagate via Outlook. The Outlook Email Security Update
is available for Outlook 98 and Outlook 2000. The functionality of the
Outlook Email Security Update is included in Outlook 2002 and Outlook
Express 6.</p>
<h4>Maintain updated antivirus software</h4>
<p>Antivirus software with updated virus definitions may identify and
prevent some exploit attempts. Variations of exploits or attack
vectors may not be detected. Do not rely on antivirus software to
defend against this vulnerability. The CERT/CC maintains a partial
list of <a href="http://www.cert.org/other_sources/viruses.html#VI">antivirus vendors</a>.</p>
<h4><u>Additional steps for system administrators</u></h4>

The following steps are recommended for system administrators and advanced users.

<h4>Unmap HTA MIME type</h4>
<p>Deleting or renaming the following registry key prevents HTAs from executing in the three cases listed above:</p>
<ul>
<li><font face="monospace">HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta</font></li>
</ul>
<p>Note that there may be other attack vectors that do not rely on this MIME setting.</p>
<h4>Block Content-Type headers</h4>
<p>Use an application layer firewall, HTTP proxy, or similar technology
to block or modify HTTP Content-Type headers with the value
"application/hta". This technique may not work for encrypted HTTP
connections and it may break applications that require the
"application/hta" Content-Type header.</p>
<h4>Block mshta.exe</h4>
<p>Use a host-based firewall to deny network access to the HTA host:
%SystemRoot%\system32\mshta.exe. Examining network traces of known
attack vectors, it seems that the exploit HTML/HTA code is accessed
three times, twice by IE and once by mshta.exe. The HTA is
instantiated at some point before the third access attempt. Blocking
mshta.exe prevents the third access attempt, which appears to prevent the
exploit code from being loaded into the HTA. There may be other attack
vectors that circumvent this workaround. For example, a vulnerability
that allowed data in the browser cache to be loaded into the HTA could
remove the need for mshta.exe to access the network. This technique
may break applications that require HTAs to access the network. Also,
specific host-based firewalls may or may not properly block mshta.exe
from accessing the network.</p>
<h4>Recovering from a system compromise</h4>
<p>If you believe a system under your administrative control has been
compromised, please follow the <a href="http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">Steps
for Recovering from a UNIX or NT System Compromise</a>.</p>
<h3>Reporting</h3>

The CERT/CC is tracking activity related to this vulnerability as
CERT#35432. Relevant artifacts or reports can be sent to
cert@cert.org with the appropriate CERT# in the subject line.

<hr noshade="" width="100%"/>
<b>Authors</b>: <a href="mailto:cert@cert.org?subject=IN-2003-04%20Feedback">Allen
Householder, Art Manion, and Chad Dougherty</a><br/>
<p>Copyright ©2003 Carnegie Mellon University.</p>
<p>Revision History</p>
<p>
<small>
October 1, 2003:  Initial release<br/>
October 4, 2003:  Added information pertaining to MS03-040, noted registry and QHosts attacks<br/>
</small>
</p>