SecurityTracker.com
Category:   Application (E-mail Client)  >   Microsoft Internet Explorer (IE)
Vendors:   Microsoft
(CIAC Issues Bulletin) Re: Microsoft Internet Explorer May Automatically Execute Certain E-mail Attachments
SecurityTracker Alert ID:  1001223
SecurityTracker URL:  http://securitytracker.com/id/1001223
CVE Reference:   CVE-2001-0154
Updated:  Apr 3 2001
Original Entry Date:  Apr 3 2001
Impact:   Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5.01 (except with Service Pack 2), 5.5
Description:   Microsoft issued a security bulletin (MS01-020) announcing that, when rendering HTML-based e-mail messages that have incorrect MIME headers, Microsoft Internet Explorer may execute arbitrary code contained in an attachment to the email.

There is a flaw in Internet Explorer's processing of certain "unusual" MIME types. An attacker can create an HTML-based e-mail whose header specifies one of these unusual MIME types and which carries an executable attachment; Internet Explorer will then execute the attachment automatically when it processes the message.

The vendor notes that the vulnerability cannot be exploited if the "File Downloads" setting has been expressly disabled in the Security Zone in which the e-mail is rendered.

Impact:   A remote attacker could send a specially crafted HTML-based e-mail message containing a malicious executable that will be automatically executed by Internet Explorer when a recipient opens the e-mail for reading (if the user's default browser is Internet Explorer).
Solution:   The vendor has released a patch.
Vendor URL:  www.microsoft.com/technet/security/bulletin/MS01-020.asp
Cause:   State error
Underlying OS:   Windows (Any)
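
A mail-gateway check for the condition described above, as an added example that is not part of the advisory or the vendor bulletin: it flags executable content in HTML mail whose declared MIME type does not say so. The advisory does not name the affected MIME types, so the check compares the declared type with the content; the extension list, the HONEST_TYPES allowlist, the build_sample helper and the "x-constructed/unusual" type are assumptions made for illustration.

```python
import base64
import email
from email import policy

EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")
# Assumption: declared types under which an executable attachment is honest.
HONEST_TYPES = {"application/octet-stream", "application/x-msdownload"}

def looks_executable(part):
    """True if the filename or decoded bytes indicate a Windows executable."""
    name = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    return name.endswith(EXEC_EXTS) or payload[:2] == b"MZ"

def audit_message(raw_bytes):
    """Return (has_html, findings); each finding is (declared_type, filename)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    has_html, findings = False, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html" and part.get_filename() is None:
            has_html = True
        elif looks_executable(part) and ctype not in HONEST_TYPES:
            findings.append((ctype, part.get_filename()))
    return has_html, findings

def build_sample(declared_type, filename, payload):
    """Constructed test message: one HTML body plus one base64 attachment."""
    b64 = base64.b64encode(payload).decode()
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>\r\n"
        f'--b1\r\nContent-Type: {declared_type}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{b64}\r\n--b1--\r\n"
    ).encode()

if __name__ == "__main__":
    raw = build_sample("x-constructed/unusual", "notes.dat", b"MZ\x90\x00stub")
    print(audit_message(raw))
```

A message is worth quarantining when has_html is true and findings is non-empty, since the advisory ties the problem to HTML-based mail rendered by Internet Explorer.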

Message History:   This archive entry is a follow-up to the message listed below.
Mar 30 2001 Microsoft Internet Explorer May Automatically Execute Certain E-mail Attachments



 Source Message Contents

Date:  Tue, 3 Apr 2001 09:36:01 -0700 (PDT)
Subject:  CIAC BULLETIN L-066 Internet Explorer MIME Header Vulnerability


  [for public release]
-----BEGIN PGP SIGNED MESSAGE-----


             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                Internet Explorer MIME Header Vulnerability

April 2, 2001 23:00 GMT                                           Number L-066
______________________________________________________________________________
PROBLEM:       Internet Explorer incorrectly handles some unusual MIME types 
               which could allow binary attachments to be run in mail 
               messages. 
PLATFORM:      Windows platforms with mail readers that use Internet Explorer 
               to render html formatted mail messages (Outlook, Outlook 
               Express, others) and that have Internet Explorer versions 5.01 
               or 5.5 installed. Internet Explorer version 5.01 service pack 2 
               is not affected. 
DAMAGE:        The vulnerability could allow an intruder to craft an html mail 
               message that would automatically launch an attached binary 
               file. 
SOLUTION:      Apply patches available from the Microsoft website. 
               http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The MIME types that cause the problem are 
ASSESSMENT:    not well known and the vulnerability is not in the wild. This 
               assessment could change rapidly as intruders learn the details 
               of the vulnerability and how to exploit it. 
______________________________________________________________________________

The following bulletin was posted on the Microsoft website on March 29, 2001. 
See the Microsoft website for the latest version of this bulletin: 

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp 

- -------------------Start of Microsoft Bulletin------------------- 

http://www.ciac.org/ciac/bulletins/l-066.shtml


