(Patch is Incomplete - Product is Still Vulnerable) Re: Microsoft Internet Explorer Object Tag Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1007658 |
SecurityTracker URL: http://securitytracker.com/id/1007658
CVE Reference:
CAN-2002-0532
Date: Sep 8 2003
Impact:
Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 5.01, 5.5, 6.0
Description:
A vulnerability was reported in Microsoft Internet Explorer (IE) in the processing of a certain object data tag. A remote user can cause arbitrary code to be executed on the target user's computer.
It was reported that IE does not properly determine an object data tag returned from a web server. A remote user can create HTML that, when loaded, will cause arbitrary code to be executed on a target user's system. According to the report, IE does not properly validate a certain parameter in an HTTP response. The response can point to a specific type of file to cause an object to be scripted and executed.
Microsoft credited eEye Digital Security with reporting this flaw and issued a patch. However, a new report indicates that the patch does not fully correct the flaw. According to the report, pop-up windows are still vulnerable (if Active Scripting is enabled, of course).
A demonstration exploit that will place an executable file on your C:\ drive is available at:
http://www.malware.com/badnews.html
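The defensive point in the description above is that the object data tag is the delivery vehicle, and that the unpatched path is an object tag created from script (in a pop-up window) rather than written directly in the page. The following scanner is an added example written for this entry; it is not SecurityTracker's code nor the poster's. It uses Python's standard HTML parser to collect object tags from markup and from script text, and flags the two patterns the advisory and the follow-up message name: a data= target that is a server-side script or HTA (where the server, not the extension, decides the content type) and a file://::{CLSID} control-panel moniker. The sample page, the zero-GUID CLSID and the function names are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Extensions that let the server answer with whatever content type it likes
# (including an HTA) for what looks like an ordinary object resource.
SERVER_SCRIPT_EXTS = (".hta", ".php", ".asp", ".cgi")

# <object ... data=TARGET> inside script text (e.g. an innerHTML string).
OBJECT_IN_SCRIPT_RE = re.compile(
    r"<object\b[^>]*?\bdata\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

# Constructed sample: one benign object tag, one object tag injected into a
# pop-up from script, and one object tag using a (placeholder) CLSID moniker.
SAMPLE_HTML = """
<html><body>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
<script>
var oPopup = window.createPopup();
function showPopup() {
  oPopup.document.body.innerHTML = "<object data=ouch.php>";
  oPopup.show(0,0,1,1,document.body);
}
showPopup()
</script>
<object data="file://::{00000000-0000-0000-0000-000000000000}"></object>
</body></html>
"""


class _ObjectTagCollector(HTMLParser):
    """Collect data= values of real <object> tags and the raw text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.object_data = []   # data= attribute values seen in markup
        self.script_text = []   # bodies of <script> elements, unparsed
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            for name, value in attrs:
                if name == "data" and value is not None:
                    self.object_data.append(value)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script content is CDATA to the parser, so it arrives here verbatim.
        if self._in_script:
            self.script_text.append(data)


def classify_object_data(data):
    """Return a reason string if the object data target is suspicious, else None."""
    target = data.strip().lower()
    if target.startswith("file://::{"):
        return "shell CLSID moniker used as object data"
    path = target.split("?", 1)[0].split("#", 1)[0]
    if path.endswith(SERVER_SCRIPT_EXTS):
        return "object data points at a server-side script/HTA (%s)" % path.rsplit(".", 1)[-1]
    return None


def find_suspicious_object_tags(html):
    """Return findings for object tags in markup and for object tags built from script."""
    parser = _ObjectTagCollector()
    parser.feed(html)
    parser.close()
    script = "\n".join(parser.script_text)
    uses_popup = "createpopup(" in script.lower()
    findings = []
    # Object tags written in the markup itself: flag only the suspicious targets.
    for data in parser.object_data:
        reason = classify_object_data(data)
        if reason:
            findings.append({"where": "markup", "data": data, "reason": reason})
    # Object tags assembled from script: always worth a look, more so with a pop-up.
    for match in OBJECT_IN_SCRIPT_RE.finditer(script):
        data = match.group(1)
        reason = classify_object_data(data) or "object tag built from script"
        if uses_popup:
            reason += "; page also uses window.createPopup()"
        findings.append({"where": "script", "data": data, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_object_tags(SAMPLE_HTML):
        print("%(where)s: data=%(data)s (%(reason)s)" % finding)
```

Run against the constructed page, the benign Flash object is ignored, the CLSID moniker in markup is flagged, and the script-built ouch.php object is flagged together with the createPopup() context. The regex pass over script text is deliberately crude; it is meant as a proxy or mail-gateway heuristic, not a parser for every way an object element can be created from script.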
Impact:
A remote user can create HTML that, when loaded, will cause arbitrary code to be executed on the target user's computer with the privileges of the target user.
Solution:
It is reported that the Microsoft patch described below (MS03-032) does not fully fix the flaw.
Microsoft has issued the following cumulative patch that, according to the report, only partially fixes the flaw.
For all versions except Microsoft Internet Explorer 6.0 for Windows Server 2003:
http://www.microsoft.com/windows/ie/downloads/critical/822925/default.asp
For Microsoft Internet Explorer 6.0 for Windows Server 2003:
http://www.microsoft.com/windows/ie/downloads/critical/822925s/default.asp
The appropriate patch can be installed on IE 5.01 running on Windows 2000 systems with SP3 or SP4 installed, IE 5.5 SP2, IE 6.0 Gold, and IE 6.0 SP1.
This patch will reportedly be included in Windows XP SP2 and Windows Server 2003 SP1.
A reboot is required after installing this patch.
This patch supersedes the one reported in MS03-020.
See the vendor advisory for some important caveats regarding the HTML Help feature.
Microsoft has issued Knowledge Base article 822925 regarding this issue:
http://support.microsoft.com/default.aspx?scid=kb;en-us;822925
Vendor URL: www.microsoft.com/technet/security/bulletin/MS03-032.asp
Cause:
Input validation error, State error
Underlying OS:
Windows (Any)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Sun, 7 Sep 2003 13:17:14 -0000
Subject: [Full-Disclosure] BAD NEWS: Microsoft Security Bulletin MS03-032
Since the cat somehow got out of the bag, and more importantly, this
is so blatantly obvious, herewith is the "Bad News":
The patch for Drew's object data=funky.hta doesn't work:
http://www.malware.com/badnews.html
<script>
var oPopup = window.createPopup();
function showPopup() {
oPopup.document.body.innerHTML = "<object data=ouch.php>";
oPopup.show(0,0,1,1,document.body);
}
showPopup()
</script>
Notes:
1. Disable Active Scripting
2. In case that does not work, uninstall Internet Explorer
3. http://www.eeye.com/html/Research/Advisories/AD20030820.html
4. This was sent to the manufacturer quite some time prior to this
going out. Surprisingly no immediate acknowledgement
5. This is so blatantly obvious, in particular because it is
the coupling of two known issues [one current + one from 2002]:
http://www.securityfocus.com/bid/3867/
It is beyond comprehension why this was not checked from the
outset as it is a known issue plus file://::{CLSID} in the control
panel in the object tag still functions to date.
6. At this stage one must really question the competency of this
particular operation. This is a pathetic oversight.
--
http://www.malware.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html