Multiple Vulnerabilities in Microsoft Internet Explorer - 04 Feb 2004

Reported February 3, 2004, by Microsoft.

VERSIONS AFFECTED

·        Windows Server 2003, 64-Bit Edition

·        Windows Server 2003

·        Windows XP 64-Bit Edition Version 2003

·        Windows XP 64-Bit Edition

·        Windows XP 64-Bit Edition SP1

·        Windows XP

·        Windows XP SP1

·        Windows 2000 SP2, SP3, SP4

·        Windows NT Server 4.0, Terminal Server Edition (WTS) SP6

·        Windows NT Server 4.0 SP6a

·        Windows NT Workstation 4.0 SP6a

DESCRIPTION

Microsoft Internet Explorer (IE) contains three vulnerabilities,the most serious of which can result in the execution of arbitrary code on the vulnerable computer. These three new vulnerabilities consist of the following:

·        A cross-domain security vulnerability in the IE model, which prevents windows of different domains from sharing information. This vulnerability could result in the execution of script in the Local Machine zone. To exploit this vulnerability, an attacker would need to host a malicious Web site that contained a Web page designed to exploit the vulnerability, then persuade a vulnerable user to view the Web page. The attacker could also create an HTML email message designed to exploit the vulnerability and persuade the user to view the HTML email message. After the user has visited the malicious Web site or viewed the malicious HTML email message, the attacker could access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged-on user.

·        A vulnerability that involves performing a drag-and-drop operation with function pointers during dynamic HTML (DHTML) events in IE. This vulnerability could permit a file to be saved in a target location on the user's system if the user clicked a link. No dialog box would request that the user approve this download. To exploit this vulnerability, an attacker would need to host a malicious Web site that contained a Web page with a specially crafted link and persuade a vulnerable user to click that link. The attacker could also create an HTML email message that had a specially crafted link, then persuade the user to view the HTML email message and click the malicious link. Clicking this link wouldn't execute code of the attacker's choice, but code could be saved on the user's computer in a targeted location.

·        A vulnerability involving the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that puts "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an IE window. To exploit this vulnerability, an attacker would need to host a malicious Web site that contained a Web page with a specially crafted link. The attacker would then need to persuade a user to click that link. The attacker could also create an HTML email message that had a specially crafted link, then persuade the user to view the HTML email message and click the malicious link. If the user clicked this link, an IE window could open with a URL of the attacker's choice in the address bar but with content from a Web site of the attacker's choice inside the window. For example, an attacker could create a link that, once clicked on by a user, would display http://www.tailspintoys.com in the address bar, but actually contained content from http://www.wingtiptoys.com.

VENDOR RESPONSE

Microsoft has released security bulletinMS04-003, "Cumulative Security Update for Internet Explorer (832894)," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch listed in the bulletin.

CREDIT

Discovered by Microsoft andAndreas Sandblad (Travel Log Cross Domain Vulnerability).