Multiple Vulnerabilities in Microsoft Internet Explorer - 13 Feb 2002
Six new vulnerabilities have been discovered in Microsoft Internet Explorer.
February 12, 2002
Reported February 12, 2002, by GFI and Microsoft.
VERSIONS AFFECTED
Microsoft Internet Explorer 6
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01
DESCRIPTION
Six new vulnerabilities have been discovered in Microsoft Internet Explorer.
The first involves a buffer overrun associated with an HTML directive used to embed a document within a web page. By creating a web page that invokes this directive using specially selected attributes, a potential attacker could cause code to run on the user's system.
The second vulnerability is associated with the "GetObject" scripting function. Before providing a handle to an operating system object, "GetObject" should perform a series of security checks to make sure that the caller has sufficient privileges to it. By requesting a handle to a file using a specially malformed representation, it may be possible to bypass some of these checks, allowing a web page to complete an operation that should have been prevented. This could result in the reading of files on the visiting user's system.
The third vulnerability is related to the display of file names in the File Download dialogue box. When a file download from a web site is started, a dialogue provides the name of the file and lets the user choose what action to take. A flaw exists in the way the system handles the HTML header fields "Content-Disposition" and "Content-Type". This could enable a potential attacker to misrepresent the name of the file in the dialogue in an attempt to trick a user into opening or saving an unsafe file.
The fourth vulnerability could allow a web page to open a file on the web site, using any application installed on a user's system. By design, Internet Explorer should only open a file on a web site using the application which is registered to that type of file, and only if it is on a list of safe applications. Through a flaw in the handling of the Content-Type HTML header field, a potential attacker could circumvent this restriction and specify the application to be invoked for processing a particular file. Internet Explorer would comply, even if the system lists the application as unsafe.
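As an added defensive example (not from the advisory or from Microsoft), the check below cross-checks the file name declared in Content-Disposition against the Content-Type of a download response, the two header fields the third and fourth vulnerabilities above misuse, as a download proxy or log reviewer might; the extension lists, MIME mapping and sample responses are constructed assumptions.

```python
import re

# Extensions that should never arrive under a benign declared MIME type
# (assumed list; tune per environment).
RISKY_EXTENSIONS = {"exe", "hta", "vbs", "js", "scr", "bat", "com", "pif", "wsf"}
# MIME types expected for a few benign-looking extensions (assumed mapping).
EXPECTED_TYPES = {"txt": "text/plain", "jpg": "image/jpeg", "gif": "image/gif",
                  "html": "text/html", "pdf": "application/pdf"}
FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]+)"?', re.IGNORECASE)

def parse_headers(raw):
    """Map lower-cased header names to values from raw response-header text."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_download_headers(raw):
    """Return a list of findings for a download response; empty means nothing flagged."""
    headers = parse_headers(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    match = FILENAME_RE.search(headers.get("content-disposition", ""))
    if not match:
        return []  # no declared file name, nothing to cross-check
    filename = match.group(1).strip()
    findings = []
    # Control characters can truncate or reorder what the dialogue displays.
    if any(ord(ch) < 32 for ch in filename):
        findings.append("control characters in filename")
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # Executable extension presented under a harmless declared type.
    if ext in RISKY_EXTENSIONS and ctype in EXPECTED_TYPES.values():
        findings.append(f"executable extension .{ext} served as {ctype}")
    # Benign extension but a Content-Type that would select a different handler.
    expected = EXPECTED_TYPES.get(ext)
    if expected and ctype and ctype != expected:
        findings.append(f".{ext} expected {expected}, got {ctype}")
    return findings

# Constructed sample responses (not captured traffic).
SAMPLE_SPOOFED_NAME = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                       'Content-Disposition: attachment; filename="readme.txt.exe"\r\n')
SAMPLE_TYPE_MISMATCH = ("HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\n"
                        'Content-Disposition: attachment; filename="notes.txt"\r\n')
SAMPLE_CLEAN = ("HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                'Content-Disposition: attachment; filename="report.pdf"\r\n')
```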
The fifth vulnerability could enable a web page to run a script even if the user has disabled scripting. Internet Explorer will check for the presence of scripts when initially rendering a page. By using the capability that exists for objects on a web page to respond to asynchronous events and misusing this capability in a particular way, it may be possible for a web page to fire a script after the page has passed the initial security checks.
The sixth vulnerability is another variant of the "Frame Domain Verification" vulnerability discussed in Microsoft Security Bulletin MS01-058. This vulnerability could enable a malicious web site operator to open two browser windows, one in the web site's domain and the other on the user's local file system. The malicious site would then use the "Document.open" function to pass information from the local file system to the web site. This could enable the malicious web site to read any file on the user's local computer that could be opened in a browser window.
VENDOR RESPONSE
The vendor, Microsoft, has released security bulletin MS02-005, which addresses these vulnerabilities, and recommends that affected users apply the appropriate patch listed in Knowledge Base Article Q316059.
CREDIT
Discovered by Sandro Gauci, dH team and SECURITY.NNOV