RealTime IT News

Microsoft Supplies 'Critical' Patch for IE

It is becoming a busy day for bug fixes within Microsoft's flagship Internet Explorer browser.

The software giant issued a massive security patch to deal with six vulnerabilities within IE 5.1, 5.5 and 6.0 browsers. Describing the bugs as "critical," Microsoft urged in a security bulletin that the patch should be downloaded by anyone using IE 5.1, 5.5 or the newest 6.0 versions.

The patch addresses a buffer overflow hole that could give an attacker complete control of a user's machine and another vulnerability that would let an attacker view files on an IE user's local drive. The patch was also needed to offset an HTML header manipulation hole that would allow an attacker to feed an executable file to a victim while causing it to appear to be a harmless text file, Microsoft said.

According to Microsoft, the most serious vulnerability involves a bug in the way the IE 6.0 browser handles "content-disposition" and "content-type" header fields within HTML streams. This bug would let an attacker change HTML header information, affecting how IE handles downloads.

It would let an attacker create a Web page or HTML mail that "would automatically run an executable on the user's system," Microsoft said.

"In such a case, it is possible for IE to believe that a file is a type safe for automatic handling, when in fact it is executable content. An attacker could seek to exploit this vulnerability by constructing a specially malformed web page and posting a malformed executable file. He could then post the web page or mail it to the intended target.

These two new variants differ from the original vulnerability in that, for a system to be vulnerable, it must have an application present that, when it is erroneously passed the malformed content, chooses to hand it back to the operating system rather than immediately raise an error. A successful attack, therefore, would require that the attacker know that the intended victim has one of these applications present on their system," according to the advisory.
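The header-handling flaw above comes down to one rule a download path has to enforce: the declared type in Content-Type and the filename in Content-Disposition are attacker-controlled and must not decide on their own whether content is safe to run. The following is an added example, not code from the article, Microsoft or GreyMagic, of the kind of check a download gateway or mail filter applies. It parses both headers with the Python standard library, then compares the declared type against the filename extension and the body's leading bytes, treating the content as executable whenever any one of those signals says so. It goes slightly beyond the article in that it also honours the `name` parameter of Content-Type as a filename fallback. The sample responses, the extension list and the function names are constructed for this illustration.

```python
import os
from email.message import Message  # stdlib parser for MIME-style header fields

# Extensions that Windows treats as directly runnable (constructed, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"}
MZ_SIGNATURE = b"MZ"  # first two bytes of a DOS/PE executable


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_download(raw: bytes) -> dict:
    """Decide whether a response must be handled as executable content.

    The declared type is recorded but never trusted on its own: the filename
    extension and the body's magic bytes each independently force the
    'executable' decision, and a text/* label on executable content is
    reported as a header mismatch.
    """
    _, headers, body = parse_response(raw)
    msg = Message()
    for name, value in headers.items():
        msg[name] = value  # Message handles quoting and parameter parsing

    declared_type = msg.get_content_type()          # defaults to text/plain
    filename = msg.get_filename() or ""             # Content-Disposition, then Content-Type name=
    ext = os.path.splitext(filename.lower())[1]

    ext_executable = ext in EXECUTABLE_EXTENSIONS
    magic_executable = body.startswith(MZ_SIGNATURE)
    treat_as_executable = ext_executable or magic_executable
    return {
        "declared_type": declared_type,
        "filename": filename,
        "ext_executable": ext_executable,
        "magic_executable": magic_executable,
        "treat_as_executable": treat_as_executable,
        # the situation the article describes: executable content labelled as text
        "header_mismatch": treat_as_executable and declared_type.startswith("text/"),
    }


# Constructed sample responses for the three cases the check distinguishes.
SAFE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b'Content-Disposition: attachment; filename="notes.txt"\r\n'
    b"\r\n"
    b"just some notes\n"
)

# Executable bytes behind a text label and a harmless-looking name.
MISLABELLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b'Content-Disposition: attachment; filename="notes.txt"\r\n'
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"
)

# Text label, but the filename itself is an executable extension.
RENAMED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain; name=setup.exe\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"
)


if __name__ == "__main__":
    for label, raw in (("safe", SAFE_RESPONSE),
                       ("mislabelled", MISLABELLED_RESPONSE),
                       ("renamed", RENAMED_RESPONSE)):
        print(label, classify_download(raw))
```

The design point is that the three signals are combined with "or" on the executable side, so an attacker who controls the headers cannot talk the check out of an executable verdict; only the mismatch flag, which is purely informational, depends on what the headers claim.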

Microsoft said the patch would also fix a cross-site scripting vulnerability on a local HTML page that could allow a script to execute as if it were run by the IE user, causing it to run in the local computer zone.

"An attacker could craft a web page with a URL that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the web page was viewed and the user clicked on the URL link, the attacker's script, injected into the local resource, would run in the Local Computer zone, allowing it to run with fewer restrictions than it would otherwise have," the company said.

In what is being described as the 'mother of all patches,' Microsoft said the vulnerabilities also include a cookie information-sharing hole that could allow one site to read the cookies of another and a zone-spoofing hole that could allow a Web page to pretend to be a trusted Website.

It said an attacker could build a special cookie containing script and then construct a Web page with a hyperlink that would deliver that cookie to the user's system and invoke it. The attacker could then send that Web page as mail or post it on a server. "When the user clicked the hyperlink and the page invoked the script in the cookie, it could potentially read or alter the cookies of another site. Successfully exploiting this, however, would require that the attacker know the exact name of the cookie as stored on the file system to be read successfully," it added.

Microsoft said the zone-spoofing vulnerability could allow a Web page to be incorrectly reckoned to be in the Intranet zone or, in some very rare cases, in the Trusted Sites zone. "An attacker could construct a web page that exploits this vulnerability and attempt to entice the user to visit the web page. If the attack were successful, the page would be run with fewer security restrictions than is appropriate," it warned.

It also introduces a behavior change to the Restricted Sites zone. "Specifically, it disables frames in the Restricted Sites zone. Since Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update and Outlook 2002 all read email in the Restricted Sites zone by default, this enhancement means that those products now effectively disable frames in HTML email by default. This new behavior makes it impossible for an HTML email to automatically open a new window or to launch the download of an executable," the company said.

The patch also covers a permission vulnerability (not included in the original advisory) that would allow an intruder to execute code even if scripting was disabled by the user. It also fixes the Document.Open() vulnerability, which put MSN and Windows Messenger users at security risk.

Immediately after Microsoft issued its monster patch, GreyMagic Software argued that the advisory contained "several severe errors."

GreyMagic said Microsoft's claim that there was a problem with cross-site scripting was not accurate. "The problem is not plain cross site scripting, the problem is that dialogArguments' security restrictions are bypassed and it is passed to the dialog even though it shouldn't," it said in a statement.

On Microsoft's claim that "a successful attack requires that a user first click on a hyperlink," GreyMagic said: "This is simply wrong, the user doesn't have to click anything for this issue to be exploited, it can run automatically."

The group, which added a demonstration to its site, said Microsoft's claims that the remote attack issue only exists in IE 6.0 were also incorrect. "Microsoft did not understand the problem. They only patched a symptom of this vulnerability, not its root cause. As a result of that incomplete 'patch', IE5 and IE5.5 are still very much vulnerable to this attack in other resources," it added.