It is becoming a busy day for bug fixes within Microsoft’s flagship Internet Explorer browser.
The software giant issued a massive security patch to deal with six
vulnerabilities in the IE 5.1, 5.5 and 6.0 browsers. Describing the bugs as
"critical," Microsoft urged in a security bulletin that anyone using IE 5.1,
5.5 or the newest 6.0 version download the patch.
The patch addresses a buffer overflow hole that could give an attacker
complete control of a user’s machine and another vulnerability that would
let an attacker view files on an IE user's local drive. The patch was also
needed to close a header manipulation hole that would allow an attacker to
feed an executable file to a victim while causing it to appear to be a
harmless text file, Microsoft said.
According to Microsoft, the most serious vulnerability involves a bug in the
way the IE 6.0 browser handles the "content-disposition" and "content-type"
header fields of an HTML stream. These fields tell the browser what kind of
data it is receiving and whether it is safe to handle automatically; the bug
would let an attacker supply header information that misleads IE about how a
download should be handled.
It would let an attacker create a Web page or HTML mail that “would
automatically run an executable on the user’s system,” Microsoft said.
“In such a case, it is possible for IE to believe that a file is a type safe
for automatic handling, when in fact it is executable content. An attacker
could seek to exploit this vulnerability by constructing a specially
malformed web page and posting a malformed executable file. He could then
post the web page or mail it to the intended target.
These two new variants differ from the original vulnerability in that, for a
system to be vulnerable, it must have an application present that, when it
is erroneously passed the malformed content, chooses to hand it back to the
operating system rather than immediately raise an error. A
successful attack, therefore, would require that the attacker know that the
intended victim has one of these applications present on their system,”
according to the advisory.
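The check a server operator or proxy author would want for the mechanism described above is simple to state: if the Content-Disposition filename implies executable content while the Content-Type claims a harmless type such as text/plain, the response is lying about itself. The following Python script is an added example, not code from the article or from Microsoft; it parses a raw HTTP response header block, rejects malformed header lines rather than skipping them, and flags that mismatch. The extension and type lists are this example's own assumptions, and the sample responses are constructed, not captured traffic.

```python
# Added example (not from the article or Microsoft's advisory): detect a
# Content-Type / Content-Disposition mismatch in a raw HTTP response header
# block. The extension and type lists are assumptions; the samples are constructed.
import os

# Extensions Windows will run or hand to a script host (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                         ".vbs", ".js", ".hta", ".msi"}
# Types a browser is prepared to render or open without prompting (assumed list).
SAFE_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg", "image/png"}


def parse_headers(raw: str) -> dict:
    """Parse 'Status-Line CRLF Name: value CRLF ... CRLF CRLF' into a lower-cased dict.

    A header line without a colon is rejected rather than silently skipped:
    a malformed line is exactly what an attacker uses to confuse a lenient parser.
    """
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the status line
        if line == "":              # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep == "" or name.strip() == "":
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


def disposition_filename(value: str):
    """Return the filename parameter of a Content-Disposition value, or None."""
    for param in value.split(";")[1:]:
        key, sep, val = param.strip().partition("=")
        if sep and key.strip().lower() == "filename":
            return val.strip().strip('"')
    return None


def check_response(raw: str) -> list:
    """Return a list of findings for one response; an empty list means no mismatch."""
    findings = []
    headers = parse_headers(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    filename = disposition_filename(headers.get("content-disposition", ""))
    if not media_type:
        findings.append("missing content-type: browser will sniff the body")
    if filename is not None:
        ext = os.path.splitext(filename)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS and media_type in SAFE_TYPES:
            findings.append(f"mismatch: filename {filename!r} is executable but "
                            f"content-type says {media_type!r}")
    return findings


# Constructed sample responses (not captured traffic).
BENIGN = ("HTTP/1.1 200 OK\r\n"
          "Content-Type: text/plain\r\n"
          "Content-Disposition: attachment; filename=\"readme.txt\"\r\n"
          "\r\n")
MASQUERADE = ("HTTP/1.1 200 OK\r\n"
              "Content-Type: text/plain\r\n"
              "Content-Disposition: attachment; filename=\"readme.txt.exe\"\r\n"
              "\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("masquerade", MASQUERADE)):
        print(label, check_response(sample) or "ok")
```

The script deliberately keys on the last extension of the filename, so a double extension such as `readme.txt.exe` is caught; it does not inspect the body, which is the other half of a real check.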
Microsoft said the patch would also fix a cross-site scripting vulnerability
in a local HTML resource that could allow an attacker's script to execute as
if it were run by the IE user, in the Local Computer zone.
“An attacker could craft a web page with a URL that exploits this
vulnerability and then either host that page on a web server or send it as
HTML email. When the web page was viewed and the user clicked on the URL
link, the attacker's script would be injected into the local resource and
would run in the Local Computer zone, allowing it to run with fewer
restrictions than it would otherwise have," the company said.
In what is being described as the 'mother of all patches,' Microsoft said
the vulnerabilities also include a cookie information-sharing hole that could
allow one site to read the cookies of another and a zone-spoofing hole that
could allow a Web page to pretend to be a trusted Website.
It said an attacker could build a special cookie containing script and then
construct a Web page with a hyperlink that would deliver that cookie to the
user’s system and invoke it. The attacker could then send that Web page as
mail or post it on a server. “When the user clicked the hyperlink and the
page invoked the script in the cookie, it could potentially read or alter
the cookies of another site. Successfully exploiting this, however, would
require that the attacker know the exact name of the cookie as stored on the
file system to be read successfully,” it added.
Microsoft said the zone-spoofing vulnerability could allow a Web page to be
incorrectly reckoned to be in the Intranet zone or, in some very rare cases,
in the Trusted Sites zone. “An attacker could construct a web page that
exploits this vulnerability and attempt to entice the user to visit the web
page. If the attack were successful, the page would be run with fewer
security restrictions than is appropriate,” it warned.
The patch also introduces a behavior change to the Restricted Sites zone.
"Specifically, it disables frames in the Restricted Sites zone. Since
Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email
Security Update and Outlook 2002 all read email in the Restricted Sites zone
by default, this enhancement means that those products now effectively
disable frames in HTML email by default. This new behavior makes it
impossible for an HTML email to automatically open a new window or to launch
the download of an executable,” the company said.
The patch also covers a permission vulnerability (not included in the
original advisory) that would allow an intruder to execute code even if the
user had disabled scripting. It also fixes the Document.Open()
vulnerability, which put MSN and Windows Messenger users at risk.
Immediately after Microsoft issued its monster patch, GreyMagic Software argued that the
advisory contained “several severe errors.”
GreyMagic said Microsoft's claim that the problem was cross-site scripting
was not accurate. "The problem is not plain cross site scripting,
the problem is that dialogArguments’ security restrictions are bypassed and
it is passed to the dialog even though it shouldn’t,” it said in a
statement.
On Microsoft’s claim that “a successful attack requires that a user first
click on a hyperlink," GreyMagic said: "This is simply wrong, the user doesn't
have to click anything for this issue to be exploited, it can run automatically."
The group, which added a demonstration to its site,
said Microsoft’s claims that the remote attack issue only exists in IE 6.0
were also incorrect. "Microsoft did not understand the problem. They only
patched a symptom of this vulnerability, not its root cause. As a result of
that incomplete 'patch', IE5 and IE5.5 are still very much vulnerable to
this attack in other resources," it added.