Reported February 12, 2002, by GFI and Microsoft.
Microsoft Internet Explorer 6
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01
Six new vulnerabilities have been discovered in Microsoft Internet Explorer.
The first is a buffer overrun in the handling of an HTML directive used to embed a document within a web page. By creating a web page that invokes this directive with specially chosen attribute values, an attacker could cause code of their choosing to run on the user's system.
The second concerns the "GetObject" scripting function. Before returning a handle to an operating system object, "GetObject" is supposed to perform a series of security checks to confirm that the caller has sufficient privileges to access it. By requesting a handle to a file using a specially malformed representation of its name, it may be possible to bypass some of these checks, allowing a web page to complete an operation that should have been refused. The result could be the reading of files on a visiting user's system.
The third concerns the display of file names in the File Download dialogue box. When a download from a web site starts, the dialogue shows the name of the file and lets the user choose what to do with it. A flaw exists in the way the HTTP response header fields "Content-Disposition" and "Content-Type" are handled. An attacker could use it to misrepresent the name of the file in the dialogue in an attempt to trick the user into opening or saving an unsafe file.
The fourth could allow a web page to open a file served by the web site using any application installed on the user's system. By design, Internet Explorer should open such a file only with the application registered for that file type, and only if that application is on its list of safe applications. Through a flaw in the handling of the Content-Type HTTP header field, an attacker could circumvent this restriction and name the application to be invoked for a particular file. Internet Explorer would comply even if the application is listed as unsafe.
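The third and fourth issues both come down to a download dialog trusting what the server says about a file's name and type. The following Node.js code, added here as an illustration and not part of the advisory or of any Microsoft code, parses those two headers from a captured response and lists the reasons a careful download handler should not take the advertised name or handler at face value. The sample responses, the extension list and the MIME-to-extension mapping are constructed for this example, and it does not reproduce the specific malformation the bulletin patched.

```javascript
// Added example (not from MS02-005 or Microsoft): sanity checks on the headers
// a File Download dialog takes its file name and handler from.

// Extensions a download handler should never treat as harmless (constructed, partial list).
const DANGEROUS_EXTENSIONS = new Set([
  'exe', 'com', 'bat', 'cmd', 'scr', 'pif', 'vbs', 'vbe', 'js', 'jse', 'hta', 'lnk', 'wsh',
]);

// MIME type -> extensions it legitimately covers (constructed, partial list; an assumption).
const TYPE_TO_EXT = {
  'text/plain': ['txt'],
  'text/html': ['htm', 'html'],
  'image/jpeg': ['jpg', 'jpeg'],
  'image/gif': ['gif'],
  'application/pdf': ['pdf'],
  'application/x-msdownload': ['exe', 'dll'],
};

// Parse the header block of an HTTP response (status line optional) into a
// lower-cased name -> value map. Later duplicates overwrite earlier ones.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    if (/^HTTP\/\d/.test(line)) continue;
    if (line.trim() === '') break;          // end of header block
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Pull the filename parameter out of a Content-Disposition value, quoted or not,
// and drop any directory components the server may have supplied.
function contentDispositionFilename(value) {
  if (!value) return null;
  const m = /filename\s*=\s*(?:"([^"]*)"|([^;]*))/i.exec(value);
  if (!m) return null;
  const name = (m[1] !== undefined ? m[1] : m[2]).trim();
  return name.split(/[\\/]/).pop();
}

// Last extension of the name, lower-cased, with surrounding whitespace removed.
function extensionOf(filename) {
  if (!filename) return null;
  const dot = filename.lastIndexOf('.');
  if (dot < 0 || dot === filename.length - 1) return null;
  return filename.slice(dot + 1).trim().toLowerCase();
}

// Assess a response and list the reasons its advertised name or type should not be trusted.
function assessDownload(raw) {
  const h = parseHeaders(raw);
  const contentType = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  const filename = contentDispositionFilename(h['content-disposition']);
  const ext = extensionOf(filename);
  const findings = [];

  if (!contentType) findings.push('missing Content-Type; handler would be chosen by content sniffing');
  if (filename === null) {
    findings.push('no filename in Content-Disposition; name would come from the URL');
  } else {
    if (/[\x00-\x1f\x7f]/.test(filename)) findings.push('control characters in filename');
    if (/\s{2,}/.test(filename)) findings.push('whitespace padding in filename can push the real extension out of view');
    if ((filename.match(/\./g) || []).length > 1) findings.push('multiple extensions in filename');
    if (ext && DANGEROUS_EXTENSIONS.has(ext)) findings.push(`executable extension .${ext}`);
    const allowed = TYPE_TO_EXT[contentType];
    if (ext && allowed && !allowed.includes(ext)) {
      findings.push(`extension .${ext} does not match Content-Type ${contentType}`);
    }
  }
  return { filename, extension: ext, contentType, findings };
}

// Constructed sample responses for the checks above.
const SAMPLE_BENIGN =
  'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n' +
  'Content-Disposition: attachment; filename="readme.txt"\r\n\r\n';
const SAMPLE_SUSPICIOUS =
  'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n' +
  'Content-Disposition: attachment; filename="notes.txt' + ' '.repeat(40) + '.exe"\r\n\r\n';

console.log(JSON.stringify(assessDownload(SAMPLE_SUSPICIOUS), null, 2));
```

The point of the mapping check is the one the fourth issue turns on: the declared Content-Type and the advertised file name should agree on which application is going to handle the bytes, and a handler that lets either one override the other without comparing them is exactly the kind of logic that can be steered from the server side.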
The fifth could enable a web page to run a script even when the user has disabled scripting. Internet Explorer checks for the presence of scripts when it first renders a page. By misusing the ability of objects on a web page to respond to asynchronous events, a web page could fire a script after the page has passed those initial security checks.
The sixth is another variant of the "Frame Domain Verification" vulnerability discussed in Microsoft Security Bulletin MS01-058. It could enable a malicious web site operator to open two browser windows, one in the web site's domain and the other on the user's local file system, and then use the "Document.open" function to pass information from the local window back to the web site. This could let the malicious web site read any file on the user's local computer that can be opened in a browser window.
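The check that fails in the sixth issue is the origin comparison a browser must make before a script in one window may call document.open on, or read from, the document in another. The following Node.js code, added here as a simplified model and not Internet Explorer's own frame domain verification, shows that comparison with the cases that matter in the scenario above: an http: page against a file: document, default versus explicit ports, and opaque origins that must never compare equal. The URLs are constructed for this example.

```javascript
// Added example: simplified model of the origin check that frame domain
// verification is supposed to enforce. Not Internet Explorer's code.

// Serialise a URL to its (scheme, host, port) origin. Returns null for an
// opaque origin, which must never compare equal to anything, itself included.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;                       // unparseable: treat as opaque
  }
  // file:, about: and javascript: URLs have no meaningful host; treat them as
  // opaque so that an http: page can never be "in the same domain" as a local file.
  if (!['http:', 'https:', 'ftp:'].includes(u.protocol)) return null;
  if (!u.hostname) return null;
  // WHATWG URL leaves u.port empty when it is the scheme default, so
  // http://a.example and http://a.example:80 serialise identically.
  return `${u.protocol}//${u.hostname.toLowerCase()}:${u.port}`;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && oa === ob;
}

// The decision for the two-window scenario: script running in callerUrl asks
// to read or write the document loaded in targetUrl.
function mayAccessDocument(callerUrl, targetUrl) {
  return sameOrigin(callerUrl, targetUrl);
}

// Constructed URLs illustrating the cases above.
const CASES = [
  ['http://attacker.example/page.html', 'file:///C:/secret.txt'],
  ['http://attacker.example/page.html', 'http://attacker.example:80/other.html'],
  ['http://attacker.example/page.html', 'https://attacker.example/page.html'],
  ['http://attacker.example/page.html', 'http://sub.attacker.example/page.html'],
];
for (const [caller, target] of CASES) {
  console.log(`${caller} -> ${target}: ${mayAccessDocument(caller, target) ? 'ALLOW' : 'DENY'}`);
}
```

The model is deliberately strict about file: URLs. A browser that instead derives a "domain" for a local file from its path, or that compares only host names while ignoring the scheme, leaves exactly the gap the two-window trick exploits: the web site's window and the local window end up looking like the same domain to the check even though one of them is the user's disk.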
The vendor, Microsoft, has released security bulletin MS02-005, which addresses all six vulnerabilities, and recommends that affected users apply the cumulative patch listed in Knowledge Base Article Q316059.
Discovered by Sandro Gauci, dH team and SECURITY.NNOV