Free Republic
Browse · Search
News/Activism
Topics · Post Article


U.S. CERT Cyber Security Alert TA04-293A: Multiple Vulnerabilities in Microsoft Internet Explorer
United States Computer Emergency Response Team | October 19, 2004

Posted on 10/19/2004 6:19:37 PM PDT by Stoat

 
US-CERT
National Cyber Alert System
Technical Cyber Security Alert TA04-293A archive

Multiple Vulnerabilities in Microsoft Internet Explorer

Original release date: October 19, 2004
Last revised: --
Source: US-CERT

 

Systems Affected

Microsoft Windows systems running

  • Internet Explorer versions 5.01 and later; previous, unsupported versions of Internet Explorer may also be affected
  • Programs that use the WebBrowser ActiveX control (WebOC) or MSHTML rendering engine

 

Overview

Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most severe of which could allow a remote attacker to execute arbitrary code with the privileges of the user running IE.
 

I. Description

Microsoft Security Bulletin MS04-038 describes a number of IE vulnerabilities, including buffer overflows, cross-domain scripting, spoofing, and "drag and drop." Further details are available in the following vulnerability notes:

VU#291304 - Microsoft Internet Explorer contains a buffer overflow in CSS parsing

A buffer overflow vulnerability exists in the way that IE processes Cascading Style Sheets (CSS). This could allow an attacker to execute arbitrary code or cause a denial of service.
(CAN-2004-0842)

VU#637760 - Microsoft Internet Explorer Install Engine contains a buffer overflow vulnerability

The IE Active Setup Install Engine (inseng.dll), which is used to decompress ActiveX controls stored in CAB files, contains a buffer overflow vulnerability. This could allow an attacker to execute arbitrary code.
(CAN-2004-0216)

VU#207264 - Microsoft Internet Explorer does not properly handle function redirection (Similar Method Name Redirection Cross Domain Vulnerability)

IE does not properly validate redirected functions. The impact is similar to that of a cross-site scripting vulnerability, allowing an attacker to access data and execute script in other domains, including the Local Machine Zone.
(CAN-2004-0727)

VU#526089 - Microsoft Internet Explorer treats arbitrary files as images for drag and drop operations (Drag and Drop Vulnerability)

IE treats arbitrary files as images during "drag and drop" mouse operations. This could allow an attacker to trick a user into copying a file to a location where it could be executed, such as the user's Startup folder.
(CAN-2004-0839)

VU#413886 - Microsoft Internet Explorer allows mouse events to manipulate window objects and perform "drag and drop" operations (Script in Image Tag File Download Vulnerability, HijackClick 3)

IE dynamic HTML (DHTML) mouse events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. This could allow an attacker to write an arbitrary file to the local file system in a location where it could be executed, such as the user's Startup folder.
(CAN-2004-0841)

In addition, MS04-038 describes two address bar spoofing vulnerabilities (VU#625616, VU#431576) that could allow an attacker to deceive a user about the location of a web site; a vulnerability involving cached HTTPS files (VU#795720) that could allow an attacker to read from or inject data into an HTTPS web site; and a vulnerability in which IE6 on Windows XP ignores the "Drag and drop and copy and paste files" setting (VU#630720).

Any program that uses the WebBrowser ActiveX control (WebOC) or MSHTML rendering engine could be affected by these vulnerabilities.
 

II. Impact

The impacts of these vulnerabilities vary, but an attacker may be able to execute arbitrary code with the privileges of the user running IE. An attacker could also exploit these vulnerabilities to perform social engineering attacks such as spoofing or phishing attacks. In most cases, an attacker would need to convince a user to view an HTML document (web page, HTML email message) with IE or another program that uses the WebBrowser ActiveX control or MSHTML rendering engine.

In some cases, an attacker could combine two or more vulnerabilities to write an arbitrary file to the local file system in a sensitive location, such as the user's Startup folder. US-CERT has monitored reports of attacks against some of these vulnerabilities.
 

III. Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-038.

 

Disable Active scripting and ActiveX controls

To protect from attacks against several of these vulnerabilities, disable Active scripting and ActiveX controls in any zone used to render untrusted HTML content (typically the Internet Zone and Restricted Sites Zone). Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ.

 

Upgrade to Windows XP Service Pack 2

Service Pack 2 for Windows XP contains security improvements for IE that reduce the impact of some of these vulnerabilities.
 

Appendix A. References


 

Information used in this document came from Microsoft Security Bulletin MS04-038. Microsoft credits Greg Jones, Peter Winter-Smith, Mitja Kolsek, and John Heasman for reporting several vulnerabilities. Will Dormann reported the IE6 Windows XP drag and drop setting vulnerability.


Feedback can be directed to the authors: Art Manion and Will Dormann.



 

Copyright 2004 Carnegie Mellon University. Terms of use

Revision History

October 19, 2004: Initial release
 

Last updated October 19, 2004


TOPICS: Business/Economy; Front Page News; Miscellaneous; News/Current Events; Technical
KEYWORDS: computer; computing; exploit; getamac; internetexploiter; internetexplorer; lowqualitycrap; microsoft; patch; security; securityflaw; ta04293a; ta04293asecurity; trojan; uscert; virus; windows; worm

1 posted on 10/19/2004 6:19:39 PM PDT by Stoat

To: Stoat

[snicker]


2 posted on 10/19/2004 6:20:39 PM PDT by Petronski (I'm not always cranky.)

To: Stoat

explorer is the kerry of browsers...get mozilla firefox.


3 posted on 10/19/2004 6:25:48 PM PDT by kingattax

To: Petronski

So what's the purpose of US-CERT? Is it to re-issue Microsoft Security Bulletins a week after they're published?


4 posted on 10/19/2004 6:29:49 PM PDT by mdefranc

To: mdefranc

lol


5 posted on 10/19/2004 6:34:56 PM PDT by ArmyBratproud (Kerry wants to steal documents, taxes, my gun, etc. And now the commie punk wants to steal my vote.)

To: mdefranc
"So what's the purpose of US-CERT? Is it to re-issue Microsoft Security Bulletins a week after they're published?"

My guess is that they are trying to focus people's attention on the more critical ones that affect the greatest number of people in the most negative way. I received notification of this original Microsoft security bulletin in their October 14 Security newsletter, and it was one of many, looking like this...it's just one of many without this one being highlighted in a significant way:

This Month's Security Bulletins
Critical:
Important:

6 posted on 10/19/2004 6:38:50 PM PDT by Stoat

To: kingattax

Firefox is the superior product!


7 posted on 10/19/2004 6:43:35 PM PDT by anyone_but_kerry

To: Stoat

I think you're correct about US-CERT's (no-doubt lavishly-funded) mission, but it's worth noting that on October 12 both ZDNet and Secunia, among others, ran alerts concerning this particular MS bulletin.


8 posted on 10/19/2004 7:02:39 PM PDT by mdefranc

To: Stoat

Used Netscape for years, then was forced to use IE when NS got "orphaned". Happy ending: just finished migrating to Mozilla (Firefox/Thunderbird) today and am having a blast!


9 posted on 10/19/2004 7:14:43 PM PDT by macbee ("Never interrupt your enemy when he is making a mistake." - Napoleon Bonaparte)

To: mdefranc
I'm glad to hear that those sources are well-attuned to security issues. I'm curious, however, if they made much of a splash with it beyond the tech press?

My rationale in posting this item is to bring to a wider audience a security concern that has been judged by people far more expert than myself to be of particular significance. Before posting, I did a search on Free Republic and found that no one had posted this item yet, despite it having been released in other venues nearly a week ago. My hope is that if you discover a significant security concern in the tech press that hasn't been distributed to a wider audience yet, that you might help others out by posting it here or in other forums. Most of us are deluged by data all day long, and the most difficult thing for many of us is to filter out the really important stuff from the 'noise'. If you can assist others in doing this, I'm sure that you will have many thanks from appreciative people. Most people appreciate courteous and relevant assistance.

10 posted on 10/19/2004 7:22:32 PM PDT by Stoat

To: anyone_but_kerry

Have you noticed any effect on the system you are running? Which OS are you running? Finally, since some of the browser's components are shared with the OS, are you concerned that not doing IE updates won't affect the OS?


11 posted on 10/19/2004 8:04:02 PM PDT by ProudVet77 (Flush John 'Fonda' Kerry)

To: mdefranc
Yeah, I thought I'd seen this one before.

But, y'know, some Windows Weenies need to be reminded multiple times... and some of them still won't patch.

12 posted on 10/19/2004 9:42:26 PM PDT by TechJunkYard (http://scaryjohnkerry.com/)

To: Stoat; All
Help for viruses and malware:
 
 Ad-Aware ... Spybot ... Peper Uninstaller ... HijackThis... CWShredder ... Spyware Blaster ... IE Spyad ... Free online Virus scan ... AVG AntiVirus ... LSPfix ... How to Show Hidden Files ... How to boot into Safe Mode ... How did I get infected in the first place?


Things you need--(all FREE)
Anti-Virus
AVG Avast
Firewall
Kerio(Direct Download) Zone Alarm
 If you are using Zone Alarm, remove it; it is the biggest resource hog and bandwidth eater firewall there is. Use Outpost Firewall http://www.agnitum.com/products/outpost or Sygate Firewall http://www.sygate.com/, both have FREE and Pro versions and are heads above ZA.
Misc.
IE Spyads SpywareBlaster Spyware Guard
Windows Update
get all CRITICAL Updates

Things you want(Still Free)
Mozilla Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file
 I would also encourage folks to go here: Mike Lin's Homepage and get the Startup Control Panel and Startup Monitor tools.
 
The best forum for malware removal:
 http://forums.spywareinfo.com/index.php?s=262d844129208feb8b0cf5b0186a32f6&act=SC&c=4
SWI Forums--

13 posted on 10/20/2004 1:41:55 AM PDT by backhoe (Just a Keyboard Cowboy, ridin' the Trackball into the Dawn of Information...)

To: backhoe
I've been using ZoneAlarm for several years but one of its latest updates caused a few problems, so I re-installed the previous version that had been trouble free. I decided to take your advice and download the free personal version of the Sygate firewall. I'll install it tomorrow.

This link takes you directly to the Sygate firewall download page, where you choose between the Pro or the Free Personal Firewall. Thanks, backhoe.

http://smb.sygate.com/download_buy.htm

14 posted on 10/20/2004 2:26:49 AM PDT by Eagle9

To: backhoe
Thank you so much, you're always so great at helping others :-)


15 posted on 10/20/2004 2:33:20 AM PDT by Stoat

To: Eagle9

Thank you!


16 posted on 10/20/2004 3:51:20 AM PDT by backhoe (Just a Keyboard Cowboy, ridin' the Trackball into the Dawn of Information...)

To: Stoat

17 posted on 10/20/2004 3:51:59 AM PDT by backhoe (Just a Keyboard Cowboy, ridin' the Trackball into the Dawn of Information...)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson