__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Internet Explorer MIME Header Vulnerability April 2, 2001 23:00 GMT Number L-066 ______________________________________________________________________________ PROBLEM: Internet Explorer incorrectly handles some unusual MIME types which could allow binary attachments to be run in mail messages. PLATFORM: Windows platforms with mail readers that use Internet Explorer to render html formatted mail messages (Outlook, Outlook Express, others) and that have Internet Explorer versions 5.01 or 5.5 installed. Internet Explorer version 5.01 service pack 2 is not affected. DAMAGE: The vulnerability could allow an intruder to craft an html mail message that would automatically launch an attached binary file. SOLUTION: Apply patches available from the Microsoft website. http://www.microsoft.com/windows/ie/download/critical/Q290108 /default.asp ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. The MIME types that cause the problem are ASSESSMENT: not well known and the vulnerability is not in the wild. This assessment could change rapidly as intruders learn the details of the vulnerability and how to exploit it. ______________________________________________________________________________ The following bulletin was posted on the Microsoft website on March 29, 2001. See the Microsoft website for the latest version of this bulletin: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp -------------------Start of Microsoft Bulletin------------------- Microsoft Security Bulletin (MS01-020) Incorrect MIME Header Can Cause IE to Execute E-mail Attachment Originally posted: March 29, 2001 Summary ======= Who should read this bulletin: Customers using Microsoft® Internet Explorer. Impact of vulnerability: Run code of attacker's choice. Recommendation: Customers using IE should install the patch immediately. Affected Software: Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 5.5 Note: Internet Explorer 5.01 Service Pack 2 is not affected by this vulnerability. Technical details ================= Technical description: Because HTML e-mails are simply web pages, IE can render them and open binary attachments in a way that is appropriate to their MIME types. However, a flaw exists in the type of processing that is specified for certain unusual MIME types. If an attacker created an HTML e-mail containing an executable attachment, then modified the MIME header information to specify that the attachment was one of the unusual MIME types that IE handles incorrectly, IE would launch the attachment automatically when it rendered the e-mail. An attacker could use this vulnerability in either of two scenarios. She could host an affected HTML e-mail on a web site and try to persuade another user to visit it, at which point script on a web page could open the mail and initiate the executable. Alternatively, she could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by user's permissions on the system. Mitigating factors: The vulnerability could not be exploited if File Downloads have been disabled in the Security Zone in which the e-mail is rendered. This is not a default setting in any zone, however. Vulnerability identifier: CAN-2001-0154 Tested Versions: Microsoft tested IE 5.01 and IE 5.5 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability. Frequently asked questions ========================== What's the scope of the vulnerability? This vulnerability could enable an attacker to potentially run a program of her choice on the machine of another user. Such a program would be capable of taking any action that the user himself could take on his machine, including adding, changing or deleting data, communicating with web sites, or reformatting the hard drive. In order for the attacker to successfully attack the user via this vulnerability, she would need to be able to persuade the user to either browse to a web site she controlled or open an HTML e-mail that she had sent. What causes the vulnerability? If an HTML mail contains an executable attachment whose MIME type is incorrectly given as one of several unusual types, a flaw in IE will cause the attachment to be executed without displaying a warning dialogue. Why is IE used to process HTML mails? I thought mail programs like Outlook and Outlook Express were in charge of displaying mails. In general, they are. Mail clients handle creating, sending, receiving and displaying e-mail. There is one exception, however, they rely on IE to perform a process called "rendering" if the mail is an HTML mail. Rendering is the process of processing and displaying a web page. HTML mails are rendered by IE because they are essentially web pages sent as mails. The flaw in this case involves how IE renders HTML mails. What's the problem with how IE renders HTML mails? If a mail contains an attachment, IE should provide the ability to open the attachment when it renders the message. The precise meaning of "open" depends on the type of file. If the attachment is a text file, IE should provide the ability to read it; if it's a video clip, IE should provide the ability to view it; if it's a graphics file, IE should provide the ability to display it; and so on. Some types of attachments, such as executable files, are inherently dangerous. In these cases, IE should only open the attachment if the user expressly asks to do so, and confirms that he wants to open it. The flaw, however, enables this safeguard to be circumvented by specifying an incorrect MIME type in the e-mail. What's a MIME type? Let's start with what MIME is. MIME is an acronym for Multipurpose Internet Mail Extensions. It's a widely used Internet standard for encoding binary files as e-mail attachments. When an e-mail contains a binary attachment, it must specify what type of file the attachment is, so the mail program can interpret it correctly. In the case of this vulnerability, IE doesn't correctly handle certain types of fairly unusual MIME types. If an attacker created an e-mail message containing an executable attachment, and specified that it was one of these MIME types, IE would execute the attachment rather than prompting the user. Would IE always execute the attachment? No. IE would only execute the attachment if File Downloads were enabled in the Security Zone that the e-mail was opened in. However, File Downloads are enabled in all zones by default. What would this vulnerability enable an attacker to do? If an attacker created an e-mail that exploits this vulnerability, she could use it in an attempt to run the executable attachment on another user's computer. She could try to do this through either of two scenarios. First, she could host the HTML mail on her web site, and try to persuade the user to visit it. Second, she could send the email directly to the user. What kind of actions could the attachment take if it ran? The attachment would be able to take any action that the user himself could take on his system. If he were an unprivileged user, it might be able to do very little. However, if the user were an administrator on his system, the attachment would be able to do virtually anything, including reformatting the hard drive. Could an e-mail accidentally be created that would exploit this vulnerability? No. To create such an e-mail, an attacker would need to create an e-mail containing an executable attachment, then deliberately edit the MIME headers in the mail to be one of the affected types. What does the patch do? The patch eliminates the vulnerability by correcting the table of MIME types and their associated actions in IE. This has the effect of preventing emails from being able to automatically launch executable attachments. I've already installed IE 5.01 Service Pack 2. Do I need to install the patch? No. The fix for this issue is included in IE 5.01 Service Pack 2. If you've already installed it, you do not need to install the patch. I heard that even after applying this patch, an e-mail could start a file download automatically. Is this true? Yes. However, this is not related to this vulnerability, and doesn't pose a security risk. It's always possible for an e-mail to start a file download, and of course the author of the mail can give the file a name that sounds innocuous. However, the file download cannot actually begin unless and until the user selects a location to which it should be downloaded, and clicks the OK button. As a general rule, it is probably worth questioning the trustworthiness of any e-mail that automatically starts a file download. The best action is to simply click the Cancel button in the dialogue. Patch availability ================== Download locations for this patch http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp Additional information about this patch ======================================= Installation platforms: This patch can be installed on systems running Internet Explorer 5.01 Service Pack 1 or Internet Explorer 5.5 Service Pack 1. Inclusion in future service packs: The fix for this issue is included in Internet Explorer 5.01 Service Pack 2 and will be included in Internet Explorer 5.5 Service Pack 2. Verifying patch installation: To verify that the patch has been installed on the machine, open IE, select Help, then select About Internet Explorer and confirm that Q290108 is listed in the Update Versions field. To verify the individual files, use the patch manifest provided in Knowledge Base article Q290108 Caveats: If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches. Localization: Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches". Obtaining other security patches: Patches for other security issues are available from the following locations: Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". Patches for consumer platforms are available from the WindowsUpdate web site All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site. Other information: Acknowledgments Microsoft thanks Juan Carlos Cuartango (http://www.kriptopolis.com) for reporting this issue to us and working with us to protect customers. Support: Microsoft Knowledge Base article Q290108 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site. Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches. Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: V1.0 (March 29, 2001): Bulletin Created. -------------------End of Microsoft Bulletin------------------- _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft Corp. for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) L-055: pcAnywhere Denial of Service, abnormal server connection L-056: The Naked Wife (W32.Naked@mm) Trojan L-057: Kerberos /tmp Root Vulnerability L-058: HPUX Sec. Vulnerability asecure L-059: Microsoft IIS WebDAV Denial of service Vulnerability L-061: Microsoft IE can Divulge Location of Cached Content L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call l-064: The Lion Internet Worm DDOS Risk L-065: Solaris Exploitation of snmpXdmid