__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects [Microsoft Security Advisory (911302)] November 22, 2005 18:00 GMT Number Q-059 [REVISED 23 Nov 2005] [REVISED 30 Nov 2005] [REVISED 02 Dec 2005] ______________________________________________________________________________ PROBLEM: Microsoft is investigating new public reports of vulnerability in Microsoft Internet Explorer on Microsoft Windows 98, on Windows 98 Second Edition, on Windows Millennium Edition, on Windows 2000 Service Pack 4, and on Windows XP Service Pack 2. PLATFORM: Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1 Internet Explorer 6 on Microsoft Windows XP Service Pack 2 Internet Explorer 6 on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 Internet Explorer 6 on Microsoft Windows Server 2003 for Itanium- based Systems, on Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems, on Microsoft Windows Server 2003 x64 Edition, and on Microsoft Windows XP Professional x64 Edition Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition DAMAGE: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. SOLUTION: Microsoft has tested the workarounds. 
While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section. Please see Microsoft Bulletin with detailed instruction on the workarounds. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. Trivial exploits are available for the ASSESSMENT: vulnerabilities in this bulletin that include running commands as the logged in user and document exfiltration using built-in Windows commands. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/q-059.shtml ORIGINAL BULLETIN: http://www.microsoft.com/technet/security/advisory/911302.mspx CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2005-1790 ______________________________________________________________________________ REVISION HISTORY: 11/23/2005 – Microsoft updated Security Advisory 911302. The title was updated, clarified affected software and updated workaround “Set Internet and Local intranet security zone settings to ‘High’ to prompt before running Active Scripting in these zones”. 11/30/2005 - updated bulletin to reflect change to Microsoft Security Advisory 911302. Information was added regarding proof of concept code, malicious software, and reference to Windows Live Safety Center. 12/02/2005 - revised to raise the risk level to HIGH. Trivial exploits are available for the vulnerabilities in this bulletin that include running commands as the logged in user and document exfiltration using built-in Windows commands. [***** Start Microsoft Security Advisory (911302) *****] Microsoft Security Advisory (911302) Vulnerability in the way Internet Explorer Handles Mismatched Document Object Model Objects Could Allow Remote Code Execution. 
Published: November 21, 2005 | Updated: November 29, 2005

Microsoft is investigating new public reports of a vulnerability in Microsoft
Internet Explorer on Microsoft Windows 98, on Windows 98 Second Edition, on
Windows Millennium Edition, on Windows 2000 Service Pack 4, on Windows XP
Service Pack 1, and on Windows XP Service Pack 2. Customers who are running
Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default
configurations, with the Enhanced Security Configuration turned on, are not
affected. We have also been made aware of proof of concept code and malicious
software targeting the reported vulnerability. Customers can visit Windows
Live Safety Center and are encouraged to use the Complete Scan option to check
for and remove this malicious software and future variants.

We will continue to investigate these public reports. Upon completion of this
investigation, Microsoft will take the appropriate action to help protect our
customers. This may include providing a security update through our monthly
release process or providing an out-of-cycle security update, depending on
customer needs.

This issue was originally publicly reported in May as being a stability issue
that caused the browser to close. Since then, new information has been posted
that indicates remote code execution could be possible.

Microsoft is concerned that this new report of a vulnerability in Internet
Explorer was not disclosed responsibly, potentially putting computer users at
risk. We continue to encourage responsible disclosure of vulnerabilities. We
believe the commonly accepted practice of reporting vulnerabilities directly
to a vendor serves everyone's best interests. This practice helps to ensure
that customers receive comprehensive, high-quality updates for security
vulnerabilities without exposure to malicious attackers while the update is
being developed.

Microsoft encourages users to exercise caution when they open links in e-mail.
For more information about Safe Browsing, visit the Trustworthy Computing Web
site. We continue to encourage customers to follow our Protect Your PC
guidance of enabling a firewall, applying software updates and installing
antivirus software. Customers can learn more about these steps at the Protect
Your PC Web site.

Customers who believe they may have been affected by this issue can contact
Product Support Services. You can contact Product Support Services in the
United States and Canada at no charge using the PC Safety line
(1-866-PCSAFETY). Customers outside of the United States and Canada can locate
the number for no-charge virus support by visiting the Microsoft Help and
Support Web site.

Mitigating Factors:

 • In a Web-based attack scenario, an attacker would have to host a Web site
   that contains a Web page that is used to exploit this vulnerability. An
   attacker would have no way to force users to visit a malicious Web site.
   Instead, an attacker would have to persuade them to visit the Web site,
   typically by getting them to click a link that takes them to the
   attacker's Web site.
 • An attacker who successfully exploited this vulnerability could gain the
   same user rights as the local user. Users whose accounts are configured to
   have fewer user rights on the system could be less impacted than users who
   operate with administrative user rights.
 • The Restricted sites zone helps reduce attacks that could try to exploit
   this vulnerability by preventing Active Scripting from being used when
   reading HTML e-mail messages. However, if a user clicks a link in an
   e-mail message, they could still be vulnerable to this issue through the
   Web-based attack scenario. By default, Outlook Express 6, Outlook 2002,
   and Outlook 2003 open HTML e-mail messages in the Restricted sites zone.
   Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the
   Restricted sites zone if the Outlook E-mail Security Update has been
   installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages
   in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has
   been installed.
 • By default, Internet Explorer on Windows Server 2003, on Windows Server
   2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for
   Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a
   restricted mode that is known as Enhanced Security Configuration. This
   mode mitigates this vulnerability. See the FAQ section for this security
   update for more information about Internet Explorer Enhanced Security
   Configuration.

General Information

Overview

Purpose of Advisory: To provide customers with initial notification of the
publicly disclosed vulnerability. For more information, see the "Suggested
Actions" section of the security advisory.

Advisory Status: Under Investigation

Recommendation: Review the suggested actions and configure as appropriate.

References                          Identification
CERT Reference                      VU#887861
CVE Reference                       CAN-2005-1790
Microsoft Knowledge Base Article    911302

This advisory discusses the following software.

Related Software
 Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service
 Pack 4
 Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
 or on Microsoft Windows XP Service Pack 1
 Internet Explorer 6 on Microsoft Windows XP Service Pack 2
 Internet Explorer 6 on Microsoft Windows Server 2003 and Microsoft Windows
 Server 2003 Service Pack 1
 Internet Explorer 6 on Microsoft Windows Server 2003 for Itanium-based
 Systems, on Microsoft Windows Server 2003 with Service Pack 1 for
 Itanium-based Systems, on Microsoft Windows Server 2003 x64 Edition, and on
 Microsoft Windows XP Professional x64 Edition
 Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
 Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft
 Windows 98 SE, or on Microsoft Windows Millennium Edition

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting Internet Explorer,
which is a component of Microsoft Windows. This vulnerability affects the
software that is listed in the "Overview" section. This issue was originally
publicly reported in May as being a stability issue that caused the browser
to close. Since then, new information has been posted that indicates remote
code execution could be possible.

Is this a security vulnerability that requires Microsoft to issue a security
update?
We are currently investigating the issue to determine the appropriate course
of action for customers. We will include the fix for this issue in an
upcoming security bulletin.

What causes the vulnerability?
When Internet Explorer displays a Web page that contains an onLoad event that
points to a Window object, system memory may be corrupted in such a way that
an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete
control of the affected system.
In a Web-based attack scenario, an attacker would host a Web site that
exploits this vulnerability. An attacker would have no way to force users to
visit a malicious Web site. Instead, an attacker would have to persuade them
to visit the Web site, typically by getting them to click a link that takes
them to the attacker's site. It could also be possible to display malicious
Web content by using banner advertisements or by using other methods to
deliver Web content to affected systems.

How could an attacker exploit the vulnerability?
An attacker could host a malicious Web site that is designed to exploit this
vulnerability through Internet Explorer and then persuade a user to view the
Web site.

Suggested Actions

Workarounds

Microsoft has tested the following workarounds. While these workarounds will
not correct the underlying vulnerability, they help block known attack
vectors. When a workaround reduces functionality, it is identified in the
following section.

Change your Internet Explorer settings to prompt or disable before running
Active Scripting in the Internet and Local intranet security zone

You can help protect against this vulnerability by changing your settings to
prompt or disable before running Active Scripting. To do this, follow these
steps:

 1. In Internet Explorer, click Internet Options on the Tools menu.
 2. Click the Security tab.
 3. Click Internet, and then click Custom Level.
 4. Under Settings, in the Scripting section, under Active Scripting, click
    Prompt or Disable, and then click OK.
 5. Click Local intranet, and then click Custom Level.
 6. Under Settings, in the Scripting section, under Active Scripting, click
    Prompt or Disable, and then click OK.
 7. A dialog may appear that says "Are you sure you want to change the
    security settings for this zone?". Click Yes.
 8. Click OK to return to Internet Explorer.

Impact of Workaround: There are side effects to prompting before running
Active Scripting. Many Web sites that are on the Internet or on an intranet
use ActiveX to provide additional functionality. For example, an online
e-commerce site or banking site may use Active Scripting to provide menus,
ordering forms, or even account statements. Prompting before running Active
Scripting is a global setting that affects all Internet and intranet sites.
You will be prompted frequently when you enable this workaround. For each
prompt, if you feel you trust the site that you are visiting, click Yes to
run Active Scripting. If you do not want to be prompted for all these sites,
use the "Restrict Web sites to only your trusted Web sites" workaround.

Set Internet and Local intranet security zone settings to "High" to prompt
before running Active Scripting in these zones

You can help protect against this vulnerability by changing your settings for
the Internet security zone to prompt before running Active Scripting. You can
do this by setting your browser security to High. To raise the browsing
security level in Microsoft Internet Explorer, follow these steps:

 1. On the Internet Explorer Tools menu, click Internet Options.
 2. In the Internet Options dialog box, click the Security tab, and then
    click the Internet icon.
 3. Under Security level for this zone, move the slider to High. This sets
    the security level for all Web sites you visit to High.
    Note: If no slider is visible, click Default Level, and then move the
    slider to High.
    Note: Setting the level to High may cause some Web sites to work
    incorrectly. If you have difficulty using a Web site after you change
    this setting, and you are sure the site is safe to use, you can add
    that site to your list of trusted sites. This will allow the site to
    work correctly even with the security setting set to High.
 4. Click Custom Level.
 5. Under Settings, in the Scripting section, under Active Scripting, click
    Prompt or Disable, and then click OK.
 6. A dialog may appear that says "Are you sure you want to change the
    security settings for this zone?". Click Yes.
 7. Click OK to return to Internet Explorer.

Impact of Workaround: There are side effects to prompting before running
Active Scripting. Many Web sites that are on the Internet or on an intranet
use ActiveX to provide additional functionality. For example, an online
e-commerce site or banking site may use Active Scripting to provide menus,
ordering forms, or even account statements. Prompting before running Active
Scripting is a global setting that affects all Internet and intranet sites.
You will be prompted frequently when you enable this workaround. For each
prompt, if you feel you trust the site that you are visiting, click Yes to
run Active Scripting. If you do not want to be prompted for all these sites,
use the "Restrict Web sites to only your trusted Web sites" workaround.

Restrict Web sites to only your trusted Web sites

After you set Internet Explorer to require a prompt before it runs Active
Scripting in the Internet zone and in the Local intranet zone, you can add
sites that you trust to Internet Explorer's Trusted sites zone. This will
allow you to continue to use trusted Web sites exactly as you do today, while
helping to protect you from this attack on untrusted sites. We recommend that
you add only sites that you trust to the Trusted sites zone. To do this,
follow these steps:

 1. In Internet Explorer, click Tools, click Internet Options, and then click
    the Security tab.
 2. In the Select a Web content zone to specify its current security
    settings box, click Trusted Sites, and then click Sites.
 3. If you want to add sites that do not require an encrypted channel, click
    to clear the Require server verification (https:) for all sites in this
    zone check box.
 4. In the Add this Web site to the zone box, type the URL of a site that
    you trust, and then click Add.
 5. Repeat these steps for each site that you want to add to the zone.
 6. Click OK two times to accept the changes and return to Internet
    Explorer.

Add any sites that you trust not to take malicious action on your computer.
One in particular that you may want to add is "*.windowsupdate.microsoft.com"
(without the quotation marks). This is the site that will host the update,
and it requires an ActiveX control to install the update.

 • Microsoft encourages users to exercise caution when they open links in
   e-mail. For more information about Safe Browsing, visit the Trustworthy
   Computing Web site.
 • Customers in the U.S. and Canada who believe they may have been affected
   by this possible vulnerability can receive technical support from
   Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge
   for support that is associated with security update issues or viruses.
   International customers can receive support by using any of the methods
   that are listed at the Security Help and Support for Home Users Web site.
 • All customers should apply the most recent security updates released by
   Microsoft to help ensure that their systems are protected from attempted
   exploitation. Customers who have enabled Automatic Updates will
   automatically receive all Windows updates. For more information about
   security updates, visit the Microsoft Security Web site.
 • Protect Your PC
   We continue to encourage customers to follow our Protect Your PC guidance
   of enabling a firewall, getting software updates and installing anti-virus
   software. Customers can learn more about these steps by visiting the
   Protect Your PC Web site.
 • For more information about staying safe on the Internet, customers can
   visit the Microsoft Security Home Page.
 • Keep Windows Updated
   All Windows users should apply the latest Microsoft security updates to
   help make sure that their computers are as protected as possible.
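The workarounds above are given as Internet Options dialog steps. The following PowerShell script is an added example, not from the CIAC bulletin or the Microsoft advisory, that audits and applies the same Active Scripting and Trusted sites settings through the per-user registry keys the dialog writes. It assumes the well-known zone key layout noted in the comments (zone numbers, value name 1400 for Active Scripting, ZoneMap\Domains for Trusted sites) and that no machine-wide Group Policy override of per-user zone settings is in force.

```powershell
# Added example, not part of the CIAC bulletin or Microsoft Advisory 911302.
# Audits and applies the "prompt before running Active Scripting" workaround
# plus the Trusted sites entry for *.windowsupdate.microsoft.com, using the
# per-user registry keys that the Internet Options dialog writes.
# Assumptions: the key layout below, and that no Group Policy (HKLM) setting
# such as "Security Zones: Use only machine settings" overrides HKCU.

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
# Value name 1400 is the "Active scripting" action: 0 = Enable, 1 = Prompt, 3 = Disable.
$ActiveScripting = '1400'
$ActionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ZoneName   = @{ 1 = 'Local intranet'; 3 = 'Internet' }

function Get-ActiveScriptingState {
    # Reports the Active Scripting action for the Internet and Local intranet
    # zones and whether the workaround (Prompt or Disable) is in place for each.
    foreach ($zone in 1, 3) {
        $key   = Join-Path $ZonesKey $zone
        $value = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
        [pscustomobject]@{
            Zone       = $ZoneName[$zone]
            Action     = if ($null -eq $value) { 'not set (defaults to Enable)' } else { $ActionName[[int]$value] }
            Workaround = ($value -eq 1) -or ($value -eq 3)
        }
    }
}

function Set-ActiveScriptingAction {
    # Equivalent of steps 3-6 of the first workaround: Custom Level -> Active
    # Scripting -> Prompt (or Disable) for both the Internet and Local intranet zones.
    param([ValidateSet('Prompt', 'Disable')][string]$Mode = 'Prompt')
    $data = if ($Mode -eq 'Prompt') { 1 } else { 3 }
    foreach ($zone in 1, 3) {
        $key = Join-Path $ZonesKey $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $ActiveScripting -Value $data -Type DWord
    }
}

function Add-TrustedSite {
    # Equivalent of the "Restrict Web sites to only your trusted Web sites" steps:
    # ZoneMap\Domains\<domain>\<subdomain> holds DWORD values named after the
    # scheme, set to 2 (Trusted sites). Assumed to match what the dialog writes
    # for "*.windowsupdate.microsoft.com"; both http and https are mapped.
    param([string]$Domain = 'microsoft.com', [string]$SubDomain = 'windowsupdate')
    $key = Join-Path (Join-Path $DomainsKey $Domain) $SubDomain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($scheme in 'http', 'https') {
        Set-ItemProperty -Path $key -Name $scheme -Value 2 -Type DWord
    }
}

# Audit first; write only when at least one zone still runs Active Scripting silently.
$state = Get-ActiveScriptingState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Workaround }) {
    Set-ActiveScriptingAction -Mode Prompt
    Add-TrustedSite
    Get-ActiveScriptingState | Format-Table -AutoSize
}
```

Run it as the user whose browser profile is being hardened; for a fleet, the Get-ActiveScriptingState output is the check worth collecting before and after the change.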
   If you are not sure whether your software is up to date, visit the
   Microsoft Update Web site, scan your computer for available updates, and
   install any high-priority updates that are offered to you. If you have
   Automatic Updates enabled, the updates are delivered to you when they are
   released, but you have to make sure you install them.

Resources:

 • You can provide feedback by completing the form at the following Web site.
 • Customers in the U.S. and Canada can receive technical support from
   Microsoft Product Support Services. For more information about available
   support options, see the Microsoft Help and Support Web site.
 • International customers can receive support from their local Microsoft
   subsidiaries. For more information about how to contact Microsoft for
   international support issues, visit the International Support Web site.
 • The Microsoft TechNet Security Web site provides additional information
   about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Microsoft Corporation or its suppliers
be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.

Revisions:

 • November 21, 2005: Advisory published
 • November 22, 2005: Updated the title, clarified affected software, and
   updated workaround "Set Internet and Local intranet security zone settings
   to 'High' to prompt before running Active Scripting in these zones".
 • November 29, 2005: Added information regarding proof of concept code,
   malicious software, and reference to Windows Live Safety Center.

[***** End Microsoft Security Advisory (911302) *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-049: HP-UX envd Local Execution of Privileged Code
Q-050: awstats
Q-051: Flash Player 7 Improper Memory Access Vulnerability
Q-052: awstats
Q-053: HP-UX Running xterm Local Unauthorized Access
Q-054: gdk-pixbuf security update
Q-055: phpsysinfo
Q-056: fetchmail -- programming error
Q-057: unzip -- race condition
Q-058: netpbm-free -- buffer overflows