__________________________________________________________

              The U.S. Department of Energy
          Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

    Vulnerability in the way HTML Objects Handle Unexpected Method Calls
                [Microsoft Security Advisory (917077)]

March 24, 2006 20:00 GMT                                          Number Q-154
______________________________________________________________________________
PROBLEM:       Vulnerability in Microsoft Internet Explorer could allow an
               attacker to execute arbitrary code on the user's system.

PLATFORM:      Internet Explorer 5.01 and IE 6

DAMAGE:        A remote attacker could execute arbitrary code.

SOLUTION:      Apply current patches.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote attacker could execute arbitrary
ASSESSMENT:    code.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-154.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/security/advisory/917077.mspx
 ADDITIONAL LINKS:   US-CERT Vulnerability Note VU#876678
                     http://www.kb.cert.org/vuls/id/876678
                     Secunia Advisory: SA18680
                     http://secunia.com/advisories/18680
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1359
______________________________________________________________________________

[***** Start Microsoft Security Advisory (917077) *****]

Microsoft Security Advisory (917077)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could
Allow Remote Code Execution

Published: March 23, 2006

Microsoft has confirmed new public reports of a vulnerability in Microsoft
Internet Explorer. Based on our investigation, this vulnerability could allow
an attacker to execute arbitrary code on the user's system in the security
context of the logged-on user.
We have seen examples of proof of concept code but we are not aware of attacks
that try to use the reported vulnerabilities or of customer impact at this
time. Microsoft has determined that an attacker who exploits this
vulnerability would have no way to force users to visit a malicious Web site.
Instead, an attacker would have to persuade them to visit the Web site,
typically by getting them to click a link that takes them to the attacker's
Web site. It could also be possible to display specially crafted Web content
by using banner advertisements or by using other methods to deliver Web
content to affected systems. In an e-mail based attack, customers would have
to click a link to the malicious Web site or open an attachment that exploits
the vulnerability. In both Web-based and e-mail based attacks, the code would
execute in the security context of the logged-on user. Users whose accounts
are configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

Microsoft will continue to investigate these reports and provide additional
guidance depending on customer needs. Upon completion of this investigation,
Microsoft will take appropriate action to help protect our customers. This
will either take the form of a security update through our monthly release
process or providing an out-of-cycle security update, depending on customer
needs.

Microsoft encourages users to exercise caution when they open e-mail and links
in e-mail from untrusted sources. For more information about Safe Browsing,
visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of
enabling a firewall, applying software updates and installing antivirus
software. Customers can learn more about these steps at the Protect Your PC
Web site.
Note: Customers who use the Microsoft Internet Explorer 7 Beta 2 Preview that
was released on March 20, 2006 are not affected by the publicly reported
vulnerability.

Mitigating Factors:

• In a Web-based attack scenario, an attacker would have to host a Web site
  that contains a Web page that is used to exploit this vulnerability. An
  attacker would have no way to force users to visit a malicious Web site.
  Instead, an attacker would have to persuade them to visit the Web site,
  typically by getting them to click a link that takes them to the attacker's
  Web site. It could also be possible to display specially crafted Web content
  by using banner advertisements or by using other methods to deliver Web
  content to affected systems.

• This vulnerability could not be exploited automatically through e-mail or
  while viewing e-mail in the preview pane while using Outlook or Outlook
  Express. Customers would have to click on a link that would take them to a
  malicious Web site, or open an attachment that could exploit the
  vulnerability.

• An attacker who successfully exploited this vulnerability could gain the
  same user rights as the local user. Users whose accounts are configured to
  have fewer user rights on the system could be less impacted than users who
  operate with administrative user rights.

General Information

Overview

Purpose of Advisory: To provide customers with notification of the publicly
disclosed vulnerability and provide additional guidance to our customers.

Advisory Status: Vulnerability confirmed, security update planned.

Recommendation: Review the suggested actions and configure as appropriate.
References

Identification
  CVE Reference:                     CVE-2006-1359
  Microsoft Knowledge Base Article:  917077

This advisory discusses the following software:

Related Software
  Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service
    Pack 4
  Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
  Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
  Internet Explorer 6 for Microsoft Windows XP Service Pack 2
  Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows
    Server 2003 Service Pack 1
  Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based
    Systems, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition, and
    Microsoft Windows XP Professional x64 Edition
  Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft
    Windows 98 SE, or on Microsoft Windows Millennium Edition

Suggested Actions

Workarounds

Microsoft has tested the following workarounds. While these workarounds will
not correct the underlying vulnerability, they help block known attack
vectors. When a workaround reduces functionality, it is identified in the
following section.

Configure Internet Explorer to prompt before running Active Scripting or
disable Active Scripting in the Internet and Local intranet security zone

You can help protect against this vulnerability by changing your settings to
prompt before running Active Scripting or to disable Active Scripting in the
Internet and Local intranet security zone. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the Scripting section, under Active Scripting, click
   Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6.
   Under Settings, in the Scripting section, under Active Scripting, click
   Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.

Note: Disabling Active Scripting in the Internet and Local intranet security
zones may cause some Web sites to work incorrectly. If you have difficulty
using a Web site after you change this setting, and you are sure the site is
safe to use, you can add that site to your list of trusted sites. This will
allow the site to work correctly.

Impact of Workaround: There are side effects to prompting before running
Active Scripting. Many Web sites that are on the Internet or on an intranet
use Active Scripting to provide additional functionality. For example, an
online e-commerce site or banking site may use Active Scripting to provide
menus, ordering forms, or even account statements. Prompting before running
Active Scripting is a global setting that affects all Internet and intranet
sites. You will be prompted frequently when you enable this workaround. For
each prompt, if you feel you trust the site that you are visiting, click Yes
to run Active Scripting. If you do not want to be prompted for all these
sites, use the "Restrict Web sites to only your trusted Web sites" workaround.

Set Internet and Local intranet security zone settings to "High" to prompt
before Active Scripting in these zones

You can help protect against this vulnerability by changing your settings for
the Internet security zone to prompt before running Active Scripting. You can
do this by setting your browser security to High. To raise the browsing
security level in Microsoft Internet Explorer, follow these steps:

1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click
   the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the
   security level for all Web sites you visit to High.
Note: If no slider is visible, click Default Level, and then move the slider
to High.

Note: Setting the level to High may cause some Web sites to work incorrectly.
If you have difficulty using a Web site after you change this setting, and you
are sure the site is safe to use, you can add that site to your list of
trusted sites. This will allow the site to work correctly even with the
security setting set to High.

Impact of Workaround: There are side effects to prompting before running
ActiveX Controls and Active Scripting. Many Web sites that are on the Internet
or on an intranet use ActiveX or Active Scripting to provide additional
functionality. For example, an online e-commerce site or banking site may use
ActiveX Controls to provide menus, ordering forms, or even account statements.
Prompting before running ActiveX Controls or Active Scripting is a global
setting that affects all Internet and intranet sites. You will be prompted
frequently when you enable this workaround. For each prompt, if you feel you
trust the site that you are visiting, click Yes to run ActiveX Controls or
Active Scripting. If you do not want to be prompted for all these sites, use
the "Restrict Web sites to only your trusted Web sites" workaround.

Restrict Web sites to only your trusted Web sites

After you set Internet Explorer to require a prompt before it runs ActiveX
controls and Active Scripting in the Internet zone and in the Local intranet
zone, you can add sites that you trust to Internet Explorer's Trusted sites
zone. This will allow you to continue to use trusted Web sites exactly as you
do today, while helping to protect you from this attack on untrusted sites. We
recommend that you add only sites that you trust to the Trusted sites zone.
To do this, follow these steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click
   the Security tab.
2.
   In the Select a Web content zone to specify its current security settings
   box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click
   to clear the Require server verification (https:) for all sites in this
   zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you
   trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.

Add any sites that you trust not to take malicious action on your computer.
Two in particular that you may want to add are "*.windowsupdate.microsoft.com"
and "*.update.microsoft.com" (without the quotation marks). These are the
sites that will host the update, and it requires an ActiveX Control to install
the update.

Additional Suggested Actions

• Microsoft encourages users to exercise caution when they open e-mail
  messages and links in e-mail messages that come from untrusted sources. For
  more information about Safe Browsing, visit the Trustworthy Computing Web
  site.

• Customers in the U.S. and Canada who believe they may have been affected by
  this vulnerability can receive technical support from Microsoft Product
  Support Services at 1-866-PCSAFETY. There is no charge for support that is
  associated with security update issues or viruses. International customers
  can receive support by using any of the methods that are listed at the
  Security Help and Support for Home Users Web site.

• All customers should apply the most recent security updates released by
  Microsoft to help ensure that their systems are protected from attempted
  exploitation. Customers who have enabled Automatic Updates will
  automatically receive all Windows updates. For more information about
  security updates, visit the Microsoft Security Web site.

• Customers are encouraged to keep their antivirus software up to date.
  The Windows Defender (Beta 2) can also help protect your system from spyware
  and other potentially unwanted software. Customers can also visit Windows
  Live Safety Center and are encouraged to use the Complete Scan option to
  check for and remove malicious software that might take advantage of this
  vulnerability.

• Protect Your PC
  We continue to encourage customers to follow our Protect Your PC guidance
  of enabling a firewall, getting software updates and installing anti-virus
  software. Customers can learn more about these steps by visiting the
  Protect Your PC Web site.

• For more information about staying safe on the Internet, customers can
  visit the Microsoft Security Home Page.

• Keep Windows Updated
  All Windows users should apply the latest Microsoft security updates to
  help make sure that their computers are as protected as possible. If you
  are not sure whether your software is up to date, visit the Microsoft
  Update Web site, scan your computer for available updates, and install any
  high-priority updates that are offered to you. If you have Automatic
  Updates enabled, the updates are delivered to you when they are released,
  but you have to make sure you install them.

Resources:

• You can provide feedback by completing the form by visiting the following
  Web site.

• Customers in the U.S. and Canada can receive technical support from
  Microsoft Product Support Services. For more information about available
  support options, see the Microsoft Help and Support Web site.

• International customers can receive support from their local Microsoft
  subsidiaries. For more information about how to contact Microsoft for
  international support issues, visit the International Support Web site.

• The Microsoft TechNet Security Web site provides additional information
  about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without
warranty of any kind.
Microsoft disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose. In no
event shall Microsoft Corporation or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

Revisions:

• March 23, 2006: Advisory published

[***** End Microsoft Security Advisory (917077) *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.
If you are not part of these communities, please contact your agency's
response team to report incidents. Your agency's team will coordinate with
CIAC. The Forum of Incident Response and Security Teams (FIRST) is a
world-wide organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-144: ffmpeg
Q-145: Vulnerabilities in Microsoft Office
Q-146: Permissive Windows Services DACLs
Q-147: Macromedia Flash Player Update to Address Security Vulnerabilities
Q-148: Media Server BENGINE Service Job Log Format String Overflow
Q-150: unzip
Q-149: kernel-patch-vserver, util-vserver
Q-151: sendmail Security Update
Q-152: snmptrapfmt
Q-153: RealPlayer Security Update
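The Workarounds section of the Microsoft advisory above describes the Active Scripting and Trusted sites changes as Internet Options dialog steps, which is fine for one desktop but hard to verify across a fleet. The script below is an added example for this bulletin, not part of the CIAC or Microsoft text: it audits the per-user Internet Explorer zone settings those steps change, reports whether the Internet and Local intranet zones still have Active Scripting set to Enable, optionally changes them to Prompt, and lists the sites currently mapped to the Trusted sites zone. It assumes Internet Explorer's standard zone registry layout under HKCU (zone ids 1 = Local intranet, 2 = Trusted sites, 3 = Internet; REG_DWORD value "1400" for Active scripting with 0 = Enable, 1 = Prompt, 3 = Disable; ZoneMap\Domains for site-to-zone mappings) and the machine-wide override value Security_HKLM_only; none of those names appear in the advisory itself.

```powershell
# Added example; not part of the CIAC/Microsoft advisory. Audits (and with
# -Fix, applies) the per-user IE zone settings the Workarounds section changes
# by hand. Assumed registry layout (not stated in the advisory):
#   HKCU\...\Internet Settings\Zones\<id>      1 = Local intranet, 2 = Trusted
#                                               sites, 3 = Internet
#   REG_DWORD "1400" under a zone key          Active scripting: 0 = Enable,
#                                               1 = Prompt, 3 = Disable
#   HKCU\...\Internet Settings\ZoneMap\Domains\<domain>[\<host>]
#       values named by scheme ("http", "https" or "*") hold the zone id
#   HKLM\...\Internet Settings\Security_HKLM_only = 1 means per-machine
#       settings apply instead of the per-user values audited here
param(
    [switch]$Fix   # change Enable (0) to Prompt (1) in zones 1 and 3
)

$settingsRoot    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames       = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$scriptingValues = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingSetting {
    # Returns the raw "1400" value for a zone, or $null if key/value is absent.
    param([int]$ZoneId)
    $key   = Join-Path $settingsRoot "Zones\$ZoneId"
    $props = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.'1400'
}

function Set-ActiveScriptingPrompt {
    # Equivalent of "Active Scripting -> Prompt" in the Custom Level dialog.
    param([int]$ZoneId)
    $key = Join-Path $settingsRoot "Zones\$ZoneId"
    Set-ItemProperty -Path $key -Name '1400' -Value 1 -Type DWord
}

function Test-MachineZonesOnly {
    # Assumed value name: when set to 1, HKLM zone settings override HKCU ones.
    $machine = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $machine -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
    return ($null -ne $p -and [int]$p.'Security_HKLM_only' -eq 1)
}

function Get-TrustedSites {
    # Walks ZoneMap\Domains; every scheme value equal to 2 is a Trusted sites
    # entry, e.g. Domains\microsoft.com\update with "*" = 2 is *.update.microsoft.com.
    $domainsKey = Join-Path $settingsRoot 'ZoneMap\Domains'
    if (-not (Test-Path $domainsKey)) { return @() }
    $entries = @()
    foreach ($domain in Get-ChildItem -Path $domainsKey) {
        $keys = @($domain) + @(Get-ChildItem -Path $domain.PSPath)
        foreach ($k in $keys) {
            $props = Get-ItemProperty -Path $k.PSPath
            foreach ($name in $props.PSObject.Properties.Name) {
                if ($name -like 'PS*') { continue }            # provider metadata
                if ($props.$name -isnot [int] -or $props.$name -ne 2) { continue }
                $site = if ($k.PSPath -eq $domain.PSPath) { $domain.PSChildName }
                        else { "$($k.PSChildName).$($domain.PSChildName)" }
                $entries += "${name}://$site"
            }
        }
    }
    return $entries
}

if (Test-MachineZonesOnly) {
    Write-Warning 'Security_HKLM_only is set; machine-wide zone settings apply, not the HKCU values below.'
}

foreach ($zoneId in ($zoneNames.Keys | Sort-Object)) {
    $current = Get-ActiveScriptingSetting -ZoneId $zoneId
    if ($null -eq $current) {
        Write-Output ("{0,-15} zone: Active scripting value not present (zone default applies)" -f $zoneNames[$zoneId])
        continue
    }
    $label  = if ($scriptingValues.ContainsKey($current)) { $scriptingValues[$current] } else { "unknown ($current)" }
    $status = if ($current -eq 0) { 'NOT MITIGATED' } else { 'ok' }
    Write-Output ("{0,-15} zone: Active scripting = {1,-8} [{2}]" -f $zoneNames[$zoneId], $label, $status)
    if ($Fix -and $current -eq 0) {
        Set-ActiveScriptingPrompt -ZoneId $zoneId
        Write-Output ("{0,-15} zone: changed to Prompt" -f $zoneNames[$zoneId])
    }
}

Write-Output 'Trusted sites zone entries:'
$trusted = Get-TrustedSites
if ($trusted.Count -eq 0) { Write-Output '  (none)' }
else { $trusted | ForEach-Object { Write-Output "  $_" } }
```

Run it without arguments to report, or with `-Fix` to move any zone still at Enable to Prompt, which matches the advisory's first workaround and leaves Disable untouched where an administrator already chose it. The script deliberately only reads HKLM: if the machine-wide override is in force, the user-level values it reports are not the ones Internet Explorer applies, and the same audit would have to be repeated against the HKLM hive.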