|发信人：firstname.lastname@example.org (I'll be back)，信区：cn.bbs.comp.security
标 题：US-CERT Technical Cyber Security Alert TA04-099A -- Vulnera (转
【 以下文字转载自 BugTraqML 讨论区 】
发信人: email@example.com (CERT Advisory), 信区: BugTraqML
标 题: US-CERT Technical Cyber Security Alert TA04-099A -- Vulnerabil
ity in I
发信站: NCTU CSIE FreeBSD Server (Fri Apr 9 08:47:21 2004)
出 处: freebsd.csie.nctu.edu.tw
-----BEGIN PGP SIGNED MESSAGE-----
Vulnerability in Internet Explorer ITS Protocol Handler
Original release date: April 8, 2004
Last revised: --
* Microsoft Windows systems running Internet Explorer
A cross-domain scripting vulnerability in Microsoft Internet Explor
(IE) could allow an attacker to execute arbitrary code with the
privileges of the user running IE. The attacker could also read and
manipulate data on web sites in other domains or zones.
There is a cross-domain scripting vulnerability in the way ITS
protocol handlers determine the security domain of an HTML componen
stored in a Compiled HTML Help (CHM) file. The HTML Help system
"...uses the underlying components of Microsoft Internet Explo
display help content. It supports HTML, ActiveX, Java, [and] script
languages (JScript, and Microsoft Visual Basic Scripting Edition).&
CHM files use the InfoTech Storage (ITS) format to store components
such as HTML files, graphic files, and ActiveX objects. IE provides
several protocol handlers that can access ITS files and individual
components: its:, ms-its:, ms-itss:, and mk:@MSITStore:. IE also ha
the ability to access parts of MIME Encapsulation of Aggregate HTML
Documents (MHTML) using the mhtml: protocol handler.
When IE references an inaccessible or non-existent MHTML file using
the ITS and mhtml: protocols, the ITS protocol handlers can access
CHM file from an alternate source. IE incorrectly treats the CHM fi
as if it were in the same domain as the unavailable MHTML file. Usi
a specially crafted URL, an attacker can cause arbitrary script in
CHM file to be executed in a different domain, violating the
cross-domain security model.
Any programs that use the WebBrowser ActiveX control or the IE HTML
rendering engine (MSHTML) may be affected by this vulnerability.
Internet Explorer, Outlook, and Outlook Express are all examples of
such programs. Any programs, including other web browsers, that use
the IE protocol handlers (URL monikers) could function as attack
vectors. Also, due to the way that IE determines MIME types, HTML a
CHM files may not have the expected file name extensions (.htm/.htm
and .chm respectively).
NOTE: Using an alternate web browser may not mitigate this
vulnerability. It may be possible for a web browser other than IE o
Windows system to invoke IE to handle ITS protocol URLs.
US-CERT is tracking this issue as VU#323070. This reference number
corresponds to CVE candidate CAN-2004-0380.
By convincing a victim to view an HTML document such as a web page
HTML email message, an attacker could execute script in a different
security domain than the one containing the attacker's document. By
causing script to be run in the Local Machine Zone, the attacker co
execute arbitrary code with the privileges of the user running IE.
attacker could also read or modify data in other web sites (includi
reading cookies or content and modifying or creating content).
Publicly available exploit code exists for this vulnerability. US-C
has monitored incident reports that indicate that this vulnerabilit
is being exploited. The Ibiza trojan, variants of W32/Bugbear, and
BloodHound.Exploit.6 are some example of malicious code that exploi
this vulnerability. It is important to note that any arbitrary
executable payload could be delivered via this vulnerability, and
different anti-virus vendors may identify malicious code with
A malicious web site or email message may contain HTML similar to t
(This URL is intentionally modified to avoid detection by
In this example, HTML and script in exploit.html will be executed i
the security context of the Local Machine Zone. It is common practi
for exploit.html to either contain or download an executable payloa
such as a backdoor, trojan horse, virus, bot, or other malicious co
Note that it is possible to encode a URL in an attempt to bypass HT
content inspection or anti-virus software.
Currently, there is no complete solution for this vulnerability. Un
a patch is available, consider the workarounds listed below.
Disable ITS protocol handlers
Disabling ITS protocol handlers appears to prevent exploitation of
this vulnerability. Delete or rename the following registry keys:
Disabling these protocol handlers will significantly reduce the
functionality of the Windows Help system and may have other uninten
consequences. Plan to undo these changes after patches have been
tested and installed. Follow good Internet security practices
These recommended security practices will help to reduce exposure t
attacks and mitigate the impact of cross-domain vulnerabilities.
* Disable Active scripting and ActiveX controls
NOTE: Disabling Active scripting and ActiveX controls will not
prevent the exploitation of this vulnerability.
Disabling Active scripting and ActiveX controls in the Internet
and Local Machine Zones may stop certain types of attacks and w
prevent exploitation of different cross-domain vulnerabilities.
Disable Active scripting and ActiveX controls in any zones used
read HTML email.
Disabling Active scripting and ActiveX controls in the Local
Machine Zone will prevent malicious code that requires Active
scripting and ActiveX controls from running. Changing these
settings may reduce the functionality of scripts, applets, Wind
components, or other applications. See Microsoft Knowledge Base
Article 833633 for detailed information about security settings
for the Local Machine Zone. Note that Service Pack 2 for Window
XP includes these changes.
* Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant
messages, web forums, or Internet relay chat (IRC) channels.
* Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify
and prevent some exploit attempts. Variations of exploits or
attack vectors may not be detected. Do not rely solely on
anti-virus software to defend against this vulnerability. More
information about viruses and anti-virus vendors is available o
the US-CERT Computer Virus Resources page.
Appendix B. References
* Vulnerability Note VU#323070 -
* US-CERT Computer Virus Resources -
* CVE CAN-2004-0380 -
* Introduction to URL Security Zones -
* About Cross-Frame Scripting and Security -
* MIME Type Determination in Internet Explorer -
* URL Monikers -
* Asynchronous Pluggable Protocols -
* Microsoft HTML Help 1.4 SDK -
* Microsoft Knowledge Base Article 182569 -
* Microsoft Knowledge Base Article 174360 -
* Microsoft Knowledge Base Article 833633 -
* Windows XP Service Pack 2 Technical Preview -
* AusCERT Update AU-2004.007 - <http://www.auscert.org.au/3990
This vulnerability was reported by Thor Larholm.
Feedback can be directed to the author: Art Manion.
Copyright 2004 Carnegie Mellon University.
April 8, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----