[SNS Advisory No.67] The Return of the Content-Disposition Vulnerability in IE

From: SecureNet Service(SNS) Spiffy Reviews (snsadvat_private)
Date: Wed Aug 20 2003 - 21:56:23 PDT


    ----------------------------------------------------------------------
    SNS Advisory No.67
    The Return of the Content-Disposition Vulnerability in IE
    
    Problem first discovered on: Wed, 18 Sep 2002
    Published on: Thu, 21 Aug 2003
    ----------------------------------------------------------------------
    
    Overview:
    ---------
      Microsoft Internet Explorer is prone to a vulnerability that can, 
      under several conditions, result in the automatic download and 
      parsing of a specific tag included in HTML files in the My Computer
      zone without the knowledge of the user.
    
    
    Problem Description:
    --------------------
      If a specific MIME type is specified in the Content-Type header of 
      an HTTP response and a special string is defined in the 
      Content-Disposition header, this string can be automatically 
      downloaded and opened within the Temporary Internet Files (TIF) 
      under several conditions in Microsoft Internet Explorer.  A malicious 
      website administrator can induce a user to view a specially crafted 
      web site, causing the script to be executed automatically when the 
      malicious contents are viewed.  Execution of the script can then 
      disclose the path to the TIF directory to the attacker.
    
      Additionally, if this vulnerability is exploited through a specific 
      string in the Content-Disposition header, the OBJECT tag can be 
      parsed in the "My Computer" zone.  If the user accesses the 
      malicious Web site, the attacker will then be able to execute 
      programs on the computer with the user's privileges.
    
    
    Tested Version:
    ---------------
      Internet Explorer 6 Service Pack 1 Japanese Edition
    
    
    Solution:
    ---------
      Apply an appropriate patch available at:
    
      Microsoft Security Bulletin MS03-032:
      http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
    
      Microsoft Security Bulletin MS03-032(Japanese site):
      http://www.microsoft.com/japan/technet/security/bulletin/MS03-032.asp 
    
    
    Discovered by:
    --------------
      Yuu Arai y.araiat_private
    
    
    Acknowledgements:
    -----------------
    
      Thanks to:
      Security Response Team of Microsoft Asia Limited
    
    
    Disclaimer:
    -----------
      The information contained in this advisory may be revised without prior 
      notice and is provided as it is. Users shall take their own risk when 
      taking any actions following reading this advisory. LAC Co., Ltd. shall 
      take no responsibility for any problems, loss or damage caused by, or 
      by the use of information provided here.
    
      This advisory can be found at the following URL: 
      http://www.lac.co.jp/security/english/snsadv_e/67_e.html
    
    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadvat_private>
    Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
    


