CRIME FW: US-CERT Technical Cyber Security Alert TA04-163A -- Cross-Domain Redirect Vulnerability in Internet Explorer

From: George Heuston (GeorgeH@private)
Date: Fri Jun 11 2004 - 14:09:48 PDT

  • Next message: gepr@private: "RE: FW: 2nd Call--CRIME Meeting 8 June 2004, 10-Noon, @ Zoo Conf Rooms"

    -----Original Message-----
    From: US-CERT Technical Alerts [mailto:technical-alerts@us-cert.gov] 
    Sent: Friday, June 11, 2004 1:44 PM
    To: technical-alerts@us-cert.gov
    Subject: US-CERT Technical Cyber Security Alert TA04-163A --
    Cross-Domain Redirect Vulnerability in Internet Explorer 
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    Technical Cyber Security Alert TA04-163A
    
    Cross-Domain Redirect Vulnerability in Internet Explorer
    
       Original release date: June 11, 2004
       Last revised: --
       Source: US-CERT
    
    
    Systems Affected
    
         Microsoft Windows systems
    
    
    Overview
    
       A cross-domain vulnerability in Internet Explorer (IE) could allow an
       attacker to execute arbitrary code with the privileges of the user
       running IE.
    
    
    I. Description
    
       There is a cross-domain vulnerability in the way IE determines the
       security zone of a browser frame that is opened in one domain then
       redirected by a web server to a different domain. A complex set of
       conditions is involved, including a delayed HTTP response (3xx status
       code) to change the content of the frame to the new domain.
       Vulnerability Note VU#713878 describes this vulnerability in more
       technical detail and will be updated as further information becomes
       available.
    
       Other programs that host the WebBrowser ActiveX control or use the
       MSHTML rendering engine, such as Outlook and Outlook Express, may
    also
       be affected.
    
       This issue has been assigned CVE CAN-2004-0549.
    
    
    II. Impact
    
       By convincing a victim to view an HTML document (web page, HTML
       email), an attacker could execute script in a different security
       domain than the one containing the attacker's document. By causing
       script to be run in the Local Machine Zone, the attacker could
    execute
       arbitrary code with the privileges of the user running IE.
    
       Publicly available exploit code exists for this vulnerability, and
       US-CERT has monitored incident reports that indicate that this
       vulnerability is being actively exploited.
    
    
    III. Solution
    
       Until a complete solution is available from Microsoft, consider the
       following workarounds.
    
     Disable Active scripting and ActiveX controls
    
       Disabling Active scripting and ActiveX controls in the Internet Zone
       (or any zone used by an attacker) appears to prevent exploitation of
       this vulnerability. Disabling Active scripting and ActiveX controls
    in
       the Local Machine Zone will prevent widely used payload delivery
       techniques from functioning. Instructions for disabling Active
       scripting in the Internet Zone can be found in the Malicious Web
       Scripts FAQ. See Microsoft Knowledge Base Article 833633 for
       information about securing the Local Machine Zone. Also, Service Pack
       2 for Windows XP (currently at RC1) includes these and other security
       enhancements for IE.
     
     Do not follow unsolicited links
    
       Do not click on unsolicited URLs received in email, instant messages,
       web forums, or internet relay chat (IRC) channels. While this is
       generally good security practice, following this behavior will not
       prevent exploitation of this vulnerability in all cases.
      
     Maintain updated anti-virus software
    
       Anti-virus software with updated virus definitions may identify and
       prevent some exploit attempts. Variations of exploits or attack
       vectors may not be detected. Do not rely solely on anti-virus
    software
       to defend against this vulnerability. More information about viruses
       and anti-virus vendors is available on the US-CERT Computer Virus
       Resources page.
    
    
    Appendix B. References
    
         * Vulnerability Note VU#713878-
           <http://www.kb.cert.org/vuls/id/713878>
    
         * Malicious Web Scripts FAQ -
           <http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps>
    
         * Computer Virus Resources -
           <http://www.us-cert.gov/other_sources/viruses.html>
    
         * CVE CAN-2004-0549 -
           <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0549>
    
         * Microsoft Knowledge Base Article 833633 -
           <http://support.microsoft.com/default.aspx?scid=833633>
    
         * Windows XP Service Pack 2 RC1 -
     
    <http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wi
           nxpsp2.mspx>
    
         * Increase Your Browsing and E-Mail Safety -
           <http://www.microsoft.com/security/incident/settings.mspx>
    
         * Working with Internet Explorer 6 Security Settings -
     
    <http://www.microsoft.com/windows/ie/using/howto/security/settings
           .mspx>
    
         _________________________________________________________________
    
    
       Public incidents related to this vulnerability were reported by Rafel
       Ivgi. Thanks to Jelmer for further research and analysis.
     
        _________________________________________________________________
    
    
       Feedback can be directed to the author:  Art Manion.
    
       Send mail to <mailto:cert@private>.
    
       Please include the Subject line "TA04-163A Feedback VU#713878".
    
         _________________________________________________________________
    
    
       Copyright 2004 Carnegie Mellon University.
    
       Terms of use:  <http://www.us-cert.gov/legal.html>
    
         _________________________________________________________________
    
       The most recent version of this document can be found at:
    
         <http://www.us-cert.gov/cas/techalerts/TA04-163A.html>
    
         _________________________________________________________________
    
    
       Revision History
    
       June 11, 2004: Initial release
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)
    
    iD8DBQFAyhdcXlvNRxAkFWARAt2eAKCRDeqWLNgG+xXJtd0PyRGeN+S69ACfcXoi
    GDMew8rDUjleel9OLMqs9W4=
    =ZAyn
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Fri Jun 11 2004 - 14:57:12 PDT