__________________________________________________________ U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Microsoft Incorrect VBScript Handling in IE [Microsoft Security Bulletin MS02-009] February 25, 2002 19:00 GMT Number M-045 ______________________________________________________________________________ PROBLEM: A flaw exists in how VBScript is handled in IE relating to validating cross-domain access. PLATFORM: Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 5.5 Microsoft Internet Explorer 6.0 DAMAGE: A malicious user could exploit this vulnerability by using scripting to extract the contents of frames in other domains, then sending that content back to their web site. This would enable the attacker to view files on the user's local machine. SOLUTION: Apply available patch. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. The vulnerability could only be used to ASSESSMENT: view files. It could not be used to create, delete, modify or execute the files. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-045.shtml ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-009.asp PATCHES: http://www.microsoft.com/windows/ie/downloads/critical/q318089/default.asp http://www.microsoft.com/Windowsupdate ______________________________________________________________________________ [***** Start Microsoft Security Bulletin MS02-009 *****] Microsoft Security Bulletin MS02-009 Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files Originally posted: February 21, 2002 Summary Who should read this bulletin: Customers using Microsoft® Internet Explorer. Impact of vulnerability: Information Disclosure Maximum Severity Rating: Critical Recommendation: Customers using IE should apply the patch. Affected Software: Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 5.5 Microsoft Internet Explorer 6.0 Technical description: Frames are used in Internet Explorer to provide for a fuller browsing experience. By design, scripts in the frame of one site or domain should be prohibited from accessing the content of frames in another site or domain. However, a flaw exists in how VBScript is handled in IE relating to validating cross-domain access. This flaw can allow scripts of one domain to access the contents of another domain in a frame. A malicious user could exploit this vulnerability by using scripting to extract the contents of frames in other domains, then sending that content back to their web site. This would enable the attacker to view files on the user's local machine or capture the contents of third-party web sites the user visited after leaving the attacker’s site. The latter scenario could, in the worst case, enable the attacker to learn personal information like user names, passwords, or credit card information. In both cases, the user would either have to go to a site under the attacker's control or view an HTML email sent by the attacker. In addition, the attacker would have to know the exact name and location of any files on the user's system. Further, the attacker could only gain access to files that can be displayed in a browser window, such as text files, HTML files, or image files. Mitigating factors: The vulnerability could only be used to view files. It could not be used to create, delete, modify or execute them. The vulnerability would only allow an attacker to read files that can be opened in a browser window, such as image files, HTML files and text files. Other file types, such as binary files, executable files, Word documents, and so forth, could not be read. The attacker would need to specify the exact name and location of the file in order to read it. The email-borne attack scenario would be blocked if the user were using any of the following: Outlook 98 or 2000 with the Outlook Email Security Update installed; Outlook 2002; or Outlook Express 6. Severity Rating: Internet Servers Intranet Servers Client Systems Internet Explorer 5.01 Moderate Moderate Critical Internet Explorer 5.5 Moderate Moderate Critical Internet Explorer 6.0 Moderate Moderate Critical The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. This vulnerability affects the disclosure of personal information, and is most likely to have an impact on client systems. Vulnerability identifier: CAN-2002-0052 Patch availability Download locations for this patch http://www.microsoft.com/windows/ie/downloads/critical/q318089/default.asp http://www.microsoft.com/Windowsupdate Additional information about this patch Installation platforms: The IE 5.01 patch can be applied to Windows 2000 Systems with Service Pack 2 running IE 5.01. The IE 5.5 patch can be installed on systems running IE 5.5 Service Pack 1 or Service Pack 2. The IE 6.0 patch can be installed on system running IE 6.0 Gold. Inclusion in future service packs: The fix for this issue will be included in Internet Explorer 6.0 Service Pack 1. Reboot needed: Yes Superseded patches: None. Verifying patch installation: To verify the individual files, use the patch manifest provided in Knowledge Base article Q318089. Caveats: Third-party scripting languages may be affected by this issue. An architectural change is being made in a future service pack of IE that will ensure that this cannot be an issue for third-party scripting languages. Localization: Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches". Obtaining other security patches: Patches for other security issues are available from the following locations: Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". Patches for consumer platforms are available from the WindowsUpdate web site All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site. Other information: Acknowledgments Microsoft thanks Zentai Peter Aron, Ivy Hungary Ltd (http://w3.ivy.hu/) for reporting this issue to us and working with us to protect customers. Support: Microsoft Knowledge Base article Q318089 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site. Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches. Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: V1.0 (February 21, 2002): Bulletin Created. [***** End Microsoft Security Bulletin MS02-009 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft Corporation for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-035: Red Hat Linux "rsync" Vulnerability M-036: Microsoft Windows NT/2000 Trust Domain Vulnerability M-037: Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module M-038: Cisco Secure Access Control Server NDS User Authentication Vulnerability M-039: Microsoft Telnet Server Buffer Overflow Vulnerability M-040: MS Exchange - Incorrectly Sets Remote Registry Permissions M-041: Microsoft Internet Explorer Cumulative Patch M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP M-043: Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability M-044: SQL Server Remote Data Source Function Contain Unchecked Buffers