ldyguique
04-12-2004, 05:04 PM
Modified: 14 Apr 04 --
US-CERT released the following in their newsletter:
Security Bulletin MS04-013: Cumulative Security Update for Outlook Express (837009) (http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx) (One can verify if the update was installed by:
Click on Start | Control Panel | Add/Remove Programs
Outlook Express will show the code: Q837009 if it's installed
This bulletin addresses a vulnerability affecting the systems listed below. The vulnerability affects the Microsoft Windows MHTML Protocol handler and any applications that use it, including Microsoft Outlook and Internet Explorer. This vulnerability has been assigned VU#323070 and CAN-2004-0380.
Note: MS04-013 includes patches remediating the vulnerability described in TA04-099A.
________________________
To make a long story short, there is an IE vulnerability that was first discovered last summer and Microsoft issued a patch for it in August; however, it's reappeared and MS has not confirmed nor denied whether or not the existing patch fixes the new vulnerability (which probably means that is does not).
The US-CERT (Homeland Security's Computer group) issued an advisory on April 5th, and updated it on April 7th giving a manual fix of sorts (the entire article is below and Section III. Solution is in bold).
Here's how the latest threat works: IE references an inaccessible or non-existent MIME encapsulation of aggregate HTML (MHTML) file using ITS and MHTML protocols; when it finds no Compiled HTML Help (CHM) file, ITS protocol handlers can be duped into accessing a CHM file from another domain.
Since there are currently three viruses/worms that can exploit this particular vulnerability "in the wild" (W32/Bugbear, the BloodHound.Exploit.6 and the Ibiza trojan) AND the exact code on how to create the exploit appears on several websites, US-CERT broke current policy which is to advise of a vulnerability at the time of releasing the patch.
Note: Disabling Active X will not fix the problem; doing the regedit gives one protection but not full protection; changing browsers away from IE may or maynot help as the MHTML in question is part and parcel of the OS; it is advised that one not click on any links in Outlook Express or Outlook that are "unexpected;" and A-V software may or maynot protect one.
Vulnerability Note VU#323070
Microsoft Internet Explorer does not properly validate source of CHM components referenced by ITS protocol handlers
Overview
Microsoft Internet Explorer (IE) does not adequately validate the source of script contained in compiled help (CHM) file components that are referenced by the Microsoft InfoTech Storage (ITS) protocol handlers. An attacker could exploit this vulnerability to execute script in different security domains. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.
I. Description
The Cross Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Local Machine Zone is "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."
HTML Help
The Microsoft HTML Help system "...is the standard help system for the Windows platform." HTML Help components can be compiled to "...compress HTML, graphic, and other files into a relatively small compiled help (.chm) file...". The resulting compiled Help (CHM) file can then "...be distributed with a software application, or downloaded from the Web." The Help Viewer application "...uses the underlying components of Microsoft Internet Explorer to display help content. It supports HTML, ActiveX, Java, scripting languages (JScript, and Microsoft Visual Basic Scripting Edition)...".
The InfoTech Storage Format
CHM files use the Microsoft InfoTech Storage format (ITS). IE can access components within CHM files (via the IStorage interface) using several protocol handlers: ms-its, ms-itss, its, mk:@MSITStore.
For example, the following URL references an HTML file within a CHM file hosted on a remote web site:
ms-its:http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html
This URL references a local CHM file:
ms-its:file://c:\directory\path\compiledhelpfile.chm:/htmlfile.html
MIME Encapsulation of Aggregate HTML Documents (MHTML)
MHTML (RFC 2110) provides a way to include multiple components of an HTML document (HTML, images, script, etc.) in a single MIME email message. The ITS protocol handlers can also reference objects contained within MHTML documents:
ms-its:mhtml:file://c:\directory\path\mhtmlfile.mhtml
The ITS protocol handlers can specify an alternate location for MHTML content (URL is wrapped):
ms-its:mhtml:file://c:\file_does_not_exist.mhtml!http://www.example.com/directory/
path/compiledhelpfile.chm:/htmlfile.html
The Problem
If an ITS protocol handler is unable to access the specified MHTML file, the handler will attempt to access the content specified by the alternate location. The ITS protocol handlers incorrectly treat HTML content from one domain (htmlfile.html in example.com) as if it were in a different domain (file://, the Local Machine Zone). This is a violation of the cross-domain security model. Limited testing shows that the ms-its, its, and mk:@MSITStore protocol handlers are vulnerable.
An attacker could exploit this vulnerability using a crafted HTML document containing script or an ActiveX object or possibly an IFRAME element. Due to the way IE determines the MIME type of a file referenced by a URL, an HTML document may not necessarily have the expected file name extension (.html or .htm). Likewise, a CHM file may not have the expected .chm extension.
Functional exploit code is publicly available, and there are reports of systems being compromised via this vulnerability (Ibiza trojan).
Any program that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected.
II. Impact
By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. The attacker could also read or modify data in other web sites (read cookies/content, modify/create content, etc.).
III. Solution
There is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.
Note: Disabling Active scripting or ActiveX controls is not an effective workaround
Disabling Active scripting and ActiveX controls in any zone does not prevent the exploitation of this vulnerability. Disabling these features in the Internet and Local Machine Zones may stop some attacks.
Disable ITS protocol handlers
Disabling ITS protocol handlers may prevent exploitation of this vulnerability. Rename the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Hand ler\{ms-its, its, mk}
Modifying the Windows registry in this way may have unintended consequences. On Windows XP and ME, disabling the ITS protocol handlers will reduce the functionality of the Help and Support Center (HSC).
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. US-CERT maintains a partial list of antivirus vendors.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). It is possible for a different browser on a Windows system to invoke IE to handle ITS protocol URLs.
Microsoft Corporation Vulnerable 5-Apr-2004
US-CERT released the following in their newsletter:
Security Bulletin MS04-013: Cumulative Security Update for Outlook Express (837009) (http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx) (One can verify if the update was installed by:
Click on Start | Control Panel | Add/Remove Programs
Outlook Express will show the code: Q837009 if it's installed
This bulletin addresses a vulnerability affecting the systems listed below. The vulnerability affects the Microsoft Windows MHTML Protocol handler and any applications that use it, including Microsoft Outlook and Internet Explorer. This vulnerability has been assigned VU#323070 and CAN-2004-0380.
Note: MS04-013 includes patches remediating the vulnerability described in TA04-099A.
________________________
To make a long story short, there is an IE vulnerability that was first discovered last summer and Microsoft issued a patch for it in August; however, it's reappeared and MS has not confirmed nor denied whether or not the existing patch fixes the new vulnerability (which probably means that is does not).
The US-CERT (Homeland Security's Computer group) issued an advisory on April 5th, and updated it on April 7th giving a manual fix of sorts (the entire article is below and Section III. Solution is in bold).
Here's how the latest threat works: IE references an inaccessible or non-existent MIME encapsulation of aggregate HTML (MHTML) file using ITS and MHTML protocols; when it finds no Compiled HTML Help (CHM) file, ITS protocol handlers can be duped into accessing a CHM file from another domain.
Since there are currently three viruses/worms that can exploit this particular vulnerability "in the wild" (W32/Bugbear, the BloodHound.Exploit.6 and the Ibiza trojan) AND the exact code on how to create the exploit appears on several websites, US-CERT broke current policy which is to advise of a vulnerability at the time of releasing the patch.
Note: Disabling Active X will not fix the problem; doing the regedit gives one protection but not full protection; changing browsers away from IE may or maynot help as the MHTML in question is part and parcel of the OS; it is advised that one not click on any links in Outlook Express or Outlook that are "unexpected;" and A-V software may or maynot protect one.
Vulnerability Note VU#323070
Microsoft Internet Explorer does not properly validate source of CHM components referenced by ITS protocol handlers
Overview
Microsoft Internet Explorer (IE) does not adequately validate the source of script contained in compiled help (CHM) file components that are referenced by the Microsoft InfoTech Storage (ITS) protocol handlers. An attacker could exploit this vulnerability to execute script in different security domains. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.
I. Description
The Cross Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Local Machine Zone is "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."
HTML Help
The Microsoft HTML Help system "...is the standard help system for the Windows platform." HTML Help components can be compiled to "...compress HTML, graphic, and other files into a relatively small compiled help (.chm) file...". The resulting compiled Help (CHM) file can then "...be distributed with a software application, or downloaded from the Web." The Help Viewer application "...uses the underlying components of Microsoft Internet Explorer to display help content. It supports HTML, ActiveX, Java, scripting languages (JScript, and Microsoft Visual Basic Scripting Edition)...".
The InfoTech Storage Format
CHM files use the Microsoft InfoTech Storage format (ITS). IE can access components within CHM files (via the IStorage interface) using several protocol handlers: ms-its, ms-itss, its, mk:@MSITStore.
For example, the following URL references an HTML file within a CHM file hosted on a remote web site:
ms-its:http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html
This URL references a local CHM file:
ms-its:file://c:\directory\path\compiledhelpfile.chm:/htmlfile.html
MIME Encapsulation of Aggregate HTML Documents (MHTML)
MHTML (RFC 2110) provides a way to include multiple components of an HTML document (HTML, images, script, etc.) in a single MIME email message. The ITS protocol handlers can also reference objects contained within MHTML documents:
ms-its:mhtml:file://c:\directory\path\mhtmlfile.mhtml
The ITS protocol handlers can specify an alternate location for MHTML content (URL is wrapped):
ms-its:mhtml:file://c:\file_does_not_exist.mhtml!http://www.example.com/directory/
path/compiledhelpfile.chm:/htmlfile.html
The Problem
If an ITS protocol handler is unable to access the specified MHTML file, the handler will attempt to access the content specified by the alternate location. The ITS protocol handlers incorrectly treat HTML content from one domain (htmlfile.html in example.com) as if it were in a different domain (file://, the Local Machine Zone). This is a violation of the cross-domain security model. Limited testing shows that the ms-its, its, and mk:@MSITStore protocol handlers are vulnerable.
An attacker could exploit this vulnerability using a crafted HTML document containing script or an ActiveX object or possibly an IFRAME element. Due to the way IE determines the MIME type of a file referenced by a URL, an HTML document may not necessarily have the expected file name extension (.html or .htm). Likewise, a CHM file may not have the expected .chm extension.
Functional exploit code is publicly available, and there are reports of systems being compromised via this vulnerability (Ibiza trojan).
Any program that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected.
II. Impact
By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. The attacker could also read or modify data in other web sites (read cookies/content, modify/create content, etc.).
III. Solution
There is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.
Note: Disabling Active scripting or ActiveX controls is not an effective workaround
Disabling Active scripting and ActiveX controls in any zone does not prevent the exploitation of this vulnerability. Disabling these features in the Internet and Local Machine Zones may stop some attacks.
Disable ITS protocol handlers
Disabling ITS protocol handlers may prevent exploitation of this vulnerability. Rename the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Hand ler\{ms-its, its, mk}
Modifying the Windows registry in this way may have unintended consequences. On Windows XP and ME, disabling the ITS protocol handlers will reduce the functionality of the Help and Support Center (HSC).
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. US-CERT maintains a partial list of antivirus vendors.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). It is possible for a different browser on a Windows system to invoke IE to handle ITS protocol URLs.
Microsoft Corporation Vulnerable 5-Apr-2004