SECURITYVULNS:DOC:2546
Feb 26, 2002

Buffer Overflow in Microsoft Internet Explorer

Internet Security Systems Alert
February 25, 2002

Buffer Overflow in Microsoft Internet Explorer

Synopsis:

ISS X-Force has learned of a buffer overflow vulnerability in Microsoft
Internet Explorer versions 5.5 and 6.0. This vulnerability may be
exploited by delivering specially-crafted HTML code to Internet Explorer
or email clients that use Internet Explorer to render HTML email.
Successful exploitation of this vulnerability could allow attackers to
run commands on the computers that access malicious Web sites. This
vulnerability may also be an effective method of spreading malicious
content if integrated into a mass-emailing Internet worm.

Affected Versions:

Microsoft Internet Explorer versions 5.5 and 6.0

Due to the surge in popularity of HTML formatted email, many
applications may use Internet Explorer to render these documents. Any
email client that uses Internet Explorer for this feature may be
vulnerable as well.

Description:

A vulnerability exists in the Microsoft plug-in handling implementation
of the <EMBED> HTML tag. This tag allows Web pages to include content
that is either displayed or executed in real-time. This type of
functionality is used for various functions, such as playing audio
files, running ActiveX controls, or displaying video clips. The <EMBED>
tag is read by the Web browser to determine what type of content is
provided (through the use of MIME types) and where the content is
located. The Microsoft implementation of <EMBED> was extended to provide
more granular control of the properties of the content.

When Internet Explorer parses an <EMBED> tag, it will check the MIME
type to determine if Internet Explorer can operate on the content or if
it needs to spawn an external plug-in. Internet Explorer or the plug-in
will parse the "SRC" portion of the <EMBED> tag for the location of the
special content. The vulnerability exists in the parsing routines of the
"SRC" portion of the <EMBED> tag. Attackers may be able to craft a
specific "SRC" string to trigger a buffer overflow that may lead to the
compromise of the vulnerable client.

This type of vulnerability is commonly referred to as a "client-side"
vulnerability. The exploit is only executed when a user visits an
infected Web site or receives and opens an infected email. As with other
dangerous client-side vulnerabilities, this code can be used to create
mass-emailing Internet worms that infect machines when users open
malicious email messages.
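
As an added illustration (not part of the ISS advisory, and not ISS or Microsoft code), the following Python code shows how a mail or Web content filter could flag <EMBED> tags whose "SRC" value is unusually long, in both raw HTML and the HTML parts of an email message. The 256-character limit, the function names and the sample message are assumptions made for this example; the advisory does not state the length that triggers the overflow.

```python
from email import message_from_string
from html.parser import HTMLParser

# Assumption: the advisory gives no overflow length. 256 is an arbitrary
# policy limit for this example and should be tuned against local traffic.
MAX_SRC_LEN = 256


class EmbedSrcScanner(HTMLParser):
    """Records (line, src_length) for each <embed> with an oversized src."""
    def __init__(self, limit):
        super().__init__()
        self.limit, self.findings = limit, []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <EMBED SRC=...>
        # and <embed src=...> are treated alike; duplicate src attributes
        # are all checked.
        if tag == "embed":
            self.findings += [(self.getpos()[0], len(v)) for n, v in attrs
                              if n == "src" and v and len(v) > self.limit]


def scan_html(html, limit=MAX_SRC_LEN):
    scanner = EmbedSrcScanner(limit)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_email(raw_message, limit=MAX_SRC_LEN):
    """Scan every text/html part of a message, decoding base64/QP bodies."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "latin-1"
            findings += scan_html(body.decode(charset, "replace"), limit)
    return findings


# Constructed sample message for this example (not real traffic).
SAMPLE = (
    "From: a@example.com\nSubject: test\nMIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n\n"
    '<html><body>\n<embed type="audio/midi" src="intro.mid">\n'
    '<EMBED TYPE="audio/midi" SRC="' + "x" * 600 + '.mid">\n</body></html>\n'
)

if __name__ == "__main__":
    print(scan_email(SAMPLE))
```

A length check of this kind is a stopgap for content filtering; it does not replace the patch described under Recommendations.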

Recommendations:

X-Force recommends that all Internet Explorer, Outlook, and Outlook
Express users apply the latest cumulative patch for Internet Explorer.
This patch contains a fix for the vulnerability documented in this
advisory. Anyone using an email client that can read HTML formatted
email may also be vulnerable, and these users should also install the
latest patches from their vendor.

To access the latest Microsoft Internet Explorer patch, refer to
Microsoft Security Bulletin MS02-005 at:
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp

A check for this vulnerability will be included in Internet Scanner XPU
6.6, which will be available soon from the ISS Download Center at:
http://www.iss.net/download

X-Force recommends that all Windows users visit the Microsoft Windows
Update Web site on a regular basis. It is designed to help end users and
administrators manage update deployment. X-Force recommends that
Microsoft Windows XP users turn on "Automatic Updates".

To enable Automatic Updates, go to Control Panel -> Performance and
Maintenance -> System, and then click the Automatic Updates tab.
X-Force recommends that users enable the second option, which will
notify the user when updates are ready to download and again when the
updates are ready to install. For more information, visit:
http://windowsupdate.microsoft.com

There are viable workarounds to help mitigate the risk of this
vulnerability and other client-side vulnerabilities. Users should
consider enabling Security Zones within Internet Explorer, Outlook, and
Outlook Express. All Microsoft Office users should also install the
latest Microsoft Office Product Updates. The Microsoft Email Security
Update will change default settings of how potentially malicious emails
are handled within Microsoft email clients. Visit the Microsoft Office
Product Update Web site for more information:
http://office.microsoft.com/productupdates/

Additional Information:

Advisory - buffer overflow in mshtml.dll,
http://www.security.nnov.ru/advisories/mshtml.asp

CERT Advisory CA-2002-04: Buffer Overflow in Microsoft Internet
Explorer,
http://www.cert.org/advisories/CA-2002-04.html

CERT Vulnerability Note VU#932283,
http://www.kb.cert.org/vuls/id/932283

Microsoft Security Bulletin MS02-005,
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp

Microsoft Knowledge Base Article Q317731,
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731

ISS X-Force Database,
http://www.iss.net/security_center/static/8116.php

ISS Download Center,
http://www.iss.net/download


About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email [email protected] for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
[email protected] of Internet Security Systems, Inc.