[Snort-sigs] [Fwd: CERT Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer]
vjayl at ...375...
Mon Feb 25 15:24:05 EST 2002
Does any one have a signature for this yet? Thanks!
CERT Advisory wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> CERT Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer
> Original release date: February 25, 2002
> Last revised: --
> Source: CERT/CC
> A complete revision history can be found at the end of this file.
> Systems Affected
> * Microsoft Internet Explorer
> * Microsoft Outlook and Outlook Express
> * Other applications that use the Internet Explorer HTML rendering
> Microsoft Internet Explorer contains a buffer overflow vulnerability
> in its handling of embedded objects in HTML documents. This
> vulnerability could allow an attacker to execute arbitrary code on the
> victim's system when the victim visits a web page or views an HTML
> email message.
> I. Description
> Internet Explorer supports the <EMBED> directive, which can be used to
> include arbitrary objects in HTML documents. Common types of embedded
> objects include multimedia files, Java applets, and ActiveX controls.
> The SRC attribute specifies the source path and filename of an object.
> For example, a MIDI sound might be embedded in a web page with the
> following HTML code:
> <EMBED TYPE="audio/midi" SRC="/path/sound.mid" AUTOSTART="true">
> Internet Explorer uses attributes of the <EMBED> directive and MIME
> information from the web server to determine how to handle an embedded
> object. In most cases, a separate application or plugin is used.
> A group of Russian researchers, SECURITY.NNOV, has reported that
> Internet Explorer does not properly handle the SRC attribute of the
> <EMBED> directive. An HTML document, such as a web page or HTML email
> message, that contains a crafted SRC attribute can trigger a buffer
> overflow, executing code with the privileges of the user viewing the
> document. Microsoft Internet Explorer, Outlook, and Outlook Express
> are vulnerable. Other applications that use the Internet Explorer HTML
> rendering engine, such as Windows compiled HTML help (.chm) files and
> third-party email clients, may also be vulnerable.
> The CERT/CC is tracking this vulnerability as VU#932283, which
> corresponds directly to the "buffer overrun" vulnerability described
> in Microsoft Security Bulletin MS02-005.
> This vulnerability has been assigned the CVE identifier CAN-2002-0022.
> II. Impact
> By convincing a user to view a malicious HTML document, an attacker
> can cause the Internet Explorer HTML rendering engine to execute
> arbitrary code with the privileges of the user who viewed the HTML
> document. This vulnerability could be exploited to distribute viruses,
> worms, or other malicious code.
> III. Solution
> Apply a patch
> Microsoft has released a cumulative patch for Internet Explorer that
> corrects this vulnerability and several others. For more information
> about the patch and the vulnerabilities, please see Microsoft Security
> Bulletin MS02-005:
> Disable ActiveX Controls and Plugins
> In Internet Explorer, plugins may be used to view, play, or otherwise
> process embedded objects. The execution of embedded objects is
> controlled by the "Run ActiveX Controls and Plugins" security option.
> Disabling this option will prevent embedded objects from being
> processed, and will therefore prevent exploitation of this
> According to MS02-005:
> The vulnerability could not be exploited if the "Run ActiveX
> Controls and Plugins" security option were disabled in the Security
> Zone in which the page was rendered. This is the default condition
> in the Restricted Sites Zone, and can be disabled manually in any
> other Zone.
> At a minimum, disable the "Run ActiveX Controls and Plugins" security
> option in the Internet Zone and the zone used by Outlook or Outlook
> Express. The "Run ActiveX Controls and Plugins" security option is
> disabled in the "High" zone security setting. Instructions for
> configuring the Internet Zone to use the "High" zone security setting
> can be found in the CERT/CC Malicious Web Scripts FAQ:
> Apply the Outlook Email Security Update
> Another way to effectively disable the processing of ActiveX controls
> and plugins in Outlook is to install the Outlook Email Security
> Update. The update configures Outlook to open email messages in the
> Restricted Sites Zone, where the "Run ActiveX Controls and Plugins"
> security option is disabled by default. In addition, the update
> provides further protection against malicious code that attempts to
> propagate via Outlook.
> * Outlook 2002 and Outlook Express 6
> The functionality of the Outlook Email Security Update is included
> in Outlook 2002 and Outlook Express 6.
> * Outlook 2000
> * Outlook 98
> Appendix A. - Vendor Information
> This appendix contains information provided by vendors for this
> advisory. When vendors report new information to the CERT/CC, we
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> Microsoft has released a Security Bulletin and a Knowledge Base
> Article addressing this vulnerability:
> * Security Bulletin MS02-005
> * Knowledge Base Article Q317731
> Our email client Mulberry does not use the core HTML rendering engine
> library for its HTML display, and so is not affected by the bug in
> that library. Having looked at the details of this alert I can also
> confirm that our own HTML rendering engine is not affected by this, as
> it ignores the relevant tags.
> Appendix B. - References
> 1. http://www.kb.cert.org/vuls/id/932283
> 2. http://www.security.nnov.ru/advisories/mshtml.asp
> 3. http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
> 4. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731
> 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0022
> 6. http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/
> 7. http://developer.netscape.com/docs/manuals/htmlguid/tags14.htm#128
> The CERT/CC thanks ERRor and DarkZorro of domain Hell and 3APA3A of
> SECURITY.NNOV for reporting this issue to us.
> Author: Art Manion
> This document is available from:
> CERT/CC Contact Information
> Email: cert at ...376...
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
> Using encryption
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> If you prefer to use DES, please call the CERT hotline for more
> Getting security information
> CERT publications and other security information are available from
> our web site
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo at ...377... Please include in the body of your
> subscribe cert-advisory
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> Conditions for use, disclaimers, and sponsorship information
> Copyright 2002 Carnegie Mellon University.
> Revision History
> February 25, 2002: Initial release
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> -----END PGP SIGNATURE-----
V.Jay LaRosa EMC Corporation
Systems Administrator 171 South Street
(508)435-1000 ext 14957 Hopkinton, MA 01748
(508)497-8082 fax www.emc.com
More information about the Snort-sigs