[Snort-sigs] [Fwd: CERT Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer]

Vjay LaRosa vjayl at ...375...
Mon Feb 25 15:24:05 EST 2002


Does any one have a signature for this yet? Thanks!

vjl



CERT Advisory wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer
>
>    Original release date: February 25, 2002
>    Last revised: --
>    Source: CERT/CC
>
>    A complete revision history can be found at the end of this file.
>
> Systems Affected
>
>      * Microsoft Internet Explorer
>      * Microsoft Outlook and Outlook Express
>      * Other  applications  that use the Internet Explorer HTML rendering
>        engine
>
> Overview
>
>    Microsoft  Internet  Explorer contains a buffer overflow vulnerability
>    in   its   handling  of  embedded  objects  in  HTML  documents.  This
>    vulnerability could allow an attacker to execute arbitrary code on the
>    victim's  system  when  the  victim visits a web page or views an HTML
>    email message.
>
> I. Description
>
>    Internet Explorer supports the <EMBED> directive, which can be used to
>    include  arbitrary objects in HTML documents. Common types of embedded
>    objects  include multimedia files, Java applets, and ActiveX controls.
>    The SRC attribute specifies the source path and filename of an object.
>    For  example,  a  MIDI  sound might be embedded in a web page with the
>    following HTML code:
>
>      <EMBED TYPE="audio/midi" SRC="/path/sound.mid" AUTOSTART="true">
>
>    Internet  Explorer  uses  attributes of the <EMBED> directive and MIME
>    information from the web server to determine how to handle an embedded
>    object. In most cases, a separate application or plugin is used.
>
>    A  group  of  Russian  researchers,  SECURITY.NNOV,  has reported that
>    Internet  Explorer  does  not properly handle the SRC attribute of the
>    <EMBED>  directive. An HTML document, such as a web page or HTML email
>    message,  that  contains  a crafted SRC attribute can trigger a buffer
>    overflow,  executing  code with the privileges of the user viewing the
>    document.  Microsoft  Internet  Explorer, Outlook, and Outlook Express
>    are vulnerable. Other applications that use the Internet Explorer HTML
>    rendering  engine, such as Windows compiled HTML help (.chm) files and
>    third-party email clients, may also be vulnerable.
>
>    The  CERT/CC  is  tracking  this  vulnerability  as  VU#932283,  which
>    corresponds  directly  to the "buffer overrun" vulnerability described
>    in Microsoft Security Bulletin MS02-005.
>
>    This vulnerability has been assigned the CVE identifier CAN-2002-0022.
>
> II. Impact
>
>    By  convincing  a  user to view a malicious HTML document, an attacker
>    can  cause  the  Internet  Explorer  HTML  rendering engine to execute
>    arbitrary  code  with  the  privileges of the user who viewed the HTML
>    document. This vulnerability could be exploited to distribute viruses,
>    worms, or other malicious code.
>
> III. Solution
>
> Apply a patch
>
>    Microsoft  has  released a cumulative patch for Internet Explorer that
>    corrects  this  vulnerability and several others. For more information
>    about the patch and the vulnerabilities, please see Microsoft Security
>    Bulletin MS02-005:
>
>      http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
>
> Disable ActiveX Controls and Plugins
>
>    In  Internet Explorer, plugins may be used to view, play, or otherwise
>    process  embedded  objects.  The  execution  of  embedded  objects  is
>    controlled  by the "Run ActiveX Controls and Plugins" security option.
>    Disabling  this  option  will  prevent  embedded  objects  from  being
>    processed,   and   will   therefore   prevent   exploitation  of  this
>    vulnerability.
>
>    According to MS02-005:
>
>      The  vulnerability  could  not  be  exploited  if  the "Run ActiveX
>      Controls and Plugins" security option were disabled in the Security
>      Zone  in which the page was rendered. This is the default condition
>      in  the  Restricted Sites Zone, and can be disabled manually in any
>      other Zone.
>
>    At  a minimum, disable the "Run ActiveX Controls and Plugins" security
>    option  in  the  Internet Zone and the zone used by Outlook or Outlook
>    Express.  The  "Run  ActiveX  Controls and Plugins" security option is
>    disabled  in  the  "High"  zone  security  setting.  Instructions  for
>    configuring  the Internet Zone to use the "High" zone security setting
>    can be found in the CERT/CC Malicious Web Scripts FAQ:
>
>      http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps
>
> Apply the Outlook Email Security Update
>
>    Another  way to effectively disable the processing of ActiveX controls
>    and  plugins  in  Outlook  is  to  install  the Outlook Email Security
>    Update.  The  update  configures Outlook to open email messages in the
>    Restricted  Sites  Zone,  where the "Run ActiveX Controls and Plugins"
>    security  option  is  disabled  by  default.  In  addition, the update
>    provides  further  protection  against malicious code that attempts to
>    propagate via Outlook.
>
>      * Outlook 2002 and Outlook Express 6
>        The functionality of the Outlook Email Security Update is included
>        in Outlook 2002 and Outlook Express 6.
>      * Outlook 2000
>        http://office.microsoft.com/downloads/2000/Out2ksec.aspx
>      * Outlook 98
>        http://office.microsoft.com/downloads/9798/Out98sec.aspx
>
> Appendix A. - Vendor Information
>
>    This  appendix  contains  information  provided  by  vendors  for this
>    advisory.  When  vendors  report  new  information  to the CERT/CC, we
>    update this section and note the changes in our revision history. If a
>    particular  vendor  is  not  listed  below, we have not received their
>    comments.
>
> Microsoft
>
>    Microsoft  has  released  a  Security  Bulletin  and  a Knowledge Base
>    Article addressing this vulnerability:
>      * Security Bulletin MS02-005
>        http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
>      * Knowledge Base Article Q317731
>        http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731
>
> Cyrusoft
>
>    Our  email client Mulberry does not use the core HTML rendering engine
>    library  for  its  HTML  display, and so is not affected by the bug in
>    that  library.  Having  looked at the details of this alert I can also
>    confirm that our own HTML rendering engine is not affected by this, as
>    it ignores the relevant tags.
>
> Appendix B. - References
>
>     1. http://www.kb.cert.org/vuls/id/932283
>     2. http://www.security.nnov.ru/advisories/mshtml.asp
>     3. http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
>     4. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731
>     5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0022
>     6. http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/
>        embed.asp
>     7. http://developer.netscape.com/docs/manuals/htmlguid/tags14.htm#128
>        6379
>
>      _________________________________________________________________
>
>    The  CERT/CC  thanks  ERRor and DarkZorro of domain Hell and 3APA3A of
>    SECURITY.NNOV for reporting this issue to us.
>      _________________________________________________________________
>
>    Author: Art Manion
>    ______________________________________________________________________
>
>    This document is available from:
>    http://www.cert.org/advisories/CA-2002-04.html
>    ______________________________________________________________________
>
> CERT/CC Contact Information
>
>    Email: cert at ...376...
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>
>    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
>    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
>    during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
>    We  strongly  urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>
>    http://www.cert.org/CERT_PGP.key
>
>    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
>    information.
>
> Getting security information
>
>    CERT  publications  and  other security information are available from
>    our web site
>
>    http://www.cert.org/
>
>    To  subscribe  to  the CERT mailing list for advisories and bulletins,
>    send  email  to majordomo at ...377... Please include in the body of your
>    message
>
>    subscribe cert-advisory
>
>    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
>
>    NO WARRANTY
>    Any  material furnished by Carnegie Mellon University and the Software
>    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied  as  to  any matter including, but not limited to, warranty of
>    fitness  for  a  particular purpose or merchantability, exclusivity or
>    results  obtained from use of the material. Carnegie Mellon University
>    does  not  make  any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>      _________________________________________________________________
>
>    Conditions for use, disclaimers, and sponsorship information
>
>    Copyright 2002 Carnegie Mellon University.
>
> Revision History
>    February 25, 2002:  Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBPHppRKCVPMXQI2HJAQEunQP9Hn+YSjmwNSLM4//5JrHP0ydgt0DFzh5k
> 0X40VYjxXcls0r3uZrpfC80W2f7DF3lS2kNcys4aEl+OXkTLn3p2BEkGYFhitwbG
> Tl0KvoESvT6b/1/w3TCjBregrAxPEXdw9KwQ2JFm/jmpX1+Gr15X7b2TDbf4sxJy
> q3UC1EPU9JE=
> =Jtq3
> -----END PGP SIGNATURE-----

--
 V.Jay LaRosa                           EMC Corporation
 Systems Administrator                  171 South Street
 (508)435-1000 ext 14957                Hopkinton, MA 01748
 (508)497-8082 fax                      www.emc.com







More information about the Snort-sigs mailing list