LeRoi
06-08-2004, 12:05 PM
TITLE:
Internet Explorer Local Resource Access and Cross-Zone Scripting
Vulnerabilities
SECUNIA ADVISORY ID:
SA11793
VERIFY ADVISORY:
http://secunia.com/advisories/11793/
CRITICAL:
Extremely critical
IMPACT:
Security Bypass, System access
WHERE:
From remote
SOFTWARE:
Microsoft Internet Explorer 6
DESCRIPTION:
Two vulnerabilities have been reported in Internet Explorer, which in
combination with other known issues can be exploited by malicious
people to compromise a user's system.
1) A variant of the "ms-its:" local resource access vulnerability can
be exploited via a specially crafted URL in the "Location:" HTTP
header to open locally installed "CHM" help files.
Example:
URL:ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm
2) A cross-zone scripting error can be exploited to execute files in
the "Local Machine" security zone.
Secunia has confirmed the vulnerabilities in a fully patched system
with Internet Explorer 6.0. It has been reported that the preliminary
SP2 prevents exploitation by denying access.
Successful exploitation requires that a user can be tricked into
following a link or viewing a malicious HTML document.
NOTE: The vulnerabilities are actively being exploited in the wild to
install adware on users' systems.
SOLUTION:
Disable Active Scripting support for all but trusted web sites.
Remove support for the "ms-its:" URI handler.
PROVIDED AND/OR DISCOVERED BY:
Originally discovered in the wild.
Detailed analysis of exploit by Jelmer.
OTHER REFERENCES:
Jelmer's posting on Full-Disclosure:
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html
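A detection-side sketch for item 1 of the advisory, added here as an example and not taken from the post or from Secunia: it scans HTTP response headers, as captured by a proxy, for "Location:" values that redirect to the "ms-its:" handler or to any scheme other than http/https. The function names, the http/https allowlist and the sample response are assumptions made for illustration.

```python
import re

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only these are expected in redirects
CHM_SCHEMES = {"ms-its"}              # protocol handler named in the advisory
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def redirect_scheme(location):
    """Return the lower-cased scheme of a Location value, or None if it is relative."""
    value = location.strip()
    # The advisory's example carries a leading "URL:" prefix; peel it off first.
    while value[:4].lower() == "url:":
        value = value[4:].lstrip()
    match = _SCHEME.match(value)
    return match.group(1).lower() if match else None


def classify(location):
    """Label one Location value: 'ok', 'chm-handler' or 'unexpected-scheme'."""
    scheme = redirect_scheme(location)
    if scheme is None or scheme in ALLOWED_SCHEMES:
        return "ok"
    return "chm-handler" if scheme in CHM_SCHEMES else "unexpected-scheme"


def scan_response(raw_headers):
    """Return (location, verdict) for each suspicious Location header in a response."""
    findings = []
    for line in raw_headers.splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            verdict = classify(value)
            if verdict != "ok":
                findings.append((value.strip(), verdict))
    return findings


# Constructed sample: a redirect carrying the URL form quoted in the advisory.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: URL:ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/iegetsrt.htm\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for location, verdict in scan_response(SAMPLE_RESPONSE):
        print(verdict, location)
```

The same check can run in a filtering proxy to drop such responses before they reach the browser, alongside the workarounds listed under SOLUTION.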