Vulnerability Note VU#205148

Microsoft Internet Explorer does not properly evaluate Content-Type and Content-Disposition headers

Overview

A cross-domain scripting vulnerability exists in the way Microsoft Internet Explorer (IE) evaluates Content-Type and Content-Disposition headers and checks for files in the local browser cache. This vulnerability could allow a remote attacker to execute arbitrary script in a different domain, including the Local Machine Zone.

I. Description

Microsoft Security Bulletin MS03-032 describes a vulnerability in the way IE checks for files in the local browser cache:

A flaw in Internet Explorer could allow a malicious Web site operator to access information in another Internet domain, or on the user's local system by injecting specially crafted code when the browser checks for the existence of files in the browser cache. ...There is a flaw in the way Internet Explorer checks the originating domain when checking for the existence of local files in the browser cache.

SNS Advisory No.67 further elaborates:

If specific MIME type is specified in the Content-Type header of an HTTP response and if a special string is defined in the Content-Disposition header, this string can be automatically downloaded and opened within the Temporary Internet Files (TIF) under several conditions in Microsoft Internet Explorer. ...Additionally, if this vulnerability is exploited through a specific string in the Content-Disposition header, the OBJECT tag can be parsed in the "My Computer" zone.

Presumably, specially crafted Content-Type and Content-Disposition headers can cause IE to execute script in a different domain, including the Local Machine Zone. It seems that the contents of the Content-Disposition header is treated as HTML code, and any script in those contents is executed without regard to cross-domain security restrictions. For some reason, IE considers the script to be in the Local Machine Zone, when files in the Temporary Internet Files directory should not be trusted and are typically treated as if they were in the Internet zone.

II. Impact

An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could execute arbitrary script with privileges of the user in the security context of the Local Machine Zone. This technique could be used to read certain types of files in known locations on the user's system. In conjunction with other vulnerabilities (VU#626395, VU#25249), the attacker could execute arbitrary commands on the user's system. The attacker could also determine the path to the Temporary Internet Files folder (cache) and access data from other web sites.

III. Solution

Apply patch

Apply 822925 or a more recent cumulative patch for IE. See Microsoft Security Bulletin MS03-032.

Systems Affected

Vendor	Status	Date Updated
Microsoft Corporation	Vulnerable	25-Aug-2003

References

http://www.lac.co.jp/security/english/snsadv_e/67_e.html
http://www.microsoft.com/security/security_bulletins/ms03-032.asp
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;822925
http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp
http://www.secunia.com/advisories/9580/
http://www.securityfocus.com/bid/8457
http://xforce.iss.net/xforce/xfdb/12961

Credit

Microsoft credits LAC/SNS for reporting this vulnerability. Information used in this document came from LAC/SNS and Microsoft.

This document was written by Art Manion.

Other Information

Date Public	08/20/2003
Date First Published	08/25/2003 03:55:37 PM
Date Last Updated	08/26/2003
CERT Advisory	CA-2003-22
CVE Name	CAN-2003-0531
US-CERT Technical Alerts
Metric	20.27
Document Revision	22

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader