Vulnerability Note VU#323070
Outlook Express MHTML protocol handler does not properly validate source of alternate content
The Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler does not adequately validate the source of alternate content. An attacker could exploit this vulnerability to access data and execute script in different security domains. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running the program that invoked the handler, typically Internet Explorer (IE).
The Cross Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Local Machine Zone is "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust." The determination of what zone and/or domain a URL exists in and what actions can be performed in that zone is made by the Internet Security Manager Object.
This URL references a local CHM file:
MIME Encapsulation of Aggregate HTML Documents (MHTML)
The ITS protocol handlers can specify an alternate location for MHTML content (URL is wrapped):
By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. The attacker could also read or modify data in other web sites and in the Local Machine Zone (read cookies/content, modify/create content, etc.).
Install a patch
Disabling the ITS and MHTML protocol handlers may prevent exploitation of this vulnerability. Delete or rename the following registry keys:
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.
Read and send email in plain text format
Outlook 2002 SP1 and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. US-CERT maintains a partial list of antivirus vendors.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). It is possible for a different browser on a Windows system to invoke IE to handle MHTML protocol URLs.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||02 Apr 2004||13 Apr 2004|
CVSS Metrics (Learn More)
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/ _cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp">http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/ _cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp
This vulnerability was reported by Liu Die Yu. Thanks to http-equiv for additional research and collaboration.
This document was written by Art Manion.
- CVE IDs: CAN-2004-0380
- Date Public: 25 Nov 2003
- Date First Published: 05 Apr 2004
- Date Last Updated: 17 Jun 2005
- Severity Metric: 76.50
- Document Revision: 84
If you have feedback, comments, or additional information about this vulnerability, please send us email.