Vulnerability Note VU#580299

Microsoft Internet Explorer contains URL decoding cross-domain vulnerability

Original Release date: 08 Feb 2005 | Last revised: 14 Jun 2005

Overview

A URL decoding vulnerability in Microsoft Internet Explorer may allow remote attackers to bypass zone security restrictions and execute arbitrary code on affected systems.

Description

IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Internet Security Manager Object determines which zone or domain a URL exists in and what actions can be performed.

An attacker may encode the host portion of a URL in a way that results in Internet Explorer evaluating content under the wrong security domain. The URL may contain special characters that are encoded twice, resulting in Internet Explorer evaluating a document on the remote server as belonging to the "My Computer" zone (Local Machine Zone). Internet Explorer may then allow arbitrary code to be executed due to less restrictive permissions in the Local Machine Zone.

Impact

Remote attackers may be able to execute arbitrary code with the privileges of a user running Internet Explorer. Attackers may also be able to perform cross-site scripting attacks and mislead users by displaying spoofed URLs. To exploit this vulnerability, the attacker must convince the user to visit a malicious web page.

Solution

Apply an update
Microsoft Windows users should use Windows Update, enable Automatic Updates, or apply the relevant patches outlined in Microsoft Security Bulletin MS05-014, described in Microsoft Knowledge Base Article 867282.


Install Windows XP Service Pack 2 (SP2)

Microsoft Windows XP SP2 includes a feature called Local Machine Zone Lockdown, as well as other improvements. The Local Machine Zone Lockdown prevents Internet Explorer and several other programs from evaluating script in the Local Machine Zone. While this does not remove the vulnerability, it does help prevent an attacker from executing script in the Local Machine Zone.

Apply the Outlook Email Security Update

Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6. Outlook 2003 includes these and other security enhancements.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Use a different web browser

There are a number of significant vulnerabilities in technologies involving the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected08 Feb 200508 Feb 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to the Microsoft Corporation for reporting this vulnerability, who in turn credit Jouko Pynnönen with reporting the information.

This document was written by Ken MacInnis based primarily on information provided by the Microsoft Corporation.

Other Information

  • CVE IDs: CAN-2005-0054
  • Date Public: 08 Feb 2005
  • Date First Published: 08 Feb 2005
  • Date Last Updated: 14 Jun 2005
  • Severity Metric: 35.10
  • Document Revision: 23

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.