SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#637760

Microsoft Internet Explorer Install Engine contains a buffer overflow vulnerability

Overview

The Active Setup Install Engine in Microsoft Internet Explorer contains a buffer overflow vulnerability. This may allow an attacker to take complete control of a vulnerable system.

I. Description

The Active Setup Install Engine (inseng.dll) permits cabinet files to be launched and executed. Cabinet files are archives used to store the various files used by ActiveX controls. The Install Engine, which decompresses these cab files, contains a buffer overflow vulnerability. An attacker could exploit this vulnerability by convincing a user to install an ActiveX control that is contained in a specially crafted cabinet file.

II. Impact

An attacker could execute arbitrary code with the privileges of the user logged on to the target machine. If the user is logged on with administrative privileges, the attacker could take complete control of an affected system.

III. Solution

Apply a patch

Apply the patch referenced in MS04-038.

Disable Active scripting and ActiveX

Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning. Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone. Also, Service Pack 2 for Windows XP (currently in beta release) includes these and other security enhancements for IE.

Apply the Outlook Email Security Update

Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6. Outlook 2003 includes these and other security enhancements.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. US-CERT maintains a partial list of anti-virus vendors.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Systems Affected

VendorStatusDate NotifiedDate Updated
Microsoft CorporationVulnerable13-Oct-2004

References


http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx
http://secunia.com/advisories/12806/

Credit

The Microsoft Security Bulletin credits Greg Jones and Peter Winter-Smith for reporting this vulnerability.

This document was written by Will Dormann, based on the information provided in the Microsoft Security Bulletin.

Other Information

Date Public:2004-10-12
Date First Published:2004-10-13
Date Last Updated:2004-10-13
CERT Advisory: 
CVE-ID(s):CAN-2004-0216
NVD-ID(s):CAN-2004-0216
US-CERT Technical Alerts: 
Metric:18.81
Document Revision:5

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader