Vulnerability Note VU#784102
Microsoft Internet Explorer does not properly validate source of URL stored in Travel Log
Microsoft Internet Explorer (IE) does not properly determine the source of script used in URLs stored in the "Travel Log." An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. From Microsoft Security Bulletin MS04-004:
One of the principal security functions of a browser is to ensure that browser windows that are under the control of different Web sites cannot interfere with each other or access each other's data, while allowing windows from the same site to interact with each other. To differentiate between cooperative and uncooperative browser windows, the concept of a "domain" has been created. A domain is a security boundary - any open windows within the same domain can interact with each other, but windows from different domains cannot. The cross-domain security model is the part of the security architecture that keeps windows from different domains from interfering with each other.
This URL will display an alert dialog with the contents of the HTTP cookie for the current site:
The cross-domain security model should not allow script from one domain to read or modify data in a different domain using this type of "script URL".
The MS03-048 patch prevents script URLs from being directly stored in the travel log. It is still possible, however, to use other techniques, such as frames (BackToFramedJpu) or certain DHTML methods (Andreas Sandblad #12), to store script URLs in the travel log. These two attack vectors are blocked by the MS04-004 patch.
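As an added illustration, not code from the advisory or from Microsoft, the following model shows the two properties a travel log needs to avoid this class of bug: a script URL carries no security origin of its own, so it must be attributed to the document that initiated the navigation (never to the history entry it sits beside), and script URLs are not recorded in the log at all. The zone label for file: URLs and the sample navigations are constructed for the example.

```javascript
// Added example (not from the advisory): a travel-log model that attributes
// "script URLs" to the initiating document and refuses to store them.
const SCRIPT_SCHEMES = new Set(["javascript:", "vbscript:"]);

// Security origin for a navigation target. The WHATWG URL parser normalises
// scheme case and trims surrounding whitespace, so "JavaScript:" is caught.
// Script URLs inherit the initiator's origin; they never get their own.
function securityOrigin(rawUrl, initiatorOrigin) {
  const url = new URL(rawUrl, initiatorOrigin); // throws on unparsable input
  if (SCRIPT_SCHEMES.has(url.protocol)) {
    return { kind: "script", origin: initiatorOrigin };
  }
  if (url.protocol === "file:") {
    // Simplified: IE treats local files as the Local Machine Zone (label is ours).
    return { kind: "document", origin: "local-machine-zone" };
  }
  return { kind: "document", origin: url.origin };
}

class TravelLog {
  constructor() { this.entries = []; }
  // Only document URLs are recorded, mirroring the post-MS03-048 behaviour the
  // advisory describes. The origin stored is the one the entry will run under.
  push(rawUrl, initiatorOrigin) {
    const info = securityOrigin(rawUrl, initiatorOrigin);
    if (info.kind === "script") {
      return { stored: false, reason: "script URL not stored in travel log" };
    }
    const href = new URL(rawUrl, initiatorOrigin).href;
    this.entries.push({ url: href, origin: info.origin });
    return { stored: true, reason: "" };
  }
  // Going "back" yields a document entry and its origin; nothing is evaluated.
  back() { return this.entries.pop() || null; }
}

// Constructed sample navigations: a normal page, a script URL that an
// attacker-controlled page tries to push into the log, and a local file.
function demo() {
  const log = new TravelLog();
  const page = log.push("https://example.test/page", "https://example.test");
  const script = log.push("JavaScript:alert(document.cookie)", "https://attacker.test");
  const local = log.push("file:///C:/Windows/", "https://attacker.test");
  return { page, script, local, entries: log.entries.length };
}
```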
An attacker could exploit this vulnerability using a crafted HTML document containing script. Due to the way IE determines the MIME type of a file referenced by a URL, an HTML document may not necessarily have the expected file name extension (.html or .htm).
Any program that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected; however, recent versions of these programs open mail in the Restricted Sites Zone where ActiveX controls and Active scripting are disabled by default.
By convincing a victim to view an HTML document (web page, HTML email), an attacker could evaluate script in a different security domain than the one containing the attacker's document. If the script is evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. The attacker could also read or modify data in other web sites (read cookies/content, modify/create content, etc.).
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | 25 Nov 2003 | 02 Feb 2004 |
This vulnerability was publicly reported by Liu Die Yu. Thanks to Microsoft for information used in this document.
This document was written by Art Manion.
- CVE IDs: CAN-2003-1026
- Date Public: 25 Nov 2003
- Date First Published: 02 Feb 2004
- Date Last Updated: 17 Feb 2004
- Severity Metric: 41.01
- Document Revision: 38