Vulnerability Note VU#842160
Microsoft Internet Explorer vulnerable to buffer overflow via FRAME and IFRAME elements
Overview
Microsoft Internet Explorer (IE) contains a buffer overflow vulnerability that can be exploited to execute arbitrary code with the privileges of the user running IE.
I. Description
A heap buffer overflow vulnerability exists in the way IE handles the SRC and NAME attributes of HTML elements such as FRAME and IFRAME. Publicly available exploit code uses JavaScript to prepare the heap by allocating memory with blocks that consist of NOP slides and shell code. After mishandling overly long SRC and NAME attributes, IE dereferences a memory address that may fall within one of the prepared heap blocks, running through the NOP slide and executing the attacker's shell code. Without the ability to prepare the heap (i.e., without Active scripting), it becomes more difficult for the attacker to execute arbitrary code. Note, however, that an attacker could use techniques other than Active scripting to prepare the heap to more easily execute arbitrary code.
It appears that this vulnerability was discovered using the mangleme tool.
Other programs (e.g., Outlook, Outlook Express, AOL, Lotus Notes) that use the WebBrowser ActiveX control could be affected by this vulnerability.
Based on currently available information, IE 6 on Windows XP SP2 is not vulnerable.
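The description above gives a defender two things to look for in a captured page: FRAME/IFRAME elements whose SRC or NAME attribute is far longer than any legitimate value, and script that prepares the heap by replicating a NOP slide plus payload across many allocations. The following Node.js scanner is an added example written for this note; it is not code from CERT, Microsoft, or the published exploit. The length threshold (MAX_ATTR_LEN), the three heap-spray heuristics, and the two HTML samples are constructed assumptions for illustration, not signatures published with the advisory, and the "payload" name in the sample is a placeholder containing no shell code.

```javascript
// Added example (not from VU#842160 or Microsoft): static scan of an HTML document
// for the two ingredients the note describes. Thresholds, regexes and samples are
// constructed assumptions, not published indicators.

// Assumed threshold: legitimate SRC/NAME values are far shorter than this.
const MAX_ATTR_LEN = 1024;

// Parse the attributes of every <frame> and <iframe> open tag.
function findFrameElements(html) {
  const tagRe = /<(i?frame)\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const elements = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      // Whichever quoting form matched carries the value.
      const value = attr[2] !== undefined ? attr[2] : attr[3] !== undefined ? attr[3] : attr[4];
      attrs[attr[1].toLowerCase()] = value;
    }
    elements.push({ tag: tag[1].toLowerCase(), attrs });
  }
  return elements;
}

// Condition 1: an overly long SRC or NAME on FRAME/IFRAME, the trigger the note describes.
function findLongFrameAttributes(html, maxLen = MAX_ATTR_LEN) {
  const findings = [];
  for (const el of findFrameElements(html)) {
    for (const name of ['src', 'name']) {
      const value = el.attrs[name];
      if (value !== undefined && value.length > maxLen) {
        findings.push({ tag: el.tag, attribute: name, length: value.length });
      }
    }
  }
  return findings;
}

// Condition 2: script that prepares the heap (NOP slide + payload replicated across
// many allocations). Three assumed heuristics; they are illustrative, not exhaustive.
const SPRAY_HEURISTICS = [
  { name: 'unicode-escaped NOP slide (%u9090 repeated)',
    re: /unescape\s*\(\s*["'](?:%u9090){4,}/i },
  { name: 'string doubling loop until a target size',
    re: /while\s*\(\s*\w+\.length\s*<\s*(?:0x[0-9a-f]+|\d+)\s*\)\s*\w+\s*\+=\s*\w+/i },
  { name: 'array fill with slide + payload concatenation',
    re: /for\s*\([^)]*\)\s*\{?\s*\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+/i },
];

function findHeapSprayIndicators(html) {
  const hits = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    for (const h of SPRAY_HEURISTICS) {
      if (h.re.test(m[1]) && !hits.includes(h.name)) hits.push(h.name);
    }
  }
  return hits;
}

// The long attribute is the trigger; spray indicators alone are weaker evidence, since the
// note says the heap can also be prepared without Active scripting.
function scanDocument(html) {
  const longAttributes = findLongFrameAttributes(html);
  const heapSpray = findHeapSprayIndicators(html);
  let verdict = 'clean';
  if (longAttributes.length > 0 && heapSpray.length > 0) verdict = 'trigger+spray';
  else if (longAttributes.length > 0) verdict = 'trigger';
  else if (heapSpray.length > 0) verdict = 'spray-only';
  return { longAttributes, heapSpray, verdict };
}

// Constructed samples (not captured from the pages referenced by the note).
const BENIGN_HTML = [
  '<html><body>',
  '<script>document.getElementById("nav").src = "nav.html";</script>',
  '<iframe src="http://example.invalid/page.html" name="content"></iframe>',
  '</body></html>',
].join('\n');

const SUSPICIOUS_HTML = [
  '<html><body>',
  '<script>',
  'var nops = unescape("%u9090%u9090%u9090%u9090%u9090%u9090");',
  'while (nops.length < 0x40000) nops += nops;',
  'var blocks = new Array();',
  'for (var i = 0; i < 200; i++) blocks[i] = nops + payload; // payload is a placeholder name',
  '</script>',
  // SRC and NAME padded well past the threshold; the padding is arbitrary filler.
  '<iframe src="http://example.invalid/' + 'A'.repeat(4000) + '" name="' + 'B'.repeat(2048) + '"></iframe>',
  '</body></html>',
].join('\n');

console.log(JSON.stringify(scanDocument(BENIGN_HTML)));
console.log(JSON.stringify(scanDocument(SUSPICIOUS_HTML)));
```

Run it with `node scan.js`; the benign sample reports verdict "clean" and the suspicious sample reports both long attributes (SRC and NAME) plus all three spray heuristics. The heuristics deliberately key on the exact idioms the note describes (a NOP slide built with unescape, a doubling loop, and an array fill), so obfuscated variants will evade them; treat the script as a triage aid for captured pages, not as a substitute for the MS04-040 patch.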
II. Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code with the privileges of the user. The attacker could also cause IE (or the program using the WebBrowser control) to crash.
Public reports indicate that this vulnerability is used by malicious code called Bofra (also identified as variants of W32/MyDoom).
III. Solution
Apply a Patch
Apply the patch referenced in MS04-040.
Install Windows XP Service Pack 2 (SP2)
Microsoft Windows XP SP2 is not affected by this vulnerability.
Disable Active scripting
Disabling Active scripting makes it somewhat more difficult for an attacker to prepare the heap in order to execute arbitrary code reliably. At a minimum, disable Active scripting in the Internet zone and in the zone used by Outlook, Outlook Express, or any other software that uses the WebBrowser ActiveX control. Instructions for disabling Active scripting can be found in the Malicious Web Scripts FAQ. Note that an attacker may be able to prepare the heap using other techniques, in which case disabling Active scripting would only provide defense against attacks that use Active scripting.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.
Use current versions of Outlook or Outlook Express
By default, Outlook Express 6, Outlook 2002, and Outlook 2003 use the Restricted Sites Zone to display HTML messages. Because IFRAME and FRAME elements are not rendered in the Restricted Sites Zone, these email clients do not act as attack vectors by default.
Render email in plain text
Configure email client software (mail user agent [MUA]) to render email messages in plain text. Instructions to configure Outlook 2002, Outlook 2003, and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594, 831607, and 291387, respectively.
Maintain updated antivirus software
Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.
Systems Affected
References
http://www.us-cert.gov/cas/techalerts/TA04-315A.html
https://www.us-cert.gov/cas/techalerts/TA04-336A.html
http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56
http://www.us-cert.gov/current/current_activity.html#w32/mydoom
http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx
http://support.microsoft.com/kb/889293
http://support.microsoft.com/kb/889669
http://msdn.microsoft.com/workshop/browser/overview/Overview.asp
http://support.microsoft.com/kb/154036
http://freshmeat.net/projects/mangleme/
http://www.securityfocus.com/archive/1/380175
http://secunia.com/advisories/12959/
http://www.auscert.org.au/render.html?it=4527
http://www.lurhq.com/iframeads.html
http://www.theregister.co.uk/2004/11/21/register_adserver_attack/
http://www.sophos.com/virusinfo/articles/howbofrawork.html
Credit
This vulnerability was publicly reported by ned and SkyLined.
This document was written by Art Manion.
Other Information
| Date Public | 11/02/2004 |
| Date First Published | 11/03/2004 05:05:21 PM |
| Date Last Updated | 12/10/2004 |
| CERT Advisory | |
| CVE Name | CAN-2004-1050 |
| US-CERT Technical Alerts | |
| Metric | 63.79 |
| Document Revision | 40 |