Vulnerability Note VU#865940
Microsoft Internet Explorer does not properly evaluate "application/hta" MIME type referenced by DATA attribute of OBJECT element
Microsoft Internet Explorer (IE) will execute an HTML Application (HTA) referenced by the DATA attribute of an OBJECT element if the Content-Type header returned by the web server is set to "application/hta". An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user running IE.
1. The OBJECT element
Instead of accepting the server-supplied Content-Type header as recommended in RFC 2616, IE uses a rather complicated method to determine the MIME type of a file referenced by a URI. In many cases, IE will download and parse a file as part of the MIME type determination process. This check is unable to differentiate between HTA and HTML files since both files are essentially text files that contain HTML code. As a result, IE accepts the MIME Content-Type provided by the server.
4. The problem
When accessing an HTA file directly, IE prompts the user to download or run the file. However, when an HTA file is referenced by the DATA attribute of an OBJECT element, and the web server returns the Content-Type header set to "application/hta", IE may execute the HTA file directly, without user intervention. The HTML used to reference the HTA file can be created in at least three ways:
Any program that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected, however, recent versions of these programs open mail in the Restricted Sites Zone where ActiveX controls and plug-ins and Active scripting are disabled by default.
This vulnerability is documented in an advisory from eEye Digital Security and Microsoft Security Bulletins MS03-032 and MS03-040.
The CERT/CC has received reports of this vulnerability being exploited to install backdoors and DDoS tools, read AIM credentials from the registry, install porn dialers, and modify DNS settings (QHosts). See Incident Note IN-2003-04 for further information.
By convincing a victim to view an HTML document (web page, HTML email), a remote attacker could execute arbitrary code with the privileges of the victim.
Block Content-Type headers
Use an application layer firewall, HTTP proxy, or similar technology to block or modify HTTP Content-Type headers with the value "application/hta". This technique may not work for encrypted HTTP connections and it may break applications that require the "application/hta" Content-Type header.
Use a host-based firewall to deny network access to the HTA host: %SystemRoot%\system32\mshta.exe. Examining network traces of known attack vectors, it seems that the exploit HTML/HTA code is accessed three times, twice by IE and once by mshta.exe. The HTA is instantiated at some point before the third access attempt. Blocking mshta.exe prevents the third access attempt, which appears prevent the exploit code from being loaded into the HTA. There may be other attack vectors that circumvent this workaround. For example, a vulnerability that allowed data in the browser cache to be loaded into the HTA could remove the need for mshta.exe to access the network. This technique may break applications that require HTAs to access the network. Also, specific host-based firewalls may or may not properly block mshta.exe from accessing the network.
Maintain updated antivirus software
Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability. The CERT/CC maintains a partial list of antivirus vendors.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||25 Aug 2003||05 Oct 2003|
CVSS Metrics (Learn More)
Microsoft credits eEye Digital Security for reporting this vulnerability. Information used in this document came from eEye, Microsoft, and http_equiv.
This document was written by Art Manion.
- CVE IDs: CVE-2003-0532
- CERT Advisory: CA-2003-22
- Date Public: 20 Aug 2003
- Date First Published: 25 Aug 2003
- Date Last Updated: 29 Jul 2009
- Severity Metric: 56.70
- Document Revision: 134
If you have feedback, comments, or additional information about this vulnerability, please send us email.