Vulnerability Note VU#980499
Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML
A vulnerability exists in Microsoft Internet Explorer that allows a malicious agent to execute arbitrary code when parsing MIME parts in a document. Any user or program that uses vulnerable versions of Internet Explorer to render HTML in a document (for example, when browsing a filesystem, reading email or news messages, or visiting a web page) should immediately upgrade to a non-vulnerable version of Internet Explorer.
Internet Explorer contains a table that determines how it handles the MIME types it encounters in any HTML document (email messages, newsgroup postings, web pages, or local files). This table contains a set of entries that cause Internet Explorer to handle certain MIME parts incorrectly, introducing a security vulnerability. Specifically, these incorrect entries lead IE to open specific MIME parts without giving the end user the opportunity to decide whether they should be opened. This vulnerability allows an intruder to construct malicious content that, when viewed in Internet Explorer (or any program that uses the IE HTML rendering engine), can execute arbitrary code. It is not necessary to run an attachment; simply viewing the document in a vulnerable program is sufficient.
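Because a vulnerable client may open a MIME part without prompting, a mail or news gateway cannot rely on the declared Content-Type or on the user declining an attachment. The following is an added example, not part of the original advisory or of any vendor's code: it walks every leaf MIME part of a message and reports parts whose file name has an executable extension. The extension list, the mismatch heuristic and the sample message are assumptions constructed for illustration; the advisory itself names no specific MIME types or extensions.

```python
import os
from email import message_from_string
from email.policy import default

# Assumption of this example: extensions a Windows client would execute.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

# Constructed sample message (not captured traffic).
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>hello</body></html>
--b1
Content-Type: image/gif; name="photo.exe"
Content-Disposition: inline; filename="photo.exe"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def executable_parts(raw):
    """Return one finding per leaf MIME part whose file name looks executable."""
    findings = []
    for part in message_from_string(raw, policy=default).walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
            continue
        # A declared media type that disagrees with the extension is flagged separately.
        findings.append({
            "name": name,
            "declared_type": part.get_content_type(),
            "disposition": part.get_content_disposition(),
            "type_mismatch": part.get_content_maintype() != "application",
        })
    return findings
```

A gateway would quarantine or strip the reported parts before delivery; parts with `type_mismatch` set deserve the closest review.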
The systems affected by this vulnerability include:
IE 6 is not affected by this issue.
For more details, see Microsoft Security Bulletin MS01-020 (or Microsoft Knowledgebase article Q290108) on this topic at:
MS01-027. On May 15, 2002, Microsoft released a cumulative set of patches for Internet Explorer as discussed in MS02-023.
There have been reports that simply previewing HTML content (as in a mail client or filesystem browser) is sufficient to trigger the vulnerability.
This vulnerability is now being actively exploited. More information about the activity and remediation can be found in CERT Advisory CA-2001-26: Nimda Worm. This vulnerability has been exploited further, as discussed in CERT Incident Note IN-2002-05.
Attackers can cause arbitrary code to be executed on a victim's system by embedding the code in a malicious email message, news message, or web page.
Upgrade to IE 6, or apply the patch from Microsoft, available at:
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Lotus Software | Affected | 30 Mar 2001 | 05 Apr 2001 |
| Microsoft Corporation | Affected | - | 17 Jul 2002 |
| Cyrusoft | Not Affected | 30 Mar 2001 | 30 Mar 2001 |
| Netscape Communications Corporation | Not Affected | 30 Mar 2001 | 12 Apr 2001 |
| Opera Software | Not Affected | 30 Mar 2001 | 02 Apr 2001 |
| QUALCOMM | Unknown | 30 Mar 2001 | 30 Mar 2001 |
Microsoft has acknowledged Juan Carlos Cuartango as bringing this issue to their attention.
This document was written by Jeffrey S. Havrilla and Shawn V. Hernan.
- CVE IDs: CVE-2001-0154
- CERT Advisory: CA-2001-06
- Date Public: 29 Mar 2001
- Date First Published: 30 Mar 2001
- Date Last Updated: 05 Mar 2004
- Severity Metric: 60.75
- Document Revision: 40