Vulnerability Note VU#980499

Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML

Original Release date: 30 Mar 2001 | Last revised: 05 Mar 2004

Overview

A vulnerability exists in Microsoft Internet Explorer that allows an attacker to execute arbitrary code when the browser parses MIME parts in a document. Any user or program that uses vulnerable versions of Internet Explorer to render HTML in a document (for example, when browsing a filesystem, reading email or news messages, or visiting a web page) should immediately upgrade to a non-vulnerable version of Internet Explorer.

Description

Internet Explorer contains a table that determines how it handles MIME types encountered in any HTML document (email messages, newsgroup postings, web pages, or local files). This table contains a set of entries that cause Internet Explorer to handle certain MIME parts incorrectly, introducing a security vulnerability. Specifically, these incorrect entries lead IE to open specific MIME parts without giving the end user the opportunity to decide whether they should be opened. This vulnerability allows an intruder to construct malicious content that, when viewed in Internet Explorer (or any program that uses the IE HTML rendering engine), can execute arbitrary code. It is not necessary to run an attachment; simply viewing the document in a vulnerable program is sufficient.

The systems affected by this vulnerability include:

  • All Windows versions of Microsoft Internet Explorer 5.5 SP1 or earlier, except IE 5.01 SP2, running on x86 platforms
  • Any software which utilizes vulnerable versions of Internet Explorer to render HTML

IE 6 is not affected by this issue.

For more details, see Microsoft Security Bulletin MS01-020 (or Microsoft Knowledgebase article Q290108) on this topic at:
Note: The above patch has been superseded by the IE 5.5 patches discussed in MS01-027. On May 15, 2002, Microsoft released a cumulative set of patches for Internet Explorer as discussed in MS02-023.

There have been reports that simply previewing HTML content (as in a mail client or filesystem browser) is sufficient to trigger the vulnerability.
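Because viewing or previewing alone is enough, screening has to happen before a message reaches a vulnerable client. The following is an added example, not code from this note or from Microsoft: it flags MIME parts whose filename has an executable extension while the declared Content-Type is not application/*. The mismatch rule, the extension list, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from os.path import splitext

# Assumed list of extensions that a Windows client would execute when opened.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}

def suspicious_parts(raw_message):
    """Return (filename, declared_type) for each leaf part that names an
    executable file but declares a non-application Content-Type."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        # get_filename() reads the Content-Disposition filename= parameter and
        # falls back to the name= parameter of Content-Type.
        filename = part.get_filename()
        if not filename:
            continue
        ext = splitext(filename)[1].lower()
        # Assumed screening rule: executable name, non-application declared type.
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() != "application":
            findings.append((filename, part.get_content_type()))
    return findings

# Constructed sample message; the bodies are harmless placeholder text.
SAMPLE = """\
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>hello</body></html>
--b1
Content-Type: image/gif; name="report.exe"

placeholder
--b1
Content-Type: application/octet-stream; name="setup.exe"

placeholder
--b1--
"""

if __name__ == "__main__":
    for name, ctype in suspicious_parts(SAMPLE):
        print(f"flag: {name!r} declared as {ctype}")
```

Only the mismatched part is flagged; the part honestly declared as application/octet-stream is left to the client's normal attachment prompt.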

This vulnerability is now being actively exploited. More information about the activity and remediation can be found in CERT Advisory CA-2001-26: Nimda Worm. This vulnerability has been exploited further, as discussed in CERT Incident Note IN-2002-05.

Impact

Attackers can cause arbitrary code to be executed on a victim's system by embedding the code in a malicious email, news message, or web page.

Solution

Upgrade to IE 6, or apply the patch from Microsoft, available at:

Note: The above patch has been superseded by the IE 5.5 patches discussed in MS01-027. A cumulative patch for this and other vulnerabilities is discussed in MS02-023.


It has been reported that upgrading to the latest version of Windows Media Player is an additional means of protection against this problem. Although this appears to protect against one specific way of exploiting this vulnerability, we do not believe it is a general-purpose fix. Disabling File Downloading in all of your Security Zones will also mitigate the risks posed by the vulnerability.

Systems Affected

Vendor                               Status        Date Notified  Date Updated
Lotus Software                       Affected      30 Mar 2001    05 Apr 2001
Microsoft Corporation                Affected      -              17 Jul 2002
Cyrusoft                             Not Affected  30 Mar 2001    30 Mar 2001
Netscape Communications Corporation  Not Affected  30 Mar 2001    12 Apr 2001
Opera Software                       Not Affected  30 Mar 2001    02 Apr 2001
QUALCOMM                             Unknown       30 Mar 2001    30 Mar 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

Microsoft has acknowledged Juan Carlos Cuartango as bringing this issue to their attention.

This document was written by Jeffrey S. Havrilla and Shawn V. Hernan.

Other Information

  • CVE IDs: CVE-2001-0154
  • CERT Advisory: CA-2001-06
  • Date Public: 29 Mar 2001
  • Date First Published: 30 Mar 2001
  • Date Last Updated: 05 Mar 2004
  • Severity Metric: 60.75
  • Document Revision: 40

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.