search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Internet Explorer does not adequately validate references to cached objects and methods

Vulnerability Note VU#162097

Original Release Date: 2002-12-12 | Last Revised: 2004-05-26

Overview

Microsoft Internet Explorer does not adequately validate references to cached objects and methods across domains and security zones. The impact is similar to that of a cross-site scripting vulnerability, allowing an attacker to access data in other sites, including the Local Computer zone.

Description

Microsoft Internet Explorer features the ability to process scripts contained in HTML documents. This feature is known as Active scripting, and Internet Explorer supports several scripting languages, including VBScript and JScript. JScript is similar to Netscape's JavaScript and both languages played some part in the development of ECMAScript (ECMA-262). For security reasons, a script loaded from one site should not be able to access resources on another site, including the local client. In JavaScript, the Same Origin Policy protects clients by ensuring that "when loading a document from one origin, a script loaded from a different origin cannot get or set specific properties of specific browser and HTML objects in a window or frame." Internet Explorer implements a similar policy, adding the restriction that scripts are not allowed to access properties or objects across security zones.

As reported by GreyMagic Software and Liu Die Yu, Internet Explorer does not adequately validate references to certain cached objects and methods across different domains and security zones. A script from a potentially malicious site executing in one domain and security zone is able to access resources in another domain and zone, including the Local Computer zone, via the DHTML Document Object Model interface.

Outlook, Outlook Express, AOL, MSN, Eudora, Lotus Notes, and any other software that uses the WebBrowser ActiveX control could be affected by this vulnerability.

Note that in order for this vulnerability to be exploited, Active scripting must be enabled in the security zone in which the HTML document is rendered.

More information is available in Microsoft Security Bulletin MS02-068.

Impact

By convincing a user to follow a URL or read an HTML email message containing malicious script, and attacker could take any action with the privileges of the user executing the script. This could include opening new browser windows to different sites in different security zones, reading or modifying information in open browser windows, reading files on the local file system, and executing commands that are in a location known to the attacker. An attacker who is able to obtain cookies used for authentication may be able to impersonate a legitimate user and obtain sensitive data such as passwords or credit card information. By leveraging features of the Microsoft HTML Help system (VU#25249), an attacker could execute commands with parameters or cause arbitrary files to be downloaded to a known location on the local system, subject to the user's privileges.

Solution


Apply Patch

Apply the patch referenced in Microsoft Security Bulletin MS03-015.

A number of object and method caching vulnerabilities were addressed by MS02-066. The external method caching vulnerability was addressed by MS02-068, which supersedes MS02-066. As of May 2003, the clipboardData method caching vulnerability has not been addressed. Both the external and clipboardData vulnerabilities affect Internet Explorer version 6.0 SP1.


Disable Active scripting

At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, and any other software that uses Internet Explorer to render HTML. Instructions for disabling Active scripting can be found in the CERT/CC Malicious Web Scripts FAQ.

Apply Outlook Email Security Update

The Outlook Email Security Update configures Outlook 2000 and Outlook 98 to use the Restricted sites zone to open email. By default, Active scripting is disabled in the Restricted sites zone. Outlook Express 6.0 and Outlook 2002 include the functionality provided by the Outlook Security Update.
Outlook 2000:
http://office.microsoft.com/downloads/2000/Out2ksec.aspx

Outlook 98:
http://office.microsoft.com/downloads/9798/Out98sec.aspx
Restrict HTML Help commands

Restrict the execution of the Shortcut and WinHelp HTML Help commands to specified folders, or disable the commands entirely. This will prevent malicious scripts from downloading arbitrary files and executing arbitrary commands with parameters via HTML Help. It will also limit the ability of HTML Help to open URLs and execute commands.

http://support.microsoft.com/?kbid=810687
Microsoft has also released an updated version of HTML Help (811630) that is available via Windows Update:

http://support.microsoft.com/default.aspx?scid=KB;en-us;q811630
Filter Script Code

It may be possible to use an application layer filter to detect and block or disable script code within HTML data.

Vendor Information

162097
 
Affected   Unknown   Unaffected

Microsoft Corporation

Notified:  December 12, 2002 Updated:  June 18, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please reference Microsoft Security Bulletin MS02-068. As of May 2003, the clipboardData method caching vulnerability has not been addressed.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

GreyMagic Software and Liu Die Yu publicly reported multiple instances of this vulnerability.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2002-1262
Severity Metric: 34.78
Date Public: 2002-10-22
Date First Published: 2002-12-12
Date Last Updated: 2004-05-26 06:25 UTC
Document Revision: 62

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.