Vulnerability Note VU#323070
Outlook Express MHTML protocol handler does not properly validate source of alternate content
The Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler does not adequately validate the source of alternate content. An attacker could exploit this vulnerability to access data and execute script in different security domains. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running the program that invoked the handler, typically Internet Explorer (IE).
The Cross Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Local Machine Zone is "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust." The determination of what zone and/or domain a URL exists in and what actions can be performed in that zone is made by the Internet Security Manager Object.
This URL references a local CHM file:
MIME Encapsulation of Aggregate HTML Documents (MHTML)
The ITS protocol handlers can specify an alternate location for MHTML content (URL is wrapped):
By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. The attacker could also read or modify data in other web sites and in the Local Machine Zone (read cookies/content, modify/create content, etc.).
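The note's attack path starts with untrusted HTML (a web page or HTML e-mail) that routes content through the MHTML or ITS handlers. The following is an added example, not part of the CERT note: a small content filter a mail gateway or proxy could run to flag such references before they reach a client. The scheme names in `HANDLER_SCHEMES` (`mhtml`, `ms-its`, `ms-itss`, `its`, `mk`) are assumed to be the URL schemes these handlers register; the note names the handlers but not their schemes. The sample bodies are constructed for the example.

```python
"""Content filter that flags references to the MHTML and ITS protocol handlers.

Added example, not part of the CERT note. Untrusted HTML has no legitimate
reason to route content through these handlers, so every occurrence is
reported for review, and references that resolve to local drive paths or
.chm files are rated high risk. SAMPLE_BODIES is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed URL schemes of the handlers the note discusses: MHTML and the
# InfoTech Storage (ITS) family. Longer names come first so "ms-itss" is
# not cut short at "ms-its".
HANDLER_SCHEMES = ("mhtml", "ms-itss", "ms-its", "its", "mk")

# Scheme name, a colon, then the rest of the URL up to whitespace or a
# delimiter. The lookbehind stops matches inside ordinary words ("credits:").
_SCHEME_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, HANDLER_SCHEMES)) + r"):([^\s'\"<>)]*)",
    re.IGNORECASE,
)

# Indicators that the target lives on the local machine: a drive letter at a
# path boundary or a .chm (compiled help) file, which the note singles out
# as Local Machine Zone content.
_LOCAL_RE = re.compile(r"(?:^|[/\\:!])(?:[a-z]:[\\/]|[^\s]*\.chm\b)", re.IGNORECASE)


@dataclass
class Finding:
    scheme: str
    url: str
    local_target: bool


def scan_html(body: str) -> list[Finding]:
    """Return one Finding per handler-scheme URL found in the body."""
    findings = []
    for match in _SCHEME_RE.finditer(body):
        scheme = match.group(1).lower()
        rest = match.group(2)
        findings.append(Finding(scheme, match.group(0), bool(_LOCAL_RE.search(rest))))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Collapse findings into a verdict a gateway can act on."""
    if not findings:
        return "clean"
    if any(f.local_target for f in findings):
        return "high"
    return "review"


# Constructed sample bodies (not taken from any real message).
SAMPLE_BODIES = {
    "benign": '<p>Visit <a href="https://example.test/credits.html">credits: staff</a></p>',
    "remote_mhtml": '<a href="mhtml:http://example.test/archive.mht">Archived page</a>',
    "local_chm": '<object data="ms-its:C:\\example\\sample.chm::/page.htm"></object>',
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        found = scan_html(body)
        print(f"{name}: {risk_level(found)}")
        for f in found:
            print(f"  {f.scheme}: {f.url} (local_target={f.local_target})")
```

The filter is deliberately coarse: it does not try to decide whether a given reference would cross a zone boundary, only whether untrusted content invokes handlers it should never need, which is the property a gateway can enforce without knowing the client's patch level.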
Install a patch
Disabling the ITS and MHTML protocol handlers may prevent exploitation of this vulnerability. Delete or rename the following registry keys:
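The workaround above renames or deletes the handlers' registration keys. The script below is an added example, not part of the CERT note, that audits those registrations and renames them reversibly. It assumes the handlers are registered as subkeys of `HKCR\PROTOCOLS\Handler`, the standard location for pluggable protocol handlers; the values in `$HandlerNames` are placeholders to be replaced with the key names from the note's workaround, which this copy of the page does not carry.

```powershell
<#
Added example, not from the CERT note. Audits and (optionally) disables
pluggable protocol handlers by renaming their registration keys, keeping
the original name in the backup so the change can be reversed.

Assumptions not stated on this page:
  - handlers are registered as subkeys of HKCR\PROTOCOLS\Handler;
  - $HandlerNames holds placeholders; substitute the keys the note lists.
Run from an elevated PowerShell session; use -WhatIf to preview.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$HandlerNames = @('PLACEHOLDER-HANDLER-1', 'PLACEHOLDER-HANDLER-2'),
    [string]$BackupSuffix = '.disabled-VU323070'
)

$base = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler'

foreach ($name in $HandlerNames) {
    $key = "$base\$name"
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output "$name : not registered (already removed or renamed)"
        continue
    }

    # Record which COM server the handler resolves to before touching it.
    $clsid = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).CLSID
    Write-Output "$name : registered, CLSID=$clsid"

    if ($PSCmdlet.ShouldProcess($key, "Rename to $name$BackupSuffix")) {
        Rename-Item -LiteralPath $key -NewName "$name$BackupSuffix"
        Write-Output "$name : renamed; restore with: Rename-Item -LiteralPath '$key$BackupSuffix' -NewName '$name'"
    }
}
```

Renaming rather than deleting keeps the CLSID binding on disk, so the handler can be re-enabled once the vendor patch is installed, and the recorded CLSID gives a second check that the key being renamed is the handler you expect.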
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | 02 Apr 2004 | 13 Apr 2004 |

CVSS Metrics
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp
This vulnerability was reported by Liu Die Yu. Thanks to http-equiv for additional research and collaboration.
This document was written by Art Manion.
- CVE IDs: CAN-2004-0380
- Date Public: 25 Nov 2003
- Date First Published: 05 Apr 2004
- Date Last Updated: 17 Jun 2005
- Severity Metric: 76.50
- Document Revision: 84