search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Internet Explorer fails to properly handle CLSID extensions

Vulnerability Note VU#655100

Original Release Date: 2006-06-29 | Last Revised: 2006-08-08

Overview

Microsoft Internet Explorer fails to properly handle directories with CLSID extensions. This may allow an attacker to bypass the warning dialog that Internet Explorer should display before executing downloaded code.

Description

CLSID

According to Microsoft MSDN, A CLSID is a "globally unique identifier (GUID) associated with an OLE class object."

CLSID extensions

Prior to the update in Microsoft Security Bulletin MS04-024, a file could use a CLSID as a file extension and Windows Explorer would obey the CLSID when determining how to open the file. This can mislead the user into opening a dangerous file. After installing the update for MS04-024, Windows Explorer no longer obeys a CLSID as a file extension.

The problem

The MS04-024 update does not completely address the vulnerability. Directories can have a CLSID extension. Even with the MS04-024 update installed, Windows Explorer will treat a directory with a CLSID extension as a file of the type specified by the CLSID. Within the context of Windows Explorer, this can mislead the user with respect to what is on the local filesystem. However, within the context of Internet Explorer, this technique can be used to bypass the warning dialog that Internet Explorer should display before executing downloaded code. Publicly available proof-of-concept code uses an SMB share and requires the user to double-click within the browser window.

Impact

By convincing a user to access a specially crafted web page with Internet Explorer, an attacker may be able to execute arbitrary code with the privileges of the user.

Solution

Apply an update
This vulnerability is addressed in Microsoft Security Bulletin MS06-045. With this update, Windows Explorer (and in turn, Internet Explorer) will prompt before executing code specified by a directory with a CLSID extension.

Do not follow unsolicited links


In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Block or restrict access

Block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block a commonly known attack vector.

Vendor Information

655100
 

Microsoft Corporation Affected

Notified:  June 29, 2006 Updated: August 08, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS06-045.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was publicly disclosed by Plebo Aesdi Nael.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2006-3281
Severity Metric: 10.80
Date Public: 2006-06-27
Date First Published: 2006-06-29
Date Last Updated: 2006-08-08 19:07 UTC
Document Revision: 12

Sponsored by CISA.