Vulnerability Note VU#711843
Microsoft Internet Explorer contains cross-site scripting vulnerabilities in local HTML resources
Microsoft Internet Explorer (IE) includes several local HTML resources that contain cross-site scripting vulnerabilities. These resources use the dialogArguments property of dialog frames insecurely, allowing an attacker to execute arbitrary script in the Local Machine Zone.
Microsoft Internet Explorer (IE) includes local HTML code that is used by the browser. These code resources can be accessed from IE using the "res://" protocol. A number of these resources use the dialogArguments property of modal dialog frames insecurely, accepting script from untrusted HTML documents such as Internet web pages and email messages. Due to a separate vulnerability in the way dialog methods validate the source of dialog frames (VU#728563), script injected into these local resources via dialogArguments is executed in the Local Machine Zone.
In VU#728563, IE fails to correctly identify the source of modal dialog frames opened with the Redirect method or IFRAME elements. In VU#711843, local HTML resources accept script from modal dialog frames via the dialogArguments property. As a result, script from an attacker's web page can be injected into local HTML resources and the script will execute in the Local Machine Zone.
This local HTML resource in IE 5.01, 5.5, and 6.0 is vulnerable:
MS03-004 (Q810847) includes the functionality of the MS02-023 and MS02-047 patches and prevents attacks that use IFRAME elements against all of the local HTML resources listed above. IE 5.01 is not vulnerable.
Internet Explorer, Outlook, Outlook Express, Eudora, Lotus Notes, AOL, and any other applications that host the WebBrowser control are affected.
Further information is available in advisories by Thor Larholm (TL#002), GreyMagic Software (GM#001-AX), and Liu Die Yu (BadParent).
An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could execute arbitrary script with privileges of the user in the security context of the Local Machine Zone. This technique could be used to read certain types of files in known locations on the user's system. In conjunction with other vulnerabilities (VU#626395, VU#25249), the attacker could execute arbitrary commands on the user's system.
Restrict HTML Help commands
Restrict the execution of the Shortcut and WinHelp HTML Help commands to specified folders, or disable the commands entirely. As in the previous recommendation, this technique will protect against arbitrary command execution via HTML Help. Details are available in Microsoft Knowledge Base Article 810687.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||03 Jun 2002||14 Mar 2003|
CVSS Metrics (Learn More)
This vulnerability was publicly reported by Thor Larholm.
This document was written by Art Manion and Shawn Van Ittersum.
- CVE IDs: CVE-2002-0189
- Date Public: 17 Apr 2002
- Date First Published: 16 Sep 2002
- Date Last Updated: 05 Jun 2007
- Severity Metric: 17.40
- Document Revision: 47
If you have feedback, comments, or additional information about this vulnerability, please send us email.