Vulnerability Note VU#713878

Microsoft Internet Explorer does not properly validate source of redirected frame

IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Local Machine Zone is "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust." The determination of what zone and/or domain a URL exists in and what actions can be performed in that zone is made by the Internet Security Manager Object.

HTTP Redirection

A web server can respond to an HTTP request with a 300-series status code indicating that a requested resource exists under a different URL. In the 300 response, the server indicates the different URL in the Location field of the HTTP headers. An attacker can configure a web server to send a delayed 300 response specifying a URL that points to a resource on the client's system, in the Local Machine Zone. Such a response might include the following lines:

HTTP/1.1 302 Object moved
Location: URL_:ms-its_:C:\\Windows\Help\ieshared.chm::/webzine.htm

(Modified to avoid anti-virus detection.)

Note that this vulnerability does not rely on the use of ITS protocol handlers or CHM files. The Location field can be set to any local HTML resource.

Modal Dialogs

The showModalDialog method creates "...a modal dialog box that displays the specified HTML document." It is important to note that a modal dialog box "...retains the input focus while open" and that "The user cannot switch windows until the dialog box is closed." A modal dialog box can be closed programmatically by script running in the HTML document that provides the content for the dialog box.

The Problem

IE is vulnerable to a cross-domain violation that seems to involve a race condition, frames, and possibly the execScript method. When the location of the content of a frame is changed with an HTTP redirect response, a modal dialog box that was called from the frame before the redirect will return a cached reference to the frame's original domain. IE then incorrectly considers the cached domain instead of the redirected domain when determining the security domain of the modal dialog box. Also, since the contents of the frame have been changed by the redirect, it is possible to set the location object of the frame. By redirecting to a local resource, controlling the timing of the redirect, and setting the frame's location to a javascript: protocol URL, an attacker can execute script in the security context of the Local Machine Zone.

Functional exploit code is publicly available, and there are reports of incidents involving this vulnerability (Scob, Download.Ject, Toofeer, Berbew).

Any program that hosts the WebBrowser ActiveX control or used the IE HTML rendering engine (MSHTML) may be affected by this vulnerability.

II. Impact

Apply the patch (867801) referenced in Microsoft Security Bulletin MS04-025. This patch is also included in the update rollup described in Microsoft Knowledge Base Article 871260.

Disable Active scripting and ActiveX

Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning. Instructions for disabling Active scripting in the Internet Zone can be found in Securing Your Web Browser and the Malicious Web Scripts FAQ. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone, and 315933 for information about displaying the Local Machine Zone (My Computer security zone) on the Security tab in the Internet Options dialog box.

Service Pack 2 for Windows XP disables Active scripting and ActiveX controls for IE and several other programs using Local Machine Zone Lockdown.

Note that disabling Active scripting and ActiveX controls in the Internet Zone will reduce the functionality of some web sites. Disabling these features in the Local Machine Zone will reduce the functionality of some programs, including the Help and Support Center in Windows XP.

Apply the Outlook Email Security Update

Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6. Outlook 2003 includes these and other security enhancements.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. US-CERT maintains a partial list of anti-virus vendors.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Use a different web browser

There are a number of significant vulnerabilities in technologies related to the IE domain/zone security model, trust in and access to the local file system (Local Machine Zone), the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented as operating system components that are used by IE and many other programs to provide web browser functionality. These components are integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

Systems Affected

http://www.us-cert.gov/cas/techalerts/TA04-163A.html
http://www.us-cert.gov/cas/techalerts/TA04-184A.html
http://www.us-cert.gov/cas/techalerts/TA04-212A.html
http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer
http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56
http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx
http://62.131.86.111/analysis.htm
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0104.html
http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0031.html
http://secunia.com/advisories/11793/
http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/execscript.asp
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/showmodaldialog.asp
http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx
http://www.microsoft.com/security/incident/settings.mspx
http://support.microsoft.com/?scid=833633
http://support.microsoft.com/?kbid=182569
http://support.microsoft.com/?kbid=871260
http://support.microsoft.com/?kbid=315933
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx#EHAA
http://www.microsoft.com/security/incident/download_ject.mspx
http://isc.sans.org/diary.php?date=2004-06-25
http://www.securityfocus.com/bid/10473
http://xforce.iss.net/xforce/xfdb/16361

Credit

Public incidents related to this vulnerability were reported by Rafel Ivgi. Thanks to Jelmer for further research and analysis.

This document was written by Art Manion.

Other Information

If you have feedback, comments, or additional information about this vulnerability, please send us email.