-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Alert
February 25, 2002

Buffer Overflow in Microsoft Internet Explorer

Synopsis:

ISS X-Force has learned of a buffer overflow vulnerability in Microsoft Internet Explorer versions 5.5 and 6.0. This vulnerability may be exploited by delivering specially-crafted HTML code to Internet Explorer or email clients that use Internet Explorer to render HTML email. Successful exploitation of this vulnerability could allow attackers to run commands on the computers that access malicious Web sites. This vulnerability may also be an effective method of spreading malicious content if integrated into a mass-emailing Internet worm.

Affected Versions:

Microsoft Internet Explorer versions 5.5 and 6.0

Due to the surge in popularity of HTML formatted email, many applications may use Internet Explorer to render these documents. Any email client that uses Internet Explorer for this feature may be vulnerable as well.

Description:

A vulnerability exists in the Microsoft plug-in handling implementation of the <EMBED> HTML tag. This tag allows Web pages to include content that is either displayed or executed in real-time. This type of functionality is used for various functions, such as playing audio files, running ActiveX controls, or displaying video clips. The <EMBED> tag is read by the Web browser to determine what type of content is provided (through the use of MIME types) and where the content is located. The Microsoft implementation of <EMBED> was extended to provide more granular control of the properties of the content.

When Internet Explorer parses an <EMBED> tag, it will check the MIME type to determine if Internet Explorer can operate on the content or if it needs to spawn an external plug-in. Internet Explorer or the plug-in will parse the "SRC" portion of the <EMBED> tag for the location of the special content. The vulnerability exists in the parsing routines of the "SRC" portion of the <EMBED> tag.
Attackers may be able to craft a specific "SRC" string to trigger a buffer overflow that may lead to the compromise of the vulnerable client.

This type of vulnerability is commonly referred to as a "client-side" vulnerability. The exploit is only executed when a user visits an infected Web site or receives and opens an infected email. As with other dangerous client-side vulnerabilities, this code can be used to create mass-emailing Internet worms that infect machines when users open malicious email messages.

Recommendations:

X-Force recommends that all Internet Explorer, Outlook, and Outlook Express users apply the latest cumulative patch for Internet Explorer. This patch contains a fix for the vulnerability documented in this advisory. Anyone using an email client that can read HTML formatted email may also be vulnerable, and these users should also install the latest patches from their vendor.

To access the latest Microsoft Internet Explorer patch, refer to Microsoft Security Bulletin MS02-005 at:
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp

A check for this vulnerability will be included in Internet Scanner XPU 6.6, which will be available soon from the ISS Download Center at:
http://www.iss.net/download

X-Force recommends that all Windows users visit the Microsoft Windows Update Web site on a regular basis. It is designed to help end users and administrators manage update deployment. X-Force recommends that Microsoft Windows XP users turn on "Automatic Updates". To enable Automatic Updates, go to Control Panel --> Performance and Maintenance --> System, and then click the Automatic Updates tab. X-Force recommends that users enable the second option, which will notify the user when updates are ready to download and again when the updates are ready to install. For more information, visit:
http://windowsupdate.microsoft.com

There are viable workarounds to help mitigate the risk of this vulnerability and other client-side vulnerabilities.
Users should consider enabling Security Zones within Internet Explorer, Outlook, and Outlook Express. All Microsoft Office users should also install the latest Microsoft Office Product Updates. The Microsoft Email Security Update will change default settings of how potentially malicious emails are handled within Microsoft email clients. Visit the Microsoft Office Product Update Web site for more information:
http://office.microsoft.com/productupdates/

Additional Information:

Advisory - buffer overflow in mshtml.dll,
http://www.security.nnov.ru/advisories/mshtml.asp

CERT Advisory CA-2002-04: Buffer Overflow in Microsoft Internet Explorer,
http://www.cert.org/advisories/CA-2002-04.html

CERT Vulnerability Note VU#932283,
http://www.kb.cert.org/vuls/id/932283

Microsoft Security Bulletin MS02-005,
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp

Microsoft Knowledge Base Article Q317731,
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317731

ISS X-Force Database,
http://www.iss.net/security_center/static/8116.php

ISS Download Center,
http://www.iss.net/download

______

About Internet Security Systems (ISS)

Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide.

Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force [EMAIL PROTECTED] of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBPHq+3zRfJiV99eG9AQHT+wP/ToN2RRfshALr6RAyLhEHgNI1zgxKAZpy
pgOJMOGCOGp+nwIDByIQ4f3e8fEMu9lVyR+QRgu3Mbtuptfpg1Xt5g8C4IgfVRyf
LPmKotrloreNa4SauZFaG7FDm1p97kIG8Xnda4pZa0zA0STvsDtJxtLDRtj3BCnQ
GRau1L7IKYA=
=m17W
-----END PGP SIGNATURE-----
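
Added example, not part of the signed ISS advisory and not the Internet Scanner check it mentions: the Description places the flaw in parsing of the "SRC" portion of the <EMBED> tag and names both Web pages and HTML email as delivery paths, so a mail or proxy filter can triage content by flagging <EMBED> tags with an unusually long SRC. The 256-character threshold, the function names and the sample message are assumptions made for this illustration; the advisory gives no length.

```python
import email
from email import policy
from html.parser import HTMLParser

# Assumed triage threshold: the advisory states no length, so tune this locally.
MAX_SRC_LEN = 256

class EmbedSrcAuditor(HTMLParser):
    """Records every <EMBED> tag whose SRC attribute exceeds max_len."""

    def __init__(self, max_len=MAX_SRC_LEN):
        super().__init__()
        self.max_len = max_len
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "embed":  # HTMLParser lower-cases tag and attribute names
            return
        mime = dict(attrs).get("type")
        # Check every SRC attribute: duplicates must not hide an oversized one.
        for name, value in attrs:
            if name == "src" and value and len(value) > self.max_len:
                self.findings.append(
                    {"line": self.getpos()[0], "type": mime, "src_len": len(value)})

def audit_html(html, max_len=MAX_SRC_LEN):
    """Return findings for one HTML document (attribute entities are decoded)."""
    auditor = EmbedSrcAuditor(max_len)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

def audit_message(raw, max_len=MAX_SRC_LEN):
    """Return findings for every text/html part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings += audit_html(part.get_content(), max_len)
    return findings

# Constructed sample message: one ordinary <EMBED> and one with a 1000-byte SRC.
SAMPLE_EMAIL = (
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
    b'<embed type="audio/midi" src="http://example.com/tune.mid">\r\n'
    b'<EMBED TYPE="audio/midi" SRC="' + b"A" * 1000 + b'">\r\n'
)

if __name__ == "__main__":
    for finding in audit_message(SAMPLE_EMAIL):
        print(finding)
```

A finding is a reason to quarantine or inspect the content, not proof of an exploit attempt; patching per MS02-005 remains the fix.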
