PROBLEM: Vulnerability in Microsoft Internet Explorer could allow an attacker to execute arbitrary code on the user's system.
PLATFORM: Internet Explorer 5.01 and IE 6
DAMAGE: A remote attacker could execute arbitrary code.
SOLUTION: Apply current patches.
VULNERABILITY ASSESSMENT: The risk is HIGH. A remote attacker could execute arbitrary code.
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/q-154.shtml
ORIGINAL BULLETIN: http://www.microsoft.com/technet/security/advisory/917077.mspx
ADDITIONAL LINKS:
US-CERT Vulnerability Note VU#876678: http://www.kb.cert.org/vuls/id/876678
Secunia Advisory SA18680: http://secunia.com/advisories/18680
CVE: CVE-2006-1359
[***** Start Microsoft Security Advisory (917077) *****]
Microsoft has confirmed new public reports of a vulnerability in Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. We have seen examples of proof of concept code but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.
Microsoft has determined that an attacker who exploits this vulnerability would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems. In an e-mail based attack, customers would have to click a link to the malicious Web site or open an attachment that exploits the vulnerability. In both Web-based and e-mail based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs.
Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This will either take the form of a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.
We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.
Note: Customers who use the Microsoft Internet Explorer 7 Beta 2 Preview that was released on March 20, 2006 are not affected by the publicly reported vulnerability.
Mitigating Factors:
• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
• This vulnerability could not be exploited automatically through e-mail or while viewing e-mail in the preview pane while using Outlook or Outlook Express. Customers would have to click on a link that would take them to a malicious Web site, or open an attachment that could exploit the vulnerability.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Overview
Purpose of Advisory: To provide customers with notification of the publicly disclosed vulnerability and provide additional guidance to our customers.
Advisory Status: Vulnerability confirmed, security update planned.
Recommendation: Review the suggested actions and configure as appropriate.
References / Identification:
CVE Reference: CVE-2006-1359
Microsoft Knowledge Base Article:
This advisory discusses the following software:
Related Software:
• Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
• Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
• Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
• Internet Explorer 6 for Microsoft Windows XP Service Pack 2
• Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
• Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
• Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition, and Microsoft Windows XP Professional x64 Edition
• Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition
Frequently Asked Questions
What is the scope of the advisory?
Microsoft has confirmed new public reports of a vulnerability that affects Internet Explorer, which is a component of Microsoft Windows. The vulnerability affects the software that is listed in the “Overview” section.
Is this a security vulnerability that requires Microsoft to issue a security update?
Yes. Microsoft will release an update for this issue in an upcoming security update release.
What causes this threat?
When Internet Explorer displays a Web page that contains certain unexpected method calls to HTML objects, system memory may be corrupted in such a way that an attacker could execute arbitrary code.
Specifically, the public postings discuss a potential behavior in Internet Explorer in the way that HTML objects may handle an unexpected createTextRange() method call to an HTML object. A Web page that is specially crafted to exploit this vulnerability will cause Internet Explorer to fail. As a result of this, system memory may be corrupted in such a way that an attacker could execute arbitrary code.
What is the createTextRange() method?
The createTextRange() method is a dynamic HTML (DHTML) method that is exposed by the DHTML Object Model.
For more information about DHTML methods, visit the MSDN Library Web site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
How could an attacker exploit the vulnerability?
An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site. This can also include Web sites that accept user-provided content or advertisements, Web sites that host user-provided content or advertisements, and compromised Web sites. These Web sites could contain malicious content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
Could this vulnerability be exploited through e-mail?
This vulnerability could not be exploited automatically through e-mail or while viewing e-mail in the preview pane while using Outlook or Outlook Express. Customers would have to click on a link that would take them to a malicious Web site, or open an attachment that could exploit the vulnerability.
Suggested Actions
Workarounds
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone
You can help protect against this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:
1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
Note: Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.
Impact of Workaround: There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the "Restrict Web sites to only your trusted Web sites" workaround.
Set Internet and Local intranet security zone settings to "High" to prompt before Active Scripting in these zones
You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running Active Scripting. You can do this by setting your browser security to High.
To raise the browsing security level in Microsoft Internet Explorer, follow these steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.
Note: If no slider is visible, click Default Level, and then move the slider to High.
Note: Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.
Impact of Workaround: There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the "Restrict Web sites to only your trusted Web sites" workaround.
Restrict Web sites to only your trusted Web sites.
After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.
To do this, follow these steps:
1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.
Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). These are the sites that will host the update, and it requires an ActiveX Control to install the update.
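All three workarounds above are applied by hand through the Internet Options dialog, which is awkward to verify across many machines. The PowerShell script below is an added example and is not part of the CIAC bulletin or of Microsoft's advisory: it reads the same settings back from the current user's registry to report whether Active Scripting is set to Prompt or Disable in the Internet and Local intranet zones, what security level each zone is at, and which sites have been placed in the Trusted sites zone, and with -Apply it sets Active Scripting to Prompt in both zones (steps 4 and 6 of the first workaround). The key paths, value names and numeric meanings (zone 1 = Local intranet, zone 3 = Internet, value 1400 = Active scripting, 1200 = ActiveX, 0/1/3 = Enable/Prompt/Disable, CurrentLevel 0x12000 = High) are taken from Microsoft's documented zone registry layout in KB 182569, not from this advisory, and are assumptions here; the Security_HKLM_only check is likewise an assumption from that documentation.

```powershell
# Added example for the workarounds in Microsoft Security Advisory 917077.
# Not part of the CIAC bulletin or of Microsoft's advisory.
# Assumed (from Microsoft's documented zone registry layout, KB 182569, not from the advisory):
#   Zones\1 = Local intranet, Zones\3 = Internet
#   DWORD 1400 = Active scripting, DWORD 1200 = Run ActiveX controls and plug-ins
#     (0 = Enable, 1 = Prompt, 3 = Disable)
#   CurrentLevel 0x12000 = High, 0x11000 = Medium, 0x10500 = Medium-low, 0x10000 = Low
#   ZoneMap\Domains\<domain>[\<host>] holds scheme-named DWORDs whose data 2 = Trusted sites zone
[CmdletBinding()]
param(
    # Set Active Scripting to Prompt in both zones (steps 4 and 6 of the first workaround).
    [switch]$Apply
)

$inetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zonesRoot    = "HKCU:\$inetSettings\Zones"
$zoneMapRoot  = "HKCU:\$inetSettings\ZoneMap\Domains"
$zoneNames    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actionNames  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$levelNames   = @{ 0x12000 = 'High'; 0x11000 = 'Medium'; 0x10500 = 'Medium-low'; 0x10000 = 'Low' }

function Get-ZoneValue {
    # Returns the named DWORD from a zone key, or $null when it is not set.
    param([int]$Zone, [string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $zonesRoot $Zone) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Decode {
    # Maps a raw DWORD to its documented meaning, or shows the hex value if unknown.
    param($Table, $Value)
    if ($null -eq $Value) { return '(not set)' }
    if ($Table.ContainsKey([int]$Value)) { return $Table[[int]$Value] }
    return ('0x{0:X}' -f [int]$Value)
}

function Test-ZoneWorkaround {
    # Reports whether Active Scripting is Prompt or Disable in the given zone,
    # which is what the first workaround in the advisory achieves.
    param([int]$Zone)
    $scripting = Get-ZoneValue -Zone $Zone -Name '1400'
    [pscustomobject]@{
        Zone              = $zoneNames[$Zone]
        SecurityLevel     = Decode $levelNames (Get-ZoneValue -Zone $Zone -Name 'CurrentLevel')
        ActiveScripting   = Decode $actionNames $scripting
        ActiveX           = Decode $actionNames (Get-ZoneValue -Zone $Zone -Name '1200')
        WorkaroundApplied = ($scripting -eq 1 -or $scripting -eq 3)
    }
}

function Get-TrustedSites {
    # Lists the entries the "Restrict Web sites to only your trusted Web sites"
    # workaround creates. A <host> sub-key under <domain> matches that host and
    # its subdomains, which is how IE stores a "*.host.domain" entry.
    if (-not (Test-Path $zoneMapRoot)) { return @() }
    foreach ($domainKey in Get-ChildItem -Path $zoneMapRoot) {
        $domain = $domainKey.PSChildName
        $keys = @($domainKey) + @(Get-ChildItem -Path $domainKey.PSPath)
        foreach ($key in $keys) {
            $hostName = if ($key.PSPath -eq $domainKey.PSPath) { $domain } else { "$($key.PSChildName).$domain" }
            foreach ($prop in (Get-ItemProperty -Path $key.PSPath).PSObject.Properties) {
                if (($prop.Name -in @('http', 'https', '*')) -and ($prop.Value -eq 2)) {
                    [pscustomobject]@{ Scheme = $prop.Name; Site = $hostName; Zone = 'Trusted sites' }
                }
            }
        }
    }
}

# Group Policy can redirect zone settings to HKLM; this script audits HKCU only.
$hklmOnly = (Get-ItemProperty -Path "HKLM:\$inetSettings" -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) {
    Write-Warning 'Security_HKLM_only is set: zone settings come from HKLM, so audit that hive instead.'
}

if ($Apply) {
    foreach ($zone in $zoneNames.Keys) {
        # 1 = Prompt; use 3 to disable Active Scripting outright instead.
        Set-ItemProperty -Path (Join-Path $zonesRoot $zone) -Name '1400' -Value 1 -Type DWord
    }
}

$zoneNames.Keys | Sort-Object | ForEach-Object { Test-ZoneWorkaround -Zone $_ } | Format-Table -AutoSize
Get-TrustedSites | Format-Table -AutoSize
```

Run it as the user whose browser profile is being checked; the report shows both zones with WorkaroundApplied set to True once Active Scripting is at Prompt or Disable, and the Trusted sites listing shows whether the update hosts named above have been added. Because the advisory's second workaround (security level High) also turns on prompting, SecurityLevel is reported alongside so either route to the mitigation is visible.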
Additional Suggested Actions
• Microsoft encourages users to exercise caution when they open e-mail messages and links in e-mail messages that come from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.
• Customers in the U.S. and Canada who believe they may have been affected by this vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses. International customers can receive support by using any of the methods that are listed at the Security Help and Support for Home Users Web site.
• All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.
• Customers are encouraged to keep their antivirus software up to date. Windows Defender (Beta 2) can also help protect your system from spyware and other potentially unwanted software. Customers can also visit the Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that might take advantage of this vulnerability.
• Protect Your PC: We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.
• For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.
• Keep Windows Updated: All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Resources:
• You can provide feedback by completing the form by visiting the following Web site.
• Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
• International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
• The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
• March 23, 2006: Advisory published
[***** End Microsoft Security Advisory (917077) *****]
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org