__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

      Vulnerability in the way HTML Objects Handle Unexpected Method Calls
                     [Microsoft Security Advisory (917077)]

March 24, 2006 20:00 GMT                                          Number Q-154
______________________________________________________________________________
PROBLEM:       Vulnerability in Microsoft Internet Explorer could allow an 
               attacker to execute arbitrary code on the user's system. 
PLATFORM:      Internet Explorer 5.01 and IE 6 
DAMAGE:        A remote attacker could execute arbitrary code. 
SOLUTION:      Apply current patches. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A remote attacker could execute arbitrary 
ASSESSMENT:    code. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-154.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/security/advisory/917077.mspx
 ADDITIONAL LINKS:   US-CERT Vulnerability Note VU#876678
                     http://www.kb.cert.org/vuls/id/876678
                     Secunia Advisory:SA18680
                     http://secunia.com/advisories/18680
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1359
______________________________________________________________________________
[***** Start Microsoft Security Advisory (917077) *****]

Microsoft Security Advisory (917077)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
Published: March 23, 2006

Microsoft has confirmed new public reports of a vulnerability in Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. We have seen examples of proof of concept code but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.

Microsoft has determined that an attacker who exploits this vulnerability would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems. In an e-mail based attack, customers would have to click a link to the malicious Web site or open an attachment that exploits the vulnerability. In both Web-based and e-mail based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This will either take the form of a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Note Customers who use the Microsoft Internet Explorer 7 Beta 2 Preview that was released on March 20, 2006 are not affected by the publicly reported vulnerability.

Mitigating Factors:
• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

• This vulnerability could not be exploited automatically through e-mail or while viewing e-mail in the preview pane while using Outlook or Outlook Express. Customers would have to click on a link that would take them to a malicious Web site, or open an attachment that could exploit the vulnerability.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

General Information

Overview

Purpose of Advisory: To provide customers with notification of the publicly disclosed vulnerability and provide additional guidance to our customers.

Advisory Status: Vulnerability confirmed, security update planned.

Recommendation: Review the suggested actions and configure as appropriate.
References                           Identification
CVE Reference                        CVE-2006-1359
Microsoft Knowledge Base Article     917077

This advisory discusses the following software:
Related Software

Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4

Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1

Internet Explorer 6 for Microsoft Windows XP Service Pack 2

Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition, and Microsoft Windows XP Professional x64 Edition

Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition
Suggested Actions

Workarounds

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone

You can help protect against this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.

Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

Impact of Workaround: There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the "Restrict Web sites to only your trusted Web sites" workaround.
Set Internet and Local intranet security zone settings to "High" to prompt before Active Scripting in these zones

You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running Active Scripting. You can do this by setting your browser security to High.

To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact of Workaround: There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the "Restrict Web sites to only your trusted Web sites" workaround.
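As an added audit helper that is not part of the Microsoft advisory or the CIAC bulletin, the following PowerShell script reads the per-user Internet Explorer zone settings behind the two workarounds above (the Active Scripting action and the zone security level) for the Internet and Local intranet zones, reports whether either workaround is in place, and can apply the Prompt or Disable setting where scripting is still enabled. The registry location, the zone numbers (1 = Local intranet, 3 = Internet), the action value 1400 and the High level constant 0x12000 are the standard IE locations and are assumed here rather than taken from the advisory.

```powershell
# Added audit/remediation helper; not code from the Microsoft advisory or the CIAC bulletin.
# Assumptions (standard per-user IE zone layout, not stated in the advisory):
#   zone key  HKCU\...\Internet Settings\Zones\<id>, id 1 = Local intranet, 3 = Internet
#   value 1400 (DWORD) = Active Scripting action: 0 = Enable, 1 = Prompt, 3 = Disable
#   value CurrentLevel (DWORD): 0x12000 = High
# If the Security_HKLM_only policy is in effect the HKLM hive applies instead; not handled here.
param(
    [switch]$Remediate,                 # apply the workaround where Active Scripting is enabled
    [ValidateSet('Prompt', 'Disable')]
    [string]$Mode = 'Prompt'            # which of the two advisory-recommended settings to apply
)

$ZoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Target    = @{ 'Prompt' = 1; 'Disable' = 3 }[$Mode]
$HighLevel = 0x12000

function Get-ZoneScriptingState {
    param([int]$ZoneId)
    $key   = Join-Path $ZoneRoot $ZoneId
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    # An absent 1400 value is treated as Enable (assumption: matches IE's default for the Internet zone).
    $raw   = if ($null -ne $props.'1400') { [int]$props.'1400' } else { 0 }
    $level = [int]$props.CurrentLevel
    [pscustomobject]@{
        ZoneId            = $ZoneId
        Zone              = $ZoneNames[$ZoneId]
        ActiveScripting   = if ($Actions.ContainsKey($raw)) { $Actions[$raw] } else { "Unknown($raw)" }
        SecurityLevel     = '0x{0:X}' -f $level
        # Either workaround from the advisory leaves scripting at Prompt/Disable or the zone at High.
        WorkaroundApplied = ($raw -eq 1 -or $raw -eq 3) -or ($level -eq $HighLevel)
    }
}

$report = foreach ($id in ($ZoneNames.Keys | Sort-Object)) { Get-ZoneScriptingState -ZoneId $id }
$report | Format-Table -AutoSize

if ($Remediate) {
    foreach ($zone in ($report | Where-Object { -not $_.WorkaroundApplied })) {
        $key = Join-Path $ZoneRoot $zone.ZoneId
        # Same change as Custom Level > Scripting > Active Scripting > Prompt/Disable in the IE dialog.
        Set-ItemProperty -Path $key -Name '1400' -Value $Target -Type DWord
        Write-Output ("Zone {0} ({1}): Active Scripting set to {2}" -f $zone.ZoneId, $zone.Zone, $Mode)
    }
}
```

Run it without switches to audit only; the same Trusted sites caveat from the advisory applies, since sites added to zone 2 are not checked here.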

Restrict Web sites to only your trusted Web sites.

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, follow these steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.

Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). These are the sites that will host the update, and it requires an ActiveX Control to install the update.

Additional Suggested Actions
• Microsoft encourages users to exercise caution when they open e-mail messages and links in e-mail messages that come from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

• Customers in the U.S. and Canada who believe they may have been affected by this vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses. International customers can receive support by using any of the methods that are listed at the Security Help and Support for Home Users Web site.

• All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.

• Customers are encouraged to keep their antivirus software up to date. Windows Defender (Beta 2) can also help protect your system from spyware and other potentially unwanted software. Customers can also visit Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that might take advantage of this vulnerability.

• Protect Your PC
  We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.

• For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.

• Keep Windows Updated
  All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Resources:
• You can provide feedback by completing the form by visiting the following Web site.

• Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.

• International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.

• The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions: 
• March 23, 2006: Advisory published

[***** End Microsoft Security Advisory (917077) *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-144: ffmpeg
Q-145: Vulnerabilities in Microsoft Office 
Q-146: Permissive Windows Services DACLs
Q-147: Macromedia Flash Player Update to Address Security Vulnerabilities
Q-148: Media Server BENGINE Service Job Log Format String Overflow
Q-150: unzip
Q-149: kernel-patch-vserver, util-vserver
Q-151: sendmail Security Update
Q-152: snmptrapfmt
Q-153: RealPlayer Security Update