[Dshield] An unfixed highly critical vulnerability discovered inMicrosoft Internet Explorer

Thor Larholm thor at pivx.com
Thu Apr 8 18:52:14 GMT 2004


The CHM and ms-its/itss vulnerabilities are being heavily exploited in
the wild, mainly because the exploits have been refined again and again
so you just have to replace an EXE without knowing anything else.
Abusing these through showHelp has resided to abusing these through
DHTML Scriptlets, but the underlying issue is the same.

NAV2004 just detect this particular instance of that exploit, it does
nothing to deter the actual vulnerability from being exploited. You can
circumvent the signature check just by HTML encoding a few characters
(and don't get me started on JS obfuscation, encryption or compression
;).

These are unpatched vulnerabilities. You should lock down the My
Computer zone to prevent them from working (Qwik-Fix did this back in
November). The recently released Bugbear.e worm also exploited this
vulnerability.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor at pivx.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net> 

-----Original Message-----
From: Peter Stendahl-Juvonen [mailto:peter.stendahl-juvonen at welho.com] 
Sent: Thursday, April 08, 2004 6:16 AM
To: DShield General DShield Discussion List
Subject: [Dshield] An unfixed highly critical vulnerability discovered
inMicrosoft Internet Explorer


An unfixed highly critical vulnerability discovered in Microsoft
Internet Explorer

FYI-

Wanted to ensure everyone concerned (MS IE 5.01, 5.5 and 6 users) on
this list is aware of this unfixed critical vulnerability:


Microsoft Internet Explorer does not properly validate source of CHM
components referenced by ITS protocol handlers

Overview: Microsoft Internet Explorer (IE) does not adequately validate
the source of script contained in compiled help (CHM) file components
that are referenced by the Microsoft InfoTech Storage (ITS) protocol
handlers. An attacker could exploit this vulnerability to execute script
in different security domains. By causing script to be run in the Local
Machine Zone, the attacker could execute arbitrary code with the
privileges of the user running IE.

http://www.kb.cert.org/vuls/id/323070


AU-2004.007 -- AusCERT Update - Vulnerability in Internet Explorer
Allows Program Execution

http://www.auscert.org.au/render.html?it=3990


Internet Explorer showHelp() Restriction Bypass Vulnerability

Critical: Highly critical 
Impact: Security Bypass
Where: From remote
Software: Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6

http://secunia.com/advisories/10523/


When visited Secunia's web page (at the above address), I received the
following virus alert (issued by NAV2004):

Source: C:\Documents and Settings\username\Local Settings\Temporary
Internet Files\Content.IE5\0LU1UHY7\10523[1].htm 
Click for more information about this threat: Bloodhound.Exploit.6

Guess this is just Secunia's way of demonstrating the vulnerability's
existence on browsers concerned.

Since the virus was detected in browser's cache, access to the infected
file was denied and repair failed. After closing the browser a scan of
Temporary Internet Files, however show NO threats.


NAV2004-

Bloodhound.Exploit.6

Bloodhound.Exploit.6 is a heuristic detection for exploits of a
Microsoft Internet Explorer vulnerability, which was discovered in
February 2004. 

The vulnerability results from the incorrect handling of HTML files
embedded in CHM files. (CHM is the Microsoft-compiled HTML help format.)

This vulnerability is known to be used in the wild.

http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.explo
it.6.html


- Pete


               "When we thought that we had all the answers,
                   suddenly all the questions changed." 
               Mario Benedetti (1920); Uruguayan writer.



_______________________________________________
list mailing list
list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list



More information about the list mailing list