IE Vulnerability Flagged

April 9, 2004

The U.S. Computer Emergency Readiness Team (CERT) has published an advisory for a security flaw that has no complete workaround, leaving PCs at risk even if protective steps are taken.

The vulnerability lets attackers trick the InfoTech Storage (ITS) protocol handlers in Microsoft's Internet Explorer (IE) into fetching scripts from another domain (server) and running them with the same privileges as those found in the victim's Local Machine Zone.

Microsoft is expected to release its monthly crop of security updates Tuesday. A spokesperson for the Redmond, Wash., software giant was not immediately available to say whether the CERT advisory vulnerability would be included, or if an August patch for a similar flaw addresses the problem.

Here's how the latest threat works: IE references an inaccessible or non-existent MIME encapsulation of aggregate HTML (MHTML) file using ITS and MHTML protocols; when it finds no Compiled HTML Help (CHM) file, ITS protocol handlers can be duped into accessing a CHM file from another domain.

If that CHM file was crafted by a cracker, it can contain scripts that can be executed from that other domain, violating the cross-domain security model. Using a specially crafted URL, CERT says attackers can access other Web sites and run those scripts, which can grab credit card numbers or crash a network.

Normally, using another Web browser like Opera or Netscape until the vulnerability has been fixed offers protection. But CERT says browsers that invoke IE to handle ITS protocol URLs could possibly create the same breach in a user's computer. It also affects any application that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) -- Outlook and Outlook Express are examples.

Disabling Active scripting and ActiveX controls "only reduces the functionality of scripts, applets, Windows components or other applications," the advisory said, so that step only stops certain types of attacks. Users or network administrators can, however, go into the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\" and disable the "ms-its," "ms-itss," "its," and "mk" handlers.
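The registry workaround above is easy to get wrong by hand and hard to undo. The following PowerShell script is an added example, not code from the advisory or from Microsoft: it audits the four handler keys under the path the article names and, only when asked, disables them. The mechanism used here (renaming each key with a ".disabled" suffix after exporting a backup to the temp directory) is this example's own choice so that the change is reversible; the key path and handler names are from the article. Run it from an elevated prompt; while the keys are renamed, HTML Help (.chm) content will not open.

```powershell
# Added example (not from the US-CERT advisory or Microsoft): audit and, on request,
# disable the ITS protocol handler keys by renaming them so the change is reversible.
#   .\its-handlers.ps1            -> report only
#   .\its-handlers.ps1 -Disable   -> export a backup of each key, then rename it
#   .\its-handlers.ps1 -Restore   -> rename the keys back to their original names
param(
    [switch]$Disable,   # without this switch the script only reports
    [switch]$Restore    # put renamed keys back
)

$HandlerRoot = 'HKLM:\SOFTWARE\Classes\PROTOCOLS\Handler'   # path from the article
$Handlers    = @('ms-its', 'ms-itss', 'its', 'mk')          # handler names from the article
$Suffix      = '.disabled'                                   # assumed naming for a disabled key

foreach ($name in $Handlers) {
    $active   = Join-Path $HandlerRoot $name
    $disabled = Join-Path $HandlerRoot ($name + $Suffix)

    if ($Restore) {
        if (Test-Path $disabled) {
            Rename-Item -Path $disabled -NewName $name
            Write-Host "restored  $name"
        }
        continue
    }

    if (Test-Path $active) {
        # The CLSID value tells you which COM object currently serves this protocol.
        $clsid = (Get-ItemProperty -Path $active).CLSID
        Write-Host ("present   {0,-8} CLSID={1}" -f $name, $clsid)
        if ($Disable) {
            # Keep a .reg backup (assumed location: %TEMP%) so the key can be re-imported
            # even if the renamed copy is lost.
            $backup = Join-Path $env:TEMP "protocol-handler-$name.reg"
            & reg.exe export "HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\$name" $backup /y | Out-Null
            Rename-Item -Path $active -NewName ($name + $Suffix)
            Write-Host "disabled  $name (backup: $backup)"
        }
    }
    elseif (Test-Path $disabled) {
        Write-Host "disabled  $name (already renamed)"
    }
    else {
        Write-Host "absent    $name"
    }
}
```

Running the script with no switches is a harmless check you can repeat after a patch is applied to confirm what state the machine is in; the rename only happens with -Disable, and -Restore reverses it without touching anything else under the Handler key.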

It's generally considered bad practice to announce vulnerabilities before the vendor has had a chance to fix the breach because it gives crackers a chance to get to the user before the security patch. However, CERT was likely inclined to do so because of two facts: the exploits already exist today, and Microsoft has been seemingly slow to correct the vulnerability.

The advisory states that variants of the W32/Bugbear, the BloodHound.Exploit.6 and the Ibiza trojan all exploit the ITS Protocol Handler vulnerability. Anyone who keeps their anti-virus software up-to-date will likely be safe, though there's nothing to stop virus writers from modifying the code to circumvent the anti-virus software.

But officials warn that computer users can be tricked into opening an HTML document -- either by visiting a site or clicking on hyperlinks in an HTML e-mail message -- and should "avoid clicking on unsolicited URLs received in emails, instant messages, Web forums or Internet relay chat (IRC) channels," the advisory states.

Microsoft of late has had problems with cross-domain vulnerabilities, especially this one. A patch for a similar vulnerability was first released in August.
