vulnerability analysis
Rash of IE Vulnerabilities
Thomas Kristensen, CTO, Secunia Scandinavia

The last month has revealed many new vulnerabilities in all kinds of systems in use at home and in corporations.

In an attempt to hinder automatic file downloads and executions, Microsoft has implemented various countermeasures. One of these is to separate browsing into security zones. In the local zone it is possible to "download" and execute executable files without warnings; in the Internet zone a file download requires user acceptance, and executing the downloaded file requires a second acceptance. However, if a website launches a large number of frames requesting the same file, Internet Explorer will eventually fail to keep track of them and, without further notice, download and execute the file. There is no update or effective countermeasure to this attack. For more details about Internet Explorer failing to handle multiple download requests: http://www.secunia.com/advisories/8807/

In April Microsoft issued an update for Internet Explorer which also fixed a vulnerability in the handling of security zones. This time the problem was an input validation error when invoking third-party plug-ins. It allowed a malicious intruder to place plug-ins on the user's system and execute them in the local zone, another effective way to circumvent Microsoft's "security model". For more details about the Microsoft Internet Explorer update, MS03-015: http://www.secunia.com/advisories/8649/

The last month really hasn't been too good for Microsoft. The last noteworthy Microsoft issue this month has been called the dumbest bug ever by some security researchers. The core of the problem is rather bizarre, or rather plain dumb! By constructing an HTML document which doesn't contain a tag, and then placing an invalid tag in which there is no "=" between the "type" parameter and its value, Internet Explorer will simply crash due to a NULL pointer dereference. As if this wasn't enough, the NULL pointer dereference occurs in the "shlwapi.dll" library, which is also used by Explorer, Outlook, Outlook Express, FrontPage and possibly many other applications. All of these applications are therefore also susceptible to the same crash. For more details about the Internet Explorer crash bug: http://www.secunia.com/advisories/8642/

Although the most noteworthy vulnerabilities this month affect Microsoft, we have also seen a few other interesting security bugs.
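The shlwapi.dll crash described above is a NULL pointer dereference in attribute parsing: the parser assumes that "type" is always followed by "=" and walks straight past a NULL. The following is an added example written for this column, not code from the article, from Secunia or from Microsoft (the real shlwapi.dll code is not shown anywhere here): a toy C parser for a "type" attribute in the vulnerable shape beside a hardened version that checks every step of the attribute grammar before advancing the pointer. The function names and the sample tags are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Both functions look for a "type" attribute inside a single tag such as
 * <input type=text> and copy its value into out (outlen bytes).  They
 * return 1 on success and 0 when the attribute is absent or malformed. */

/* Vulnerable: once "type" is seen it assumes an "=" must follow.  For a tag
 * written as <input type> (no "="), strchr returns NULL, eq + 1 is an
 * invalid pointer, and strcspn dereferences it.  Never call it on that. */
int get_type_attr_unsafe(const char *tag, char *out, size_t outlen)
{
    const char *p = strstr(tag, "type");
    if (p == NULL)
        return 0;
    const char *eq = strchr(p, '=');    /* NULL when the "=" is missing */
    const char *val = eq + 1;           /* never checked: NULL + 1 */
    size_t n = strcspn(val, " >");      /* NULL pointer dereference here */
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, val, n);
    out[n] = '\0';
    return 1;
}

/* Hardened: each token of the grammar is verified before the pointer moves,
 * so <input type> is rejected with a return value instead of a crash. */
int get_type_attr_safe(const char *tag, char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    const char *p = strstr(tag, "type");
    if (p == NULL)
        return 0;
    p += strlen("type");
    while (isspace((unsigned char)*p)) p++;
    if (*p != '=')                      /* "<input type>" stops here */
        return 0;
    p++;
    while (isspace((unsigned char)*p)) p++;
    size_t n;
    if (*p == '"') {                    /* quoted value: up to closing quote */
        p++;
        n = strcspn(p, "\"");
        if (p[n] != '"')
            return 0;                   /* unterminated quote */
    } else {                            /* bare value: up to space or '>' */
        n = strcspn(p, " >");
    }
    if (n == 0 || n >= outlen)
        return 0;                       /* empty, or too long for out */
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Convenience wrappers: the value from a static buffer, or NULL on reject. */
const char *type_of_safe(const char *tag)
{
    static char buf[32];
    return get_type_attr_safe(tag, buf, sizeof buf) ? buf : NULL;
}

const char *type_of_unsafe(const char *tag)
{
    static char buf[32];
    return get_type_attr_unsafe(tag, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    const char *good = "<input type=\"text\" name=\"q\">";
    const char *bad  = "<input type>";          /* the malformed shape */
    printf("unsafe, well-formed: %s\n", type_of_unsafe(good));
    printf("safe,   well-formed: %s\n", type_of_safe(good));
    printf("safe,   malformed:   %s\n", type_of_safe(bad) ? "accepted" : "rejected");
    /* type_of_unsafe(bad) would crash with a NULL pointer dereference. */
    return 0;
}
```

The point to take from the hardened version is not the quote handling but the order of checks: a parser that derives a pointer from a search result must test that result before using it, and a shared library like shlwapi.dll turns one such omission into a crash in every application that loads it.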
Another great example of how dangerous it can be to trust input was discovered in multiple IMAP-compatible email clients. The problem is that the client trusts data returned from the server, such as the number of messages, the size of messages, and that folder names are valid. While a vulnerability in the handling of this kind of input is difficult to exploit, it is still possible for a malicious server administrator, a hacked server, or a malicious intruder performing a man-in-the-middle attack to exploit this kind of vulnerability. No firewall, anti-virus or content filtering application will protect against this kind of attack.

The IMAP vulnerabilities are known to affect the following clients:
• c-client / UW-imapd
• Eudora
• Microsoft Outlook Express
• Mozilla
• Mutt
• Pine
• Sylpheed
• Sylpheed-Claws
• Ximian Evolution

Even here it affected Microsoft too. For more details see the following advisories:
http://www.secunia.com/advisories/8810/
http://www.secunia.com/advisories/8359/

Linux also suffered a nasty little vulnerability in the handling and filtering of IP traffic. A feature which was supposed to speed up the routing of packets has been turned into a vulnerability allowing malicious hackers to cause a denial of service. The Linux kernel caches routing information in a hash table, allowing the kernel to do faster lookups and process packets at increased speed. However, when data is stored in a hash table, an attacker who controls the keys can cause very large amounts of data to be stored in the table and deliberately cause collisions during the storing process. Resolving these collisions consumes large amounts of CPU resources. Under certain conditions it has been possible to bring a Linux system to its knees with a mere 400 packets a second. For more details about the vulnerability and how to use the Linux firewall implementation "iptables" to prevent this attack see: http://www.secunia.com/advisories/8786/

Make sure that you keep your systems up-to-date with the latest patches to maintain good security.
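The IMAP client problem above (trusting sizes and counts announced by the server) as an added example, not code from any of the listed clients or from the advisories: a C parser for the literal syntax an IMAP server uses to send message data, where the server announces the byte count in braces ("{12}") and the bytes follow the CRLF. The vulnerable version copies as many bytes as the server claims; the hardened version treats the claim as untrusted and bounds it by the buffer and by what was actually received. The FETCH responses are constructed samples and the function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of an IMAP FETCH response carrying a literal. */
static const char GOOD_RESPONSE[] =
    "* 1 FETCH (RFC822.SIZE 12 BODY[] {12}\r\nHello world!)\r\n";

/* A lying server: claims 4000000 bytes for a body that is 2 bytes long. */
static const char EVIL_RESPONSE[] =
    "* 1 FETCH (RFC822.SIZE 4000000 BODY[] {4000000}\r\nHi)\r\n";

/* A count that fits the buffer but exceeds what was actually sent. */
static const char SHORT_RESPONSE[] =
    "* 1 FETCH (RFC822.SIZE 40 BODY[] {40}\r\nHi)\r\n";

/* Find "{count}\r\n" and return a pointer to the literal data after it,
 * storing the announced count.  Returns NULL when no literal is present. */
static const char *find_literal(const char *resp, size_t *count)
{
    const char *open = strchr(resp, '{');
    if (open == NULL || !isdigit((unsigned char)open[1]))
        return NULL;
    char *end;
    unsigned long n = strtoul(open + 1, &end, 10);
    if (end[0] != '}' || end[1] != '\r' || end[2] != '\n')
        return NULL;
    *count = (size_t)n;
    return end + 3;
}

/* Vulnerable: the announced count is trusted.  With EVIL_RESPONSE the memcpy
 * writes 4000000 bytes into a small buffer (and reads past the response),
 * so this function is only ever called on GOOD_RESPONSE here. */
int copy_literal_unsafe(const char *resp, char *out, size_t outlen)
{
    size_t n;
    const char *data = find_literal(resp, &n);
    if (data == NULL)
        return -1;
    (void)outlen;                       /* never consulted */
    memcpy(out, data, n);
    out[n] = '\0';
    return (int)n;
}

/* Hardened: the count is an untrusted claim, so bound it by the buffer and
 * by the bytes actually received (strlen here because the sample is a C
 * string; a real client would use the length returned by read()). */
int copy_literal_safe(const char *resp, char *out, size_t outlen)
{
    size_t n;
    const char *data = find_literal(resp, &n);
    if (data == NULL)
        return -1;
    if (outlen == 0 || n > outlen - 1)
        return -2;                      /* would overflow out */
    if (n > strlen(data))
        return -3;                      /* fewer bytes sent than announced */
    memcpy(out, data, n);
    out[n] = '\0';
    return (int)n;
}

/* Parse into a fixed 64-byte buffer and return only the status code. */
int check_response(const char *resp)
{
    char buf[64];
    return copy_literal_safe(resp, buf, sizeof buf);
}

int main(void)
{
    char buf[64];
    int n = copy_literal_safe(GOOD_RESPONSE, buf, sizeof buf);
    printf("good:  status %d, body \"%s\"\n", n, n > 0 ? buf : "");
    printf("evil:  status %d\n", check_response(EVIL_RESPONSE));
    printf("short: status %d\n", check_response(SHORT_RESPONSE));
    /* copy_literal_unsafe(EVIL_RESPONSE, buf, sizeof buf) would overflow buf. */
    return 0;
}
```

The same rule applies to every other server-supplied number in the protocol (message counts, RFC822.SIZE, mailbox names used as paths): a value received over the network is a claim, and the client must check it against its own limits before it drives an allocation, a copy or a file operation. This is why the column notes that no firewall or content filter helps: the traffic is a perfectly valid IMAP session.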
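The route cache problem above is an instance of hash flooding: if the function that picks a bucket is predictable, an attacker can choose keys that all land in the same chain and turn each insertion into a linear scan. The following is an added example written for this column, not the Linux kernel's route cache code or its fix: a toy chained hash table in C fed 2000 crafted keys, once with an unkeyed byte-sum hash and once with a hash started from a secret seed, counting how many key comparisons the table performs. The hash functions, the key construction and the sizes are my own; the keyed hash illustrates the general mitigation (an unpredictable hash secret), and says nothing about how the kernel itself was patched.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define NBUCKETS 1024      /* bucket count of the toy cache */
#define NKEYS    2000      /* crafted entries the "attacker" inserts */
#define KEYLEN   6

struct node { char key[KEYLEN + 1]; struct node *next; };

/* Unkeyed hash: the sum of the key bytes.  Anyone who knows the function
 * can craft keys with equal sums, which all land in one bucket. */
static uint32_t sum_hash(const char *key, uint32_t seed)
{
    uint32_t h = 0;
    (void)seed;                         /* no secret: the seed is ignored */
    for (; *key; key++)
        h += (unsigned char)*key;
    return h;
}

/* Keyed hash: FNV-1a style byte mixing started from a secret seed, with a
 * murmur3-style finaliser so bucket selection uses well-mixed bits.
 * Without the seed an attacker cannot predict which keys collide. */
static uint32_t keyed_hash(const char *key, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;
    for (; *key; key++) {
        h ^= (unsigned char)*key;
        h *= 16777619u;
    }
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h;
}

/* Crafted key number i: three mirrored pairs ('A'+d, 'Z'-d) built from the
 * base-26 digits of i.  Every pair sums to 'A'+'Z', so the NKEYS keys are
 * all distinct yet have identical byte sums and collide under sum_hash. */
static void craft_key(int i, char out[KEYLEN + 1])
{
    int divisor = 1;
    for (int p = 0; p < 3; p++, divisor *= 26) {
        int d = (i / divisor) % 26;
        out[2 * p]     = (char)('A' + d);
        out[2 * p + 1] = (char)('Z' - d);
    }
    out[KEYLEN] = '\0';
}

/* Insert key, first walking its chain to reject duplicates.  Returns the
 * number of key comparisons made: the work the attacker forces per packet. */
static unsigned long insert(struct node **table, const char *key,
                            uint32_t (*hash)(const char *, uint32_t),
                            uint32_t seed)
{
    unsigned long cmps = 0;
    struct node **bucket = &table[hash(key, seed) % NBUCKETS];
    for (struct node *n = *bucket; n != NULL; n = n->next) {
        cmps++;
        if (strcmp(n->key, key) == 0)
            return cmps;                /* already cached */
    }
    struct node *n = malloc(sizeof *n);
    if (n == NULL) { perror("malloc"); exit(EXIT_FAILURE); }
    strcpy(n->key, key);
    n->next = *bucket;
    *bucket = n;
    return cmps;
}

static void free_table(struct node **table)
{
    for (int b = 0; b < NBUCKETS; b++)
        for (struct node *n = table[b], *next; n != NULL; n = next) {
            next = n->next;
            free(n);
        }
}

/* Insert all crafted keys into an empty table and return the total number
 * of comparisons: O(n^2) when every key collides, O(n^2/NBUCKETS) when
 * the keys spread out across the buckets. */
unsigned long flood_cost(uint32_t (*hash)(const char *, uint32_t), uint32_t seed)
{
    struct node *table[NBUCKETS] = {0};
    unsigned long total = 0;
    char key[KEYLEN + 1];
    for (int i = 0; i < NKEYS; i++) {
        craft_key(i, key);
        total += insert(table, key, hash, seed);
    }
    free_table(table);
    return total;
}

unsigned long flood_cost_unkeyed(void)        { return flood_cost(sum_hash, 0); }
unsigned long flood_cost_keyed(uint32_t seed) { return flood_cost(keyed_hash, seed); }

int main(void)
{
    /* Stand-in for a secret drawn from the OS CSPRNG at boot. */
    uint32_t seed = (uint32_t)time(NULL) * 2654435761u;
    printf("unkeyed sum hash: %d crafted keys cost %lu comparisons\n",
           NKEYS, flood_cost_unkeyed());
    printf("keyed hash:       %d crafted keys cost %lu comparisons\n",
           NKEYS, flood_cost_keyed(seed));
    return 0;
}
```

With the byte-sum hash all 2000 keys share one chain and the table performs 1999000 comparisons (the sum 0 + 1 + ... + 1999); with the seeded hash the same keys spread over the 1024 buckets and cost on the order of 2000 comparisons. That ratio is what lets a few hundred crafted packets per second saturate a CPU, and why the two standard remedies are an unpredictable hash secret in the table and, until patched, rate limiting of the offending traffic at the firewall.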