HTTP MS IE MOTW Local Zone Access
Severity: Medium
This attack could pose a moderate security threat. It does not require immediate action.
Description
This signature detects an attempt to exploit a vulnerability in Internet Explorer.
Additional Information
The Microsoft cumulative Internet Explorer patch (MS04-038) attempted to limit what files may be dragged and dropped onto the local computer from the Internet Zone to prevent executable objects from being placed on the file system in this manner.
However, a number of file types are still permitted for drag and drop operations. It has been demonstrated that it is possible to embed hostile HTML and script code in one of these file types, remove the file extension and then allow the operating system to dynamically determine the file type based on its contents.
This will effectively allow hostile script to be executed in the Local Zone on the affected computer. While the Local Zone has been locked down in Internet Explorer 6 SP2 and Windows XP SP2, if combined with other vulnerabilities, this could aid in execution of arbitrary code on the client computer.
Affected:
Microsoft Internet Explorer 5.0.1, 5.0.1 SP1, 5.0.1 SP2, 5.0.1 SP3, 5.0.1 SP4, 5.5, 5.5 SP1, 5.5 SP2, 6.0, 6.0 SP1, 6.0 SP2
Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows ME
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP Home SP1, SP2
Microsoft Windows XP Media Center Edition SP1, SP2
Microsoft Windows XP Professional SP1, SP2
Microsoft Windows XP Tablet PC Edition SP1, SP2
Nortel Networks IP softphone 2050
Nortel Networks Mobile Voice Client 2050
Nortel Networks Optivity Telephony Manager (OTM)
Nortel Networks Symposium Web Center Portal (SWCP)
Nortel Networks Symposium Web Client
Response
Solution:
Microsoft has made patches available for this issue in the MS04-038 cumulative security update for Internet Explorer.
Workaround:
Microsoft has outlined the following steps that may be employed to work around this vulnerability.
Prior to implementing the workaround, the vendor advises that all affected customers apply the MS04-038 cumulative Security Update for Internet Explorer. A link to this update can be found in the reference section of this BID.
Once the update has been successfully installed, the vendor recommends that 'Drag and drop or copy and paste files' functionality in the Local Intranet and Internet zones be disabled. This can be accomplished as follows:
1. In Internet Explorer, select Internet Options on the Tools menu, and then select the Security tab.
2. In the 'Select a Web content zone to specify its security settings' box, select Internet, and then select Custom Level.
3. In the Settings box, under 'Miscellaneous', locate the 'Drag and drop or copy and paste files' option.
4. Under 'Drag and drop or copy and paste files', select 'Disable', and then click 'OK'.
5. Click 'Yes' and then click 'OK' two times.
6. Repeat these steps for the Local intranet zone.
Further information can be found in the referenced vendor document "How to help protect against the Internet Explorer Click and Scroll security issue".
The existing exploit for this issue may be mitigated by setting the kill bit on the Shell.Explorer ActiveX component which has the following GUID:
{8856F961-340A-11D0-A96B-00C04FD705A2}
Further instructions on setting the kill bit for ActiveX components can be found at the following location:
How to Stop an ActiveX Control from Running in Internet Explorer
It should be noted that this does not address the actual vulnerability itself but only limits use of one of the components needed in the existing exploit.
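The two mitigations above (disabling 'Drag and drop or copy and paste files' in the Internet and Local intranet zones, and setting the kill bit on Shell.Explorer) can be applied and audited from the registry rather than through the Internet Options dialog. The following PowerShell script is an added example, not part of the original advisory or of any Microsoft-supplied tooling. It relies on Microsoft's documented zone layout (zone 1 = Local intranet, zone 3 = Internet; URL action 1802 = 'Drag and drop or copy and paste files', with 0 = enable, 1 = prompt, 3 = disable) and on the documented kill-bit mechanism (DWORD 'Compatibility Flags' = 0x400 under the ActiveX Compatibility key). The function name Test-DragDropMitigations is an assumption chosen for this example.

```powershell
# Added example (not from the original advisory): registry form of the two workarounds.
# Run in an elevated PowerShell. The zone settings live under HKCU and apply per user;
# the kill bit lives under HKLM and applies machine-wide.

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$dragDropAction = '1802'   # URL action: "Drag and drop or copy and paste files"
$disable = 3               # 0 = enable, 1 = prompt, 3 = disable
$zones = @('1', '3')       # 1 = Local intranet, 3 = Internet

# Part 1: disable drag and drop / copy and paste of files in both zones.
foreach ($zone in $zones) {
    $key = Join-Path $zoneRoot $zone
    $before = (Get-ItemProperty -Path $key -Name $dragDropAction -ErrorAction SilentlyContinue).$dragDropAction
    Set-ItemProperty -Path $key -Name $dragDropAction -Value $disable -Type DWord
    $after = (Get-ItemProperty -Path $key -Name $dragDropAction).$dragDropAction
    "Zone $zone: action 1802 was '$before', now $after"
}

# Part 2: kill bit for Shell.Explorer (CLSID taken from the advisory text above).
# Compatibility Flags bit 0x400 is the documented kill bit. Existing flags are preserved.
$clsid = '{8856F961-340A-11D0-A96B-00C04FD705A2}'
$killBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
if (-not (Test-Path $killBitKey)) {
    New-Item -Path $killBitKey -Force | Out-Null
}
$current = (Get-ItemProperty -Path $killBitKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
$newFlags = ([int]$current) -bor 0x400   # $current is $null (-> 0) when the value did not exist
Set-ItemProperty -Path $killBitKey -Name 'Compatibility Flags' -Value $newFlags -Type DWord
'Kill bit for {0}: Compatibility Flags = 0x{1:X}' -f $clsid, $newFlags

# Part 3: audit check. Returns $true only if both zones disable action 1802
# and the kill bit is present on the Shell.Explorer CLSID. (Function name is assumed.)
function Test-DragDropMitigations {
    foreach ($zone in $zones) {
        $v = (Get-ItemProperty -Path (Join-Path $zoneRoot $zone) -Name $dragDropAction -ErrorAction SilentlyContinue).$dragDropAction
        if ($v -ne $disable) { return $false }
    }
    $flags = (Get-ItemProperty -Path $killBitKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ((([int]$flags) -band 0x400) -ne 0)
}

Test-DragDropMitigations
```

Two caveats when using this. If zone settings are enforced by Group Policy (the Security_HKLM_only policy), the per-user HKCU values are ignored and the equivalent value must be set under the HKLM Zones key instead, so the audit function should be pointed at whichever hive is authoritative on the machine. And because Shell.Explorer is the WebBrowser control, its kill bit blocks every page that instantiates that control in Internet Explorer, not only the exploit; test the effect on intranet applications before rolling it out, and remember that, as noted above, it narrows the known exploit without fixing the drag-and-drop issue itself.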
Possible False Positives
In some instances, this signature may false positive on websites discussing this vulnerability or sites containing sample code.