Microsoft Internet Explorer does not adequately validate references to cached objects and methods

Overview

Microsoft Internet Explorer does not adequately validate references to cached objects and methods across domains and security zones. The impact is similar to that of a cross-site scripting vulnerability, allowing an attacker to access data in other sites, including the Local Computer zone.

Description

Microsoft Internet Explorer features the ability to process scripts contained in HTML documents. This feature is known as Active scripting, and Internet Explorer supports several scripting languages, including VBScript and JScript. JScript is similar to Netscape’s JavaScript and both languages played some part in the development of ECMAScript (ECMA-262). For security reasons, a script loaded from one site should not be able to access resources on another site, including the local client. In JavaScript, the Same Origin Policy protects clients by ensuring that “when loading a document from one origin, a script loaded from a different origin cannot get or set specific properties of specific browser and HTML objects in a window or frame.” Internet Explorer implements a similar policy, adding the restriction that scripts are not allowed to access properties or objects across security zones.

As reported by GreyMagic Software and Liu Die Yu, Internet Explorer does not adequately validate references to certain cached objects and methods across different domains and security zones. A script from a potentially malicious site executing in one domain and security zone is able to access resources in another domain and zone, including the Local Computer zone, via the DHTML Document Object Model interface.

Outlook, Outlook Express, AOL, MSN, Eudora, Lotus Notes, and any other software that uses the WebBrowser ActiveX control could be affected by this vulnerability.

Note that in order for this vulnerability to be exploited, Active scripting must be enabled in the security zone in which the HTML document is rendered.

More information is available in Microsoft Security Bulletin MS02-068.

---

Impact

By convincing a user to follow a URL or read an HTML email message containing malicious script, and attacker could take any action with the privileges of the user executing the script. This could include opening new browser windows to different sites in different security zones, reading or modifying information in open browser windows, reading files on the local file system, and executing commands that are in a location known to the attacker. An attacker who is able to obtain cookies used for authentication may be able to impersonate a legitimate user and obtain sensitive data such as passwords or credit card information. By leveraging features of the Microsoft HTML Help system (VU#25249), an attacker could execute commands with parameters or cause arbitrary files to be downloaded to a known location on the local system, subject to the user’s privileges.

---

Solution

Apply Patch

Apply the patch referenced in Microsoft Security Bulletin MS03-015.

A number of object and method caching vulnerabilities were addressed by MS02-066. The external method caching vulnerability was addressed by MS02-068, which supersedes MS02-066. As of May 2003, the clipboardData method caching vulnerability has not been addressed. Both the external and clipboardData vulnerabilities affect Internet Explorer version 6.0 SP1.

---

Disable Active scripting

At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, and any other software that uses Internet Explorer to render HTML. Instructions for disabling Active scripting can be found in the CERT/CC Malicious Web Scripts FAQ.

Apply Outlook Email Security Update

The Outlook Email Security Update configures Outlook 2000 and Outlook 98 to use the Restricted sites zone to open email. By default, Active scripting is disabled in the Restricted sites zone. Outlook Express 6.0 and Outlook 2002 include the functionality provided by the Outlook Security Update.
Outlook 2000:
<http://office.microsoft.com/downloads/2000/Out2ksec.aspx&gt;

Outlook 98:
<http://office.microsoft.com/downloads/9798/Out98sec.aspx&gt;
Restrict HTML Help commands

Restrict the execution of the Shortcut and WinHelp HTML Help commands to specified folders, or disable the commands entirely. This will prevent malicious scripts from downloading arbitrary files and executing arbitrary commands with parameters via HTML Help. It will also limit the ability of HTML Help to open URLs and execute commands.

<http://support.microsoft.com/?kbid=810687&gt;
Microsoft has also released an updated version of HTML Help (811630) that is available via Windows Update:

<http://support.microsoft.com/default.aspx?scid=KB;en-us;q811630&gt;
Filter Script Code

It may be possible to use an application layer filter to detect and block or disable script code within HTML data.

---

Vendor Information

162097

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: December 12, 2002 Updated: June 18, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please reference Microsoft Security Bulletin MS02-068. As of May 2003, the clipboardData method caching vulnerability has not been addressed.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23162097 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://security.greymagic.com/adv/gm012-ie/&gt;
• <http://www.microsoft.com/technet/security/bulletin/MS02-066.asp&gt;
• <http://www.microsoft.com/technet/security/bulletin/MS02-068.asp&gt;
• <http://support.microsoft.com/?kbid=810687&gt;
• <http://www.securityfocus.com/bid/6028&gt;
• <http://www.iss.net/security_center/static/10433.php&gt;
• <http://developer.netscape.com/docs/manuals/js/client/jsguide/sec.htm#1015705&gt;
• <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp&gt;
• <http://www.w3.org/DOM/&gt;
• <http://support.microsoft.com/default.aspx?scid=KB;en-us;q811630&gt;
• <http://msdn.microsoft.com/workshop/author/om/doc_object.asp&gt;
• <http://liudieyuinchina.vip.sina.com/SaveRef/SaveRef-Content.txt&gt;
• <http://liudieyuinchina.vip.sina.com/SaveRef/SaveRef-MyPage.HTM&gt;
• <http://liudieyuinchina.vip.sina.com/SaveRef/SaveRef-MyPage-2.HTM&gt;
• <http://liudieyuinchina.vip.sina.com/SaveRef_DocumentWrite/SaveRef_DocumentWrite-Content.txt&gt;
• <http://liudieyuinchina.vip.sina.com/SaveRef_DocumentWrite/SaveRef_DocumentWrite-MyPage.htm&gt;
• <http://jscript.dk/2002/10/sec/SaveRefLocalFile.html&gt;

Acknowledgements

GreyMagic Software and Liu Die Yu publicly reported multiple instances of this vulnerability.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2002-1262
Severity Metric:	34.78 Date Public: