CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.077 Low
Percentile: 94.2%
Microsoft Internet Explorer (IE) fails to properly validate redirected functions. The impact is similar to that of a cross-site scripting vulnerability, which allows an attacker to access data in other sites, including the Local Machine Zone.
IE features Active scripting, the ability to process scripts contained in HTML documents. IE supports several scripting languages, including VBScript and JScript. JScript is similar to Netscape’s JavaScript and both languages played some part in the development of ECMAScript (ECMA-262). For security reasons, a script loaded from one site should not be able to access resources on another site, including the local client. In JavaScript, the Same Origin Policy protects clients by ensuring that “when loading a document from one origin, a script loaded from a different origin cannot get or set specific properties of specific browser and HTML objects in a window or frame.” IE implements a similar policy, adding the restriction that scripts are not allowed to access properties or objects across security zones.
IE is vulnerable to a cross-domain violation that involves redirected or cached functions. Rather than calling a script function directly, it is possible for one object to cache a reference to a function that resides in a different object, such as an IFRAME or a popup window. When the domain of the parent object (containing the cached reference) changes, IE incorrectly determines the source of the function based on the new domain of the cached reference. The function, contained in the object in the original domain, is executed in the context of the parent object (containing the cached reference), in the new domain. Because the object that invokes the script may be in a different domain than the object in which the script executes, the cross-domain security model is violated.
MS04-038 refers to this vulnerability as Similar Method Name Redirection Cross Domain Vulnerability. The vulnerability is similar to VU#162097 but uses a slightly different method to achieve the same results.
By convincing a user to follow a URL or read an HTML email message containing malicious script, an attacker could take any action with the privileges of the user executing the script. This could include opening new browser windows to different sites in different security zones, reading or modifying information in open browser windows, reading files on the local file system, and executing commands that are in a location known to the attacker. By leveraging capabilities provided by technologies such as ActiveX controls and the HTML Help system, an attacker could execute arbitrary code.
An attacker who is able to obtain cookies used for authentication may be able to impersonate a legitimate user and obtain sensitive data such as passwords or credit card information.
Apply a patch
Apply the patch referenced in MS04-038.
Disable Active scripting
At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, or any other software that uses the WebBrowser ActiveX control (WebOC) or the IE HTML rendering engine (MSHTML). Instructions for disabling Active scripting can be found in the Malicious Web Scripts FAQ.
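One way to verify this mitigation on a workstation, as an added example that is not part of the original advisory: the PowerShell function below reports the Active scripting setting (URL action 1400) for the Internet zone (3) and the Restricted sites zone (4) in each registry location that can define it. The function name `Get-ActiveScriptingState` is hypothetical; the zone numbers and the values 0 (enable), 1 (prompt) and 3 (disable) are the standard IE URL security zone settings.

```powershell
# Added example: audit the Active scripting URL action (1400) per IE security zone.
# Get-ActiveScriptingState is a hypothetical name, not a built-in cmdlet.
function Get-ActiveScriptingState {
    [CmdletBinding()]
    param(
        # Zones to audit: 3 = Internet, 4 = Restricted sites
        [int[]]$Zone = @(3, 4)
    )

    $zoneNames  = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                     3 = 'Internet'; 4 = 'Restricted sites' }
    $policyText = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
    $suffix     = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

    # Every location that can carry the value is reported, so a permissive
    # per-user setting is visible even when a machine policy also exists.
    $roots = @(
        "HKLM:\SOFTWARE\Policies\$suffix",
        "HKCU:\Software\Policies\$suffix",
        "HKCU:\Software\$suffix",
        "HKLM:\SOFTWARE\$suffix"
    )

    foreach ($z in $Zone) {
        $seen = $false
        foreach ($root in $roots) {
            $key  = "$root\$z"
            $prop = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }   # key or value absent in this hive

            $seen    = $true
            $raw     = [int]$prop.'1400'
            $setting = if ($policyText.ContainsKey($raw)) { $policyText[$raw] } else { "Unknown ($raw)" }
            [pscustomobject]@{
                Zone = $z; ZoneName = $zoneNames[$z]; Location = $key
                Setting = $setting; Compliant = ($raw -eq 3)
            }
        }
        if (-not $seen) {
            # No explicit value anywhere: treat as non-compliant and review manually.
            [pscustomobject]@{
                Zone = $z; ZoneName = $zoneNames[$z]; Location = '(not set)'
                Setting = 'Not configured'; Compliant = $false
            }
        }
    }
}

Get-ActiveScriptingState | Format-Table -AutoSize
```

Any row with `Compliant` set to `False` marks a location where Active scripting is not explicitly disabled for that zone.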
Apply the Outlook Email Security Update
Another way to effectively disable Active scripting and ActiveX controls in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting and ActiveX controls are disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.
Render email in plain text
Configure email client software (mail user agent [MUA]) to render email messages in plain text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly; however, script will not be evaluated, thus preventing certain types of attacks.
Maintain updated antivirus software
Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).
207264
Updated: October 19, 2004
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see MS04-038
This vulnerability was reported by Paul from GreyHats Security Group.
This document was written by Will Dormann and Art Manion.
CVE IDs: | CVE-2004-0727 |
---|---|
Severity Metric: | 59.06 |
Date Public: | |