Microsoft Internet Explorer (IE) fails to properly validate redirected functions. The impact is similar to that of a cross-site scripting vulnerability, which allows an attacker to access data in other sites, including the Local Machine Zone.
IE is vulnerable to a cross-domain violation that involves redirected or cached functions. Rather than calling a script function directly, it is possible for one object to cache a reference to a function that resides in a different object, such as an IFRAME or a popup window. When the domain of the parent object (containing the cached reference) changes, IE incorrectly determines the source of the function based on the new domain of the cached reference. The function, contained in the object in the original domain, is executed in the context of the parent object (containing the cached reference), in the new domain. Because the object that invokes the script may be in a different domain than the object in which the script executes, the cross-domain security model is violated.
MS04-038 refers to this vulnerability as Similar Method Name Redirection Cross Domain Vulnerability. The vulnerability is similar to VU#162097 but uses a slightly different method to achieve the same results.
By convincing a user to follow a URL or read an HTML email message containing malicious script, an attacker could take any action with the privileges of the user executing the script. This could include opening new browser windows to different sites in different security zones, reading or modifying information in open browser windows, reading files on the local file system, and executing commands that are in a location known to the attacker. By leveraging capabilities provided by technologies such as ActiveX controls and the HTML Help system, an attacker could execute arbitrary code.
An attacker who is able to obtain cookies used for authentication may be able to impersonate a legitimate user and obtain sensitive data such as passwords or credit card information.
Apply a patch
Apply the patch referenced in MS04-038.
Disable Active scripting
At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, or any other software that uses the WebBrowser ActiveX control (WebOC) or the IE HTML rendering engine (MSHTML). Instructions for disabling Active scripting can be found in the Malicious Web Scripts FAQ.
Apply the Outlook Email Security Update
Another way to effectively disable Active scripting and ActiveX controls in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting and ActiveX controls are disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.
Render email in plain text
Configure email client software (mail user agent [MUA]) to render email messages in plaint text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly, however script will not be evaluated, thus preventing certain types of attacks.
Maintain updated antivirus software
Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).
Vendor| Status| Date Notified| Date Updated
Microsoft Corporation| | -| 19 Oct 2004
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
This vulnerability was reported by Paul from GreyHats Security Group
This document was written by Will Dormann and Art Manion.