Microsoft Internet Explorer does not properly handle function redirection

Overview

Microsoft Internet Explorer (IE) fails to properly validate redirected functions. The impact is similar to that of a cross-site scripting vulnerability, which allows an attacker to access data in other sites, including the Local Machine Zone.

Description

IE features Active scripting, the ability to process scripts contained in HTML documents. IE supports several scripting languages, including VBScript and JScript. JScript is similar to Netscape’s JavaScript and both languages played some part in the development of ECMAScript (ECMA-262). For security reasons, a script loaded from one site should not be able to access resources on another site, including the local client. In JavaScript, the Same Origin Policy protects clients by ensuring that “when loading a document from one origin, a script loaded from a different origin cannot get or set specific properties of specific browser and HTML objects in a window or frame.” IE implements a similar policy, adding the restriction that scripts are not allowed to access properties or objects across security zones.

IE is vulnerable to a cross-domain violation that involves redirected or cached functions. Rather than calling a script function directly, it is possible for one object to cache a reference to a function that resides in a different object, such as an IFRAME or a popup window. When the domain of the parent object (containing the cached reference) changes, IE incorrectly determines the source of the function based on the new domain of the cached reference. The function, contained in the object in the original domain, is executed in the context of the parent object (containing the cached reference), in the new domain. Because the object that invokes the script may be in a different domain than the object in which the script executes, the cross-domain security model is violated.

MS04-038 refers to this vulnerability as Similar Method Name Redirection Cross Domain Vulnerability. The vulnerability is similar to VU#162097 but uses a slightly different method to achieve the same results.

---

Impact

By convincing a user to follow a URL or read an HTML email message containing malicious script, an attacker could take any action with the privileges of the user executing the script. This could include opening new browser windows to different sites in different security zones, reading or modifying information in open browser windows, reading files on the local file system, and executing commands that are in a location known to the attacker. By leveraging capabilities provided by technologies such as ActiveX controls and the HTML Help system, an attacker could execute arbitrary code.

An attacker who is able to obtain cookies used for authentication may be able to impersonate a legitimate user and obtain sensitive data such as passwords or credit card information.

---

Solution

Apply a patch
Apply the patch referenced in MS04-038.

---

Disable Active scripting

At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, or any other software that uses the WebBrowser ActiveX control (WebOC) or the IE HTML rendering engine (MSHTML). Instructions for disabling Active scripting can be found in the Malicious Web Scripts FAQ.

Apply the Outlook Email Security Update

Another way to effectively disable Active scripting and ActiveX controls in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting and ActiveX controls are disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.

Render email in plain text

Configure email client software (mail user agent [MUA]) to render email messages in plaint text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly, however script will not be evaluated, thus preventing certain types of attacks.

Maintain updated antivirus software

Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

---

Vendor Information

207264

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Updated: October 19, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MS04-038

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23207264 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://freehost07.websamba.com/greyhats/similarmethodnameredir.htm&gt;
• <http://web.archive.org/web/20050221020004/http://freehost07.websamba.com/greyhats/similarmethodnameredir.htm&gt;
• <http://www.microsoft.com/technet/security/bulletin/ms04-038.mspx&gt;
• <http://secunia.com/advisories/12048/&gt;

Acknowledgements

This vulnerability was reported by Paul from GreyHats Security Group

This document was written by Will Dormann and Art Manion.

Other Information

CVE IDs:	CVE-2004-0727
Severity Metric:	59.06 Date Public: