CVSS2 Base Score: 5.0 (Medium)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 0.007 (Low), Percentile: 79.5%
A vulnerability in the way Microsoft Internet Explorer (IE) handles window ornament parameters in dialog frames allows script from a dialog frame opened in one domain to execute in a different domain, including the Local Machine Zone. The script could read certain local files and data from other web sites (e.g. cookies). In the presence of other vulnerabilities (VU#626395, VU#25249), the script could execute arbitrary commands.
Microsoft Internet Explorer provides two methods (showModalDialog and showModelessDialog) that can be used to display dialog box frames. Both methods require a URI parameter that specifies the source of the dialog frame's content. The methods may optionally specify "window ornaments" that control different aspects of the dialog frame's appearance (position, dimensions, font settings, etc.).
A dialog frame is subject to the security restrictions of the DHTML Object Model: script executing in one frame cannot access data in a frame from a different domain or loaded over a different protocol. The dialog methods may specify a source URI in a different domain than the parent frame; the security restrictions should nonetheless prevent script in either frame from accessing data in the other.
IE does not adequately validate window ornament parameters in dialog frames. Script included in the window ornament parameters of a dialog frame opened from one domain is permitted to access data in the different domain specified by the dialog frame's source URI.
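The following is an added illustration of the defensive pattern implied by the paragraphs above; it is not code from CERT/CC, Microsoft, or the referenced writeups. It treats the window ornament string (the sFeatures argument of showModalDialog/showModelessDialog) as untrusted input and accepts only a fixed set of ornament names with literal values, so that no value can carry executable content whatever its syntax. The ornament names follow the MSDN sFeatures documentation; the per-value grammars, the sameOrigin and vetDialogRequest helpers, and the sample strings are assumptions of this example.

```javascript
// Added illustration for this note (not code from CERT/CC, Microsoft, or the
// referenced writeups).  A strict parser for the "window ornament" string
// (the sFeatures argument of showModalDialog / showModelessDialog).  The
// defect described above is that IE interpreted ornament values in the
// dialog document's security context, so a value carrying executable content
// ran in the dialog URI's domain.  The defensive pattern is an allowlist of
// ornament names and a literal-only grammar per value, so that no value can
// carry code regardless of its syntax.
//
// ASSUMPTIONS: ornament names follow the MSDN sFeatures documentation; the
// value grammars are conservative choices of this example, not Microsoft's.

const ORNAMENTS = {
  dialogHeight: /^\d+(\.\d+)?(px|pt|em|in|cm|mm)$/,
  dialogWidth:  /^\d+(\.\d+)?(px|pt|em|in|cm|mm)$/,
  dialogLeft:   /^\d+(\.\d+)?(px|pt|em|in|cm|mm)$/,
  dialogTop:    /^\d+(\.\d+)?(px|pt|em|in|cm|mm)$/,
  center:       /^(yes|no|1|0|on|off)$/,
  dialogHide:   /^(yes|no|1|0|on|off)$/,
  help:         /^(yes|no|1|0|on|off)$/,
  resizable:    /^(yes|no|1|0|on|off)$/,
  scroll:       /^(yes|no|1|0|on|off)$/,
  status:       /^(yes|no|1|0|on|off)$/,
  unadorned:    /^(yes|no|1|0|on|off)$/,
  edge:         /^(sunken|raised)$/,
};

// Parse "name:value;name:value" into a plain object, throwing on anything
// that is not a known ornament with a literal value.  Handing the caller a
// parsed object instead of the raw string is what closes the channel: the
// untrusted text never reaches the style engine.
function parseDialogFeatures(features) {
  const out = {};
  for (const raw of String(features).split(';')) {
    const item = raw.trim();
    if (item === '') continue;                       // tolerate a trailing ';'
    const colon = item.indexOf(':');
    if (colon < 0) throw new Error(`malformed feature: ${item}`);
    const name = item.slice(0, colon).trim();
    const value = item.slice(colon + 1).trim();
    // hasOwnProperty, not ORNAMENTS[name]: "constructor" etc. must not match
    if (!Object.prototype.hasOwnProperty.call(ORNAMENTS, name)) {
      throw new Error(`unknown ornament: ${name}`);
    }
    if (!ORNAMENTS[name].test(value)) {
      throw new Error(`non-literal value for ${name}: ${value}`);
    }
    out[name] = value;
  }
  return out;
}

// The DHTML Object Model restriction the note relies on: scheme, host and
// port must all match for two documents to script each other.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Gate a dialog request: parse (and so sanitise) the ornaments, and report
// whether the dialog's source URI is cross-origin to the opener.
function vetDialogRequest(openerUrl, dialogUrl, features) {
  return {
    crossOrigin: !sameOrigin(openerUrl, dialogUrl),
    features: parseDialogFeatures(features),
  };
}

// Constructed samples (not taken from the referenced writeups).
const BENIGN  = 'dialogWidth:300px; dialogHeight:200px; center:yes';
// A value that is not a plain literal; an IE-era CSS expression() is used
// here only as an example of script-capable style text.
const HOSTILE = 'dialogWidth:expression(alert(document.cookie))';

function classify(features) {
  try {
    parseDialogFeatures(features);
    return 'accepted';
  } catch (e) {
    return `rejected: ${e.message}`;
  }
}

console.log(classify(BENIGN));   // accepted
console.log(classify(HOSTILE));  // rejected: non-literal value for dialogWidth: ...
```

The allowlist lookup deliberately uses hasOwnProperty rather than a bare property read, so names such as "constructor" or "__proto__" cannot resolve through Object.prototype and slip past the check.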
Internet Explorer, Outlook, Outlook Express, MSN Messenger, Eudora, Lotus Notes, Adobe PhotoDeluxe, AOL, and any other software that hosts the WebBrowser ActiveX control could be affected by this vulnerability.
Further information is available in the examples by Thor Larholm (dialog style XSS) and Liu Die Yu (Poisonous Style) listed in the references.
An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could read data from a different domain, including the Local Machine Zone. The attacker could read cookies from other web sites and certain types of local files. The attacker’s HTML document would need to reside in a zone in which Active scripting was enabled.
In conjunction with other vulnerabilities (VU#626395, VU#25249), the attacker could execute arbitrary commands on the user’s system.
Apply Patch
Apply Q813489 or a more recent cumulative patch. See Microsoft Security Bulletin MS03-015 for more information.
Disable Active scripting
Active scripting is required to call the showModalDialog and showModelessDialog methods, so disabling it prevents the attack. At a minimum, disable Active scripting in the Internet zone and in the zone used by Outlook, Outlook Express, or any other email client that uses Internet Explorer or the WebBrowser control to render HTML. Instructions for disabling Active scripting can be found in the CERT/CC Malicious Web Scripts FAQ.
Apply the Outlook Email Security Update
Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.
Update HTML Help
To protect against arbitrary command execution, install an updated version of HTML Help (811630). As described in Microsoft Security Bulletin MS03-015, the updated HHCtrl ActiveX control disables the Shortcut command in a compiled help file that has been opened with the showHelp method:
* Only supported protocols (http:, https:, file:, ftp:, ms-its:, or mk:@MSITStore:) can be used with showHelp to open a web page or help (chm) file.
* The shortcut function (msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconshortcutov.asp) supported by HTML Help will be disabled when the help file is opened with showHelp. This will not affect the shortcut functionality if the same CHM file is opened by the user manually by double-clicking on the help file, or through an application on the local system using the HTMLHELP( ) API.
Note that the patches referenced in MS03-004 and MS03-015 completely disable the showHelp method. After installing either patch, Internet Explorer will not be able to open help files via showHelp.
Restrict HTML Help commands
Updated: May 05, 2003
Vendor: Microsoft Corporation (Affected)
Please see Microsoft Security Bulletin MS03-015.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
This vulnerability was publicly reported by Liu Die Yu.
This document was written by Art Manion.
CVE IDs: CVE-2003-0116
Severity Metric: 16.73
Date Public:
References
jscript.dk/2002/11/sec/diemodalstyleXSS.html
liudieyuinchina.vip.sina.com/PoisonousSTYLEforDialog/PoisonousSTYLEforDialog-Content.txt
liudieyuinchina.vip.sina.com/PoisonousSTYLEforDialog/PoisonousSTYLEforDialog-MyPage.htm
msdn.microsoft.com/workshop/author/dhtml/reference/methods/showmodaldialog.asp
msdn.microsoft.com/workshop/author/dhtml/reference/methods/showmodelessdialog.asp
www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-015.asp
www.securityfocus.com/archive/1/301945/2002-11-29/2002-12-05/0
www16.brinkster.com/liudieyu/PoisonousSTYLEforDialog/PoisonousSTYLEforDialog-Content.txt
www16.brinkster.com/liudieyu/PoisonousSTYLEforDialog/PoisonousSTYLEforDialog-MyPage.htm