Microsoft Internet Explorer does not safely handle multiple file download requests

Overview

A problem in the way Microsoft Internet Explorer handles a large number of file download requests could result in the execution of arbitrary code on a vulnerable system.

Description

When Internet Explorer (IE) follows a link to an executable file (.exe), a dialog window is displayed that prompts the user to open the file, save the file, or cancel the operation. When handling a sufficiently large number of file download requests, IE eventually fails to display the dialog window and executes the specified file without user intervention. A dialog is displayed for each download request, and it may be possible to terminate the IE process before the file is executed. Publicly available examples use large numbers of frames (FRAME or IFRAME elements) to generate download requests.

Other software that uses the WebBrowser ActiveX control may be affected.

Microsoft has addressed this vulnerability in Microsoft Security Bulletin MS03-020.

---

Impact

An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could execute arbitrary code with the privileges of the user. Resource exhaustion caused by the large number of download requests could also cause a denial of service.

---

Solution

Apply Patch
Apply Q818529 or a more recent cumulative patch. See Microsoft Security Bulletin MS03-020 for more information.

---

Disable File Downloads

To manually disable file downloads for the current user:

Tools –> Internet Options –> Security tab –> (select zone) –> Custom Level –> Downloads –> File download –> Disable
The file download option is set on a per-user, per-zone basis. The following registry value controls the file download setting for the current user in the Internet Zone:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1803
Setting this value to 3 disables file downloads in the Internet Zone for the currently logged on user. Details about security zone registry settings can be found in Microsoft Knowledge Base Article 182569. More information about IE security zones is available in Introduction to URL Security Zones.

Configure Outlook and Outlook Express to open email messages in the Restricted Sites Zone, where file downloads are disabled by default. This change can be made manually or as part of the Outlook Email Security Update for Outlook 98 and Outlook 2000. Outlook 2002 and Outlook Express 6 use the Restricted Sites Zone and by default.

Note that a different vulnerability could allow the file download restriction in Outlook and Outlook Express to be bypassed. If file downloads are disabled in the zone used by Outlook and Outlook Express but enabled in the zone containing the attacker’s executable file, a specially crafted email message could generate enough download requests to execute the attacker’s file. It is important to disable file downloads in both the zone used by Outlook and Outlook Express and the zone(s) used by IE to browse untrusted sites.

---

Vendor Information

251788

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: May 13, 2003 Updated: June 04, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS03-020.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23251788 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/archive/1/320981/2003-05-06/2003-05-12/0&gt;
• <http://www.securityfocus.com/archive/1/321532/2003-05-13/2003-05-19/0&gt;
• <http://www.securityfocus.com/archive/1/321662/2003-05-13/2003-05-19/0&gt;
• <http://www.microsoft.com/technet/security/bulletin/MS03-020.asp&gt;
• <http://support.microsoft.com/default.aspx?scid=kb;en-us;818529&gt;
• <http://support.microsoft.com/?kbid=182569&gt;
• <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp&gt;
• <http://www.secunia.com/advisories/8807/&gt;
• <http://www.securityfocus.com/bid/7539&gt;

Acknowledgements

This vulnerability was publicly reported by Marek Bialoglowy.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2003-0309
Severity Metric:	51.84 Date Public: