Microsoft Internet Explorer (IE) dynamic HTML (DHTML) mouse events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. This vulnerability could allow an attacker to write arbitrary files to the local file system.
In IE, certain DHTML events monitor mouse actions and are permitted to call proprietary DHTML methods that manipulate window objects. This technique can be used to create "drag and drop" operations by moving a window under an object that has registered a mouse event.
In a publicly available exploit (HijackClick, 2003-09-10), a mouse event calls a script function that invokes methods to move and resize one browser window over another. The background window contains an object (in this case, the user's Favorites directory) instantiated by a reference to a ShellNameSpace ActiveX object. The result is a new bookmark (the address of the foreground window) added to the user's Favorites list (the object in the background window). Other objects expose the local file system in this manner, for example, the user's Startup folder (shell:startup).
The update issued in MS03-048 defeats this attack vector by denying mouse events access to certain proprietary window manipulation methods: window.resizeBy(), window.resizeTo(), window.moveBy(), and window.moveTo(). The patch does not, however, prevent mouse events from calling functions that reference these methods. Using a function to reference an otherwise inaccessible method has been termed "method caching" or "SaveRef." Method caching is used in a second exploit (HijackClickV2, 2003-11-25) to bypass the restriction imposed by the MS03-048 patch. A third exploit (HijackClick 3, 2004-07-12) uses the popup.show() method.
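The following model is added here to illustrate the design point behind the MS03-048 bypass; it is not IE's code and not any of the HijackClick exploits. It contrasts a check placed at the event-handler boundary (deny the four methods on whatever the handler is handed) with a check placed on the operation itself (the primitive refuses to run while a mouse event is being dispatched). The window objects, the `boundaryView` proxy, the `state.inMouseEvent` flag and the `demo()` driver are hypothetical simplifications; only the four method names and the idea of reaching a method through a separately defined function ("method caching") come from the text above. The page does not state how Windows XP SP2 implements its fix, so the operation-level variant is a general illustration, not a description of that patch.

```javascript
// Added model (not IE code, not HijackClick): a check at the event-handler
// boundary versus a check on the operation itself. The window objects, the
// proxy and the state flag are hypothetical simplifications for this example.

const RESTRICTED = ["moveTo", "moveBy", "resizeTo", "resizeBy"];
const state = { inMouseEvent: false }; // true while a mouse event is dispatched

// A minimal window: geometry plus the four manipulation primitives.
// With operationGuard set, each primitive refuses to run during a mouse
// event, regardless of which reference was used to reach it.
function makeWindow(name, { operationGuard = false } = {}) {
  const win = { name, x: 0, y: 0, w: 200, h: 100 };
  const ops = {
    moveTo: (x, y) => { win.x = x; win.y = y; },
    moveBy: (dx, dy) => { win.x += dx; win.y += dy; },
    resizeTo: (w, h) => { win.w = w; win.h = h; },
    resizeBy: (dw, dh) => { win.w += dw; win.h += dh; },
  };
  for (const m of RESTRICTED) {
    win[m] = (...args) => {
      if (operationGuard && state.inMouseEvent) {
        throw new Error(`${m} denied during mouse event`);
      }
      ops[m](...args);
    };
  }
  return win;
}

// Boundary-style check, in the spirit of MS03-048: the object handed to the
// handler denies the four methods, but the real methods stay untouched.
function boundaryView(win) {
  return new Proxy(win, {
    get(target, prop) {
      if (RESTRICTED.includes(prop)) {
        return () => { throw new Error(`${prop} denied in mouse event`); };
      }
      return Reflect.get(target, prop);
    },
  });
}

// Dispatch a mouse event: mark the dynamic context, hand the handler either
// the real window or the boundary view, then clear the context again.
function dispatchMouse(win, handler, { boundary = false } = {}) {
  state.inMouseEvent = true;
  try {
    handler(boundary ? boundaryView(win) : win);
  } finally {
    state.inMouseEvent = false;
  }
}

// Run one handler and report whether it was allowed and where the window ended up.
function attempt(win, handler, opts) {
  try {
    dispatchMouse(win, handler, opts);
    return { allowed: true, x: win.x };
  } catch (e) {
    return { allowed: false, x: win.x };
  }
}

function demo() {
  const results = {};

  // 1. No restriction: the handler moves the window directly.
  const w1 = makeWindow("background");
  results.unpatchedDirect = attempt(w1, (v) => v.moveTo(300, 300));

  // 2. The boundary check stops that same direct call.
  const w2 = makeWindow("background");
  results.boundaryDirect = attempt(w2, (v) => v.moveTo(300, 300), { boundary: true });

  // 3. Method caching / SaveRef: a function defined outside the handler keeps
  //    its own reference to the real window, so the boundary check never sees it.
  const w3 = makeWindow("background");
  const savedMoveTo = (x, y) => w3.moveTo(x, y);
  results.boundaryCached = attempt(w3, () => savedMoveTo(300, 300), { boundary: true });

  // 4. Operation-level check: the primitive itself refuses, so the cached
  //    reference fails as well.
  const w4 = makeWindow("background", { operationGuard: true });
  const savedMoveTo2 = (x, y) => w4.moveTo(x, y);
  results.operationCached = attempt(w4, () => savedMoveTo2(300, 300));

  // 5. Outside a mouse event the guarded primitive still works for ordinary page script.
  w4.moveTo(50, 50);
  results.operationOutsideEvent = w4.x;

  return results;
}
```

The lesson the model makes concrete: a restriction keyed to how script reaches a method (the object handed to the handler, or the immediate caller) is an allowlist on access paths, and an indirection such as a saved reference or a wrapper function is simply another path. A restriction attached to the capability itself, evaluated in the dynamic context of the event, holds no matter how many layers of script sit between the handler and the call.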
The first attack vector, demonstrated by HijackClick, is addressed in MS03-048, and is assigned CAN-2003-0823. The second attack vector, demonstrated by HijackClickV2, is addressed in MS04-004, and is assigned CAN-2003-1027. The third attack vector, demonstrated by HijackClick 3, is addressed by MS04-038 ("Script in Image Tag File Download Vulnerability") and Windows XP Service Pack 2, and is assigned CAN-2004-0841.
There seems to be one underlying vulnerability: Mouse events are allowed to manipulate windows to simulate a drag and drop operation. The user does not intentionally perform the operation, and receives no warning dialog. Simulated drag and drop operations can be used to copy arbitrary files from a browser window to the local file system. This is an indirect violation of the cross-domain security model, since script in one domain can transfer data into a different domain, including the Local Machine Zone.
By convincing a victim to click on a link in an HTML document (web page, HTML email), an attacker could write arbitrary files to a vulnerable system within the security context of the user running IE. These files could contain code that could be executed through other means. MS04-004 elaborates: "Although this code could not be executed through this vulnerability directly, the operating system might open the file if it is dropped to a sensitive location, or a user may click the file inadvertently, causing the attacker's code to be executed." One example of a "sensitive location" is the user's Startup folder (shell:startup).
In combination with a vulnerability in the way IE handles files for drag and drop operations (VU#526089), an attacker could write arbitrary files by convincing a user to click anywhere within the attacker's HTML document or on the scroll bar of the document window. Given the ability to spoof GUI elements, including the entire desktop (VU#490708), an attacker could easily convince a user to click on the attacker's HTML document.
Apply a patch
Apply the patch (834707) referenced in Microsoft Security Bulletin MS04-038 ("Script in Image Tag File Download Vulnerability").
Upgrade to Windows XP Service Pack 2
Service Pack 2 for Windows XP addresses all three attack vectors.
Disable Active scripting and ActiveX controls
For systems not running Windows XP SP2, disable Active scripting and ActiveX controls for untrusted sites. At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, or any other software that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML). Instructions for disabling Active scripting and ActiveX controls can be found in the Malicious Web Scripts FAQ.
Apply the Outlook Email Security Update
Another way to effectively disable Active scripting and ActiveX controls in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting and ActiveX controls are disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.
Render email in plain text
Configure email client software (mail user agent [MUA]) to render email messages in plain text. Instructions for configuring Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not display properly; however, script will not be evaluated, which prevents certain types of attacks.
Maintain updated antivirus software
Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, the graphical user interface (GUI), and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).
Vendor | Status | Date Notified | Date Updated
Microsoft Corporation | | 02 Feb 2004 | 13 Oct 2004
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
This vulnerability and the first two attack vectors (HijackClick and HijackClickV2) were publicly reported by Liu Die Yu. The third vector, HijackClick 3, was publicly reported by Paul. Thanks to Microsoft for information used in this document.
This document was written by Art Manion.