Lucene search

Plebo Aesdi NaelVU:655100

HistoryJun 29, 2006 - 12:00 a.m.

Microsoft Internet Explorer fails to properly handle CLSID extensions

2006-06-2900:00:00

Plebo Aesdi Nael

www.kb.cert.org

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.969 High

EPSS

Percentile

99.7%

JSON

Overview

Microsoft Internet Explorer fails to properly handle directories with CLSID extensions. This may allow an attacker to bypass the warning dialog that Internet Explorer should display before executing downloaded code.

Description

CLSID

According to Microsoft MSDN, A CLSID is a “globally unique identifier (GUID) associated with an OLE class object.”

CLSID extensions

Prior to the update in Microsoft Security Bulletin MS04-024, a file could use a CLSID as a file extension and Windows Explorer would obey the CLSID when determining how to open the file. This can mislead the user into opening a dangerous file. After installing the update for MS04-024, Windows Explorer no longer obeys a CLSID as a file extension.

The problem

The MS04-024 update does not completely address the vulnerability. Directories can have a CLSID extension. Even with the MS04-024 update installed, Windows Explorer will treat a directory with a CLSID extension as a file of the type specified by the CLSID. Within the context of Windows Explorer, this can mislead the user with respect to what is on the local filesystem. However, within the context of Internet Explorer, this technique can be used to bypass the warning dialog that Internet Explorer should display before executing downloaded code. Publicly available proof-of-concept code uses an SMB share and requires the user to double-click within the browser window.

Impact

By convincing a user to access a specially crafted web page with Internet Explorer, an attacker may be able to execute arbitrary code with the privileges of the user.

Solution

Apply an update
This vulnerability is addressed in Microsoft Security Bulletin MS06-045. With this update, Windows Explorer (and in turn, Internet Explorer) will prompt before executing code specified by a directory with a CLSID extension.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Block or restrict access

Block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block a commonly known attack vector.

Vendor Information

655100

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: June 29, 2006 Updated: August 08, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS06-045.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23655100 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

[[<a href=“http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj”>http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/ PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj</a>]](<[<a href=“http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj”>http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/ PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj</a>]>)
<http://secunia.com/advisories/20825/>
http://isc.sans.org/diary.php?storyid=1448&rss
<http://windowssdk.msdn.microsoft.com/en-us/library/ms691424.aspx>
<http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx>

Acknowledgements

This vulnerability was publicly disclosed by Plebo Aesdi Nael.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2006-3281
Severity Metric:	10.80 Date Public:

References

isc.sans.org/diary.php?storyid=1448&rss

secunia.com/advisories/20825/

windowssdk.msdn.microsoft.com/en-us/library/ms691424.aspx

www.microsoft.com/technet/security/bulletin/MS04-024.mspx

[<a href="lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj">http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/ PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj</a>]