Metric | Value |
---|---|
CVSS2 | 5.1 Medium |
Access Vector | NETWORK |
Access Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:H/Au:N/C:P/I:P/A:P |
EPSS | 0.969 High |
Percentile | 99.7% |
Microsoft Internet Explorer fails to properly handle directories with CLSID extensions. This may allow an attacker to bypass the warning dialog that Internet Explorer should display before executing downloaded code.
CLSID
According to Microsoft MSDN, a CLSID is a “globally unique identifier (GUID) associated with an OLE class object.”
CLSID extensions
Prior to the update in Microsoft Security Bulletin MS04-024, a file could use a CLSID as a file extension and Windows Explorer would obey the CLSID when determining how to open the file. This can mislead the user into opening a dangerous file. After installing the update for MS04-024, Windows Explorer no longer obeys a CLSID as a file extension.
The problem
The MS04-024 update does not completely address the vulnerability. Directories can have a CLSID extension. Even with the MS04-024 update installed, Windows Explorer will treat a directory with a CLSID extension as a file of the type specified by the CLSID. Within the context of Windows Explorer, this can mislead the user with respect to what is on the local filesystem. However, within the context of Internet Explorer, this technique can be used to bypass the warning dialog that Internet Explorer should display before executing downloaded code. Publicly available proof-of-concept code uses an SMB share and requires the user to double-click within the browser window.
By convincing a user to access a specially crafted web page with Internet Explorer, an attacker may be able to execute arbitrary code with the privileges of the user.
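A defender-side check for the naming pattern described above, as an added example that is not part of the original note: it walks a directory tree (a download folder or file share, say) and lists directories and files whose names end in a CLSID extension. It assumes the extension takes the `.{GUID}` form; the function names and the sample GUID are constructed for illustration.

```python
import os
import re
import tempfile

# A trailing ".{8-4-4-4-12 hex}" on a name is the CLSID-extension form assumed here.
CLSID_EXT = re.compile(
    r"\.\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$"
)

def clsid_extension(name):
    """Return the CLSID (upper-cased, no braces) used as an extension, or None."""
    m = CLSID_EXT.search(name)
    return m.group(1).upper() if m else None

def find_clsid_named_entries(root):
    """Walk root and report every directory or file whose name ends in a CLSID extension.

    Returns sorted (kind, relative_path, clsid) tuples; kind is "dir" or "file".
    Directories are the case left open after MS04-024; files are the earlier case.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for kind, names in (("dir", dirnames), ("file", filenames)):
            for name in names:
                clsid = clsid_extension(name)
                if clsid:
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    findings.append((kind, rel.replace(os.sep, "/"), clsid))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample tree; the GUID below is a made-up value, not a registered class."""
    guid = "{12345678-abcd-4ef0-9abc-0123456789ab}"
    os.makedirs(os.path.join(root, "docs", "report" + "." + guid))
    os.makedirs(os.path.join(root, "docs", "plain.folder"))
    os.makedirs(os.path.join(root, guid))  # bare GUID name, no "." prefix: not an extension
    for rel in ("notes.txt", "old." + guid, "docs/{not-a-guid}.txt"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("sample\n")
    return guid

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, path, clsid in find_clsid_named_entries(tmp):
            print(f"{kind:4} {path}  CLSID={clsid}")
```

Each reported CLSID can then be compared against the classes registered on the host to see what type Windows Explorer would present the entry as.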
Apply an update
This vulnerability is addressed in Microsoft Security Bulletin MS06-045. With this update, Windows Explorer (and in turn, Internet Explorer) will prompt before executing code specified by a directory with a CLSID extension.
Do not follow unsolicited links
In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
Block or restrict access
Block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block a commonly known attack vector.
655100
Notified: June 29, 2006 Updated: August 08, 2006
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see Microsoft Security Bulletin MS06-045.
This vulnerability was publicly disclosed by Plebo Aesdi Nael.
This document was written by Will Dormann.
CVE IDs: | CVE-2006-3281 |
---|---|
Severity Metric: | 10.80 |
Date Public: | |
isc.sans.org/diary.php?storyid=1448&rss
secunia.com/advisories/20825/
windowssdk.msdn.microsoft.com/en-us/library/ms691424.aspx
www.microsoft.com/technet/security/bulletin/MS04-024.mspx
lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj