CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
EPSS: 0.206 Low (Percentile: 96.3%)
Microsoft Internet Explorer (IE) includes several local HTML resources that contain cross-site scripting vulnerabilities. These resources use the dialogArguments property of dialog frames insecurely, allowing an attacker to execute arbitrary script in the Local Machine Zone.
Microsoft Internet Explorer (IE) includes local HTML code that is used by the browser. These code resources can be accessed from IE using the “res://” protocol. A number of these resources use the dialogArguments property of modal dialog frames insecurely, accepting script from untrusted HTML documents such as Internet web pages and email messages. Due to a separate vulnerability in the way dialog methods validate the source of dialog frames (VU#728563), script injected into these local resources via dialogArguments is executed in the Local Machine Zone.
In VU#728563, IE fails to correctly identify the source of modal dialog frames opened with the Redirect method or IFRAME elements. In VU#711843, local HTML resources accept script from modal dialog frames via the dialogArguments property. As a result, script from an attacker’s web page can be injected into local HTML resources and the script will execute in the Local Machine Zone.
The following local HTML resources in IE 6.0 are vulnerable:
res://shdoclc.dll/privacypolicy.dlg
res://shdoclc.dll/{policyerror.htm,policylooking.htm,policynone.htm,policysyntaxerror.htm}
MS02-023 (Q321232) prevents attacks that use the Redirect method against these resources in IE 6.0.
This local HTML resource in IE 5.01, 5.5, and 6.0 is vulnerable:
res://shdoclc.dll/analyze.dlg
MS02-047 (Q323759) prevents attacks that use the Redirect method against this resource in IE 5.01 and 5.5. MS02-023 does the same for IE 6.0.
MS03-004 (Q810847) includes the functionality of the MS02-023 and MS02-047 patches and prevents attacks that use IFRAME elements against all of the local HTML resources listed above. IE 5.01 is not vulnerable.
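To triage stored mail bodies, cached pages or proxy-logged redirect targets for references to the local resources listed above, the following Python sketch (an added example, not part of the original note) normalizes res:// URLs and matches them against that list. The function names, the sample string and the decision to also search a logged Location header are assumptions of this example.

```python
import html
import re
from urllib.parse import unquote

# Local resources named in the advisory, with the brace group written out.
BASE = "res://shdoclc.dll/"
IE6_ONLY = ("privacypolicy.dlg", "policyerror.htm", "policylooking.htm",
            "policynone.htm", "policysyntaxerror.htm")
VULNERABLE = {BASE + name: "IE 6.0" for name in IE6_ONLY}
VULNERABLE[BASE + "analyze.dlg"] = "IE 5.01, 5.5, 6.0"

RES_URL = re.compile(r"res://[^\s\"'<>()]+", re.I)
DIALOG_CALL = re.compile(r"\bshowMod(?:al|eless)Dialog\s*\(", re.I)
IFRAME_TAG = re.compile(r"<\s*iframe\b", re.I)


def listed_resources(text):
    """Return the advisory-listed res:// URLs referenced anywhere in text."""
    # Undo HTML entities and percent-encoding first; either one can hide the
    # scheme or file name from a plain substring search.
    decoded = unquote(html.unescape(text))
    found = set()
    for match in RES_URL.finditer(decoded):
        url = match.group(0).lower().replace("\\", "/")
        url = re.split(r"[?#]", url, maxsplit=1)[0]  # drop query/fragment
        if url in VULNERABLE:
            found.add(url)
    return sorted(found)


def scan_document(body, location_header=""):
    """Triage one HTML page or mail body plus an optional redirect target."""
    # Assumption: a redirect-based reference shows up in the logged Location
    # header rather than in the HTML, so both are searched.
    hits = listed_resources(body + "\n" + location_header)
    return {
        "resources": hits,
        "affected": sorted({VULNERABLE[u] for u in hits}),
        "dialog_call": bool(DIALOG_CALL.search(body)),
        "iframe": bool(IFRAME_TAG.search(body)),
    }


# Constructed sample: an HTML mail body with an entity-encoded reference.
SAMPLE_MAIL = '<iframe src="res&#58;//shdoclc.dll/Analyze.dlg"></iframe>'

if __name__ == "__main__":
    print(scan_document(SAMPLE_MAIL))
```

A hit means only that the document points at one of the listed resources; whether the host is still exposed depends on which of the patches above is installed.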
Internet Explorer, Outlook, Outlook Express, Eudora, Lotus Notes, AOL, and any other applications that host the WebBrowser control are affected.
Further information is available in advisories by Thor Larholm (TL#002), GreyMagic Software (GM#001-AX), and Liu Die Yu (BadParent).
An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could execute arbitrary script with privileges of the user in the security context of the Local Machine Zone. This technique could be used to read certain types of files in known locations on the user’s system. In conjunction with other vulnerabilities (VU#626395, VU#25249), the attacker could execute arbitrary commands on the user’s system.
Apply Patch
Apply 810847 or a more recent cumulative patch. See Microsoft Security Bulletin MS03-004 for more information.
Disable Active scripting
Active scripting is required to open a modal dialog frame and populate dialogArguments, which is a proven and well-publicized method of attack. At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, or any other email client that uses Internet Explorer or the WebBrowser control to render HTML. Instructions for disabling Active scripting can be found in the CERT/CC Malicious Web Scripts FAQ.
Apply the Outlook Email Security Update
Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.
Update HTML Help
To protect against arbitrary command execution, install an updated version of HTML Help (811630). As described in Microsoft Security Bulletin MS03-015, the updated HHCtrl ActiveX control disables the Shortcut command in a compiled help file that has been opened with the showHelp method:
* _Only supported protocols [http:, https:, file:, ftp:, ms-its:, or mk:@MSITStore:] can be used with showHelp to open a web page or help (chm) file._
* _The [shortcut](http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconshortcutov.asp) function supported by HTML Help will be disabled when the help file is opened with showHelp. This will not affect the shortcut functionality if the same CHM file is opened by the user manually by double-clicking on the help file, or through an application on the local system using the HTMLHELP( ) API._
Note that the patches referenced in MS03-004 and MS03-015 completely disable the showHelp method. After installing either one of these patches, Internet Explorer will not be able to open help files.
Restrict HTML Help commands
Notified: June 03, 2002 Updated: March 14, 2003
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see Microsoft Security Bulletins MS02-023 and MS02-047 and MS03-004. All of the vulnerable local HTML resources listed in VU#711843 are patched in IE 5.01, 5.5, and 6.0 by MS03-004.
This vulnerability was publicly reported by Thor Larholm.
This document was written by Art Manion and Shawn Van Ittersum.
CVE IDs: CVE-2002-0189
Severity Metric: 17.40
Date Public:
cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0189
cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0691
cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1326
microsoft.com/technet/security/bulletin/MS02-047.asp
microsoft.com/technet/security/bulletin/MS03-004.asp
msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemwebhttpresponseclassredirecttopic.asp
msdn.microsoft.com/workshop/author/dhtml/reference/methods/showmodaldialog.asp
msdn.microsoft.com/workshop/author/dhtml/reference/methods/showmodelessdialog.asp
msdn.microsoft.com/workshop/author/dhtml/reference/objects/iframe.asp
msdn.microsoft.com/workshop/author/dhtml/reference/properties/dialogarguments.asp
msdn.microsoft.com/workshop/author/dhtml/sec_dhtml.asp
msdn.microsoft.com/workshop/author/om/doc_object.asp
msdn.microsoft.com/workshop/author/om/windows_frames_dialogs.asp
msdn.microsoft.com/workshop/author/om/windows_frames_dialogs.asp#sec_dialogs
msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp
msdn.microsoft.com/workshop/browser/webbrowser/browser_control_ovw_entry.asp
msdn.microsoft.com/workshop/security/szone/overview/overview.asp#default_zones
online.securityfocus.com/bid/4527
online.securityfocus.com/bid/5561
security.greymagic.com/adv/gm001-ax/
support.microsoft.com/support/kb/articles/Q182/5/69.ASP
www.iss.net/security_center/static/9938.php
www.microsoft.com/technet/security/bulletin/MS02-023.asp
www.pivx.com/larholm/adv/TL002/default.htm
www.securityfocus.com/bid/6205
www16.brinkster.com/liudieyu/BadParent/BadParent-CONTENT.txt