Microsoft Internet Explorer does not properly validate source of URL stored in Travel Log

Overview

Microsoft Internet Explorer (IE) does not properly determine the source of script used in URLs stored in the “Travel Log.” An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.

Description

IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. From Microsoft Security Bulletin MS04-004:

One of the principal security functions of a browser is to ensure that browser windows that are under the control of different Web sites cannot interfere with each other or access each other’s data, while allowing windows from the same site to interact with each other. To differentiate between cooperative and uncooperative browser windows, the concept of a “domain” has been created. A domain is a security boundary - any open windows within the same domain can interact with each other, but windows from different domains cannot. The cross-domain security model is the part of the security architecture that keeps windows from different domains from interfering with each other.
IE can evaluate script contained in a URL. For example, either of the following URLs will display an alert dialog containing the text “Hello world.”:

> `javascript:eval(‘alert(“Hello world.”)’)

javascript:alert(“Hello world.”)`

This URL will display an alert dialog with the contents of the HTTP cookie for the current site:

> javascript:alert(document.cookie)

The cross-domain security model should not allow script from one domain to read or modify data in a different domain using this type of “script URL”.

IE hosts an instance of the WebBrowser ActiveX control, which includes technology called the “Travel Log.” From MS04-004:

Internet Explorer’s travel log is an interface that maintains a navigation stack for the WebBrowser control. This stack is used by Internet Explorer to maintain a list of recently visited sites. For example, the History tab in Internet Explorer is built based on information from the travel log.
The IE cross-domain security model does not properly validate the source domain of the URLs stored on the travel log stack. Script in a URL stored in the travel log can be executed in the context of a different domain, including the Local Machine Zone.

The MS03-048 patch prevents script URLs from being directly stored in the travel log. It still possible, however, to use other techniques, such as frames (BackToFramedJpu) or certain DHTML methods (Andreas Sandblad #12), to store script URLs in the travel log. These two attack vectors are blocked by the MS04-004 patch.

An attacker could exploit this vulnerability using a crafted HTML document containing script. Due to the way IE determines the MIME type of a file referenced by a URL, an HTML document may not necessarily have the expected file name extension (.html or .htm).

Any program that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected; however, recent versions of these programs open mail in the Restricted Sites Zone where ActiveX controls and Active scripting are disabled by default.

---

Impact

By convincing a victim to view an HTML document (web page, HTML email), an attacker could evaluate script in a different security domain than the one containing the attacker’s document. If the script is evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. The attacker could also read or modify data in other web sites (read cookies/content, modify/create content, etc.).

---

Solution

Apply patch
Apply the patch (832894) referenced in Microsoft Security Bulletin MS04-004 or a more recent IE cumulative patch.

---

Disable Active scripting and ActiveX controls

Disable Active scripting and ActiveX controls for untrusted sites. At a minimum, disable Active scripting in the Internet Zone and the zone used by Outlook, Outlook Express, or any other software that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML). Instructions for disabling Active scripting and ActiveX controls can be found in the CERT/CC Malicious Web Scripts FAQ.

Apply the Outlook Email Security Update

Another way to effectively disable Active scripting and ActiveX controls in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting and ActiveX controls are disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.

Render email in plain text

Configure email client software (mail user agent [MUA]) to render email messages in plaint text. Instructions to configure Outlook 2002 and Outlook Express 6 are available in Microsoft Knowledge Base Articles 307594 and 291387, respectively. HTML-formatted email messages may not appear properly, however script will not be evaluated, thus preventing certain types of attacks.

Maintain updated antivirus software

Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability. The CERT/CC maintains a partial list of antivirus vendors.

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).

---

Vendor Information

784102

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: November 25, 2003 Updated: February 02, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS04-004.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23784102 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/archive/1/345617&gt;
• <http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu/BackToFramedJpu-Content.htm&gt;
• <http://www.securityfocus.com/archive/1/352460&gt;
• <http://www.microsoft.com/technet/security/bulletin/MS04-004.asp&gt;
• <http://msdn.microsoft.com/workshop/browser/travellog/travellog.asp&gt;
• <http://msdn.microsoft.com/workshop/browser/webbrowser/browser_control_ovw_entry.asp&gt;
• <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp&gt;
• <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp#SecurityZones&gt;
• <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp#default_zones&gt;
• <http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/navigateandfind.asp&gt;
• <http://support.microsoft.com/?kbid=307594&gt;
• <http://support.microsoft.com/?kbid=291387&gt;
• <http://support.microsoft.com/?kbid=831167&gt;
• <http://xforce.iss.net/xforce/xfdb/13846&gt;
• <http://www.securityfocus.com/bid/9109&gt;
• <http://www.secunia.com/advisories/10289/&gt;

Acknowledgements

This vulnerability was publicly reported by Liu Die Yu. Thanks to Microsoft for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2003-1026
Severity Metric:	41.01 Date Public: