CERT Vulnerability Note VU#932283

Microsoft Internet Explorer HTML rendering engine contains buffer overflow processing SRC attribute of HTML <EMBED> directive

Published: 2002-02-14 00:00:00 (Feb 14, 2002)
Source: www.kb.cert.org

Severity: 7.5 High (CVSS2)

CVSS2 base metrics:
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.096 Low (percentile 94.8%)

Overview

The Microsoft Internet Explorer HTML rendering engine contains a vulnerability in its handling of the SRC attribute of the HTML <EMBED> directive. An attacker who is able to convince a user to read a malicious HTML file may be able to crash Internet Explorer or execute arbitrary code with the user’s privileges.

Description

Web pages and HTML email messages typically contain HTML text, but may include other documents using the <EMBED> directive. For example, a MIDI sound file might be embedded in a web page with the following HTML code:

<EMBED SRC="/path/sound.mid" AUTOSTART="true">

SECURITY.NNOV has reported that the Internet Explorer HTML rendering engine (mshtml.dll) does not properly handle the SRC attribute of the <EMBED> directive. An HTML document, such as a web page or HTML email message, containing a crafted SRC attribute can trigger a buffer overflow, executing code with the privileges of the user running the rendering engine. Microsoft Internet Explorer, Outlook, Outlook Express, compiled HTML help files (.chm), and other email clients and applications that use the Internet Explorer HTML rendering engine may be vulnerable. Note that Internet Explorer for Macintosh and Internet Explorer for Unix are not vulnerable.

This vulnerability is also addressed in CERT Advisory CA-2002-04.
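A defender-side check for the condition described above, as an added example that is not part of the CERT/CC note and not Microsoft code: it parses an HTML page or the text/html parts of a MIME mail message, measures the SRC attribute of every <EMBED> tag, and flags values beyond a length threshold so a mail gateway or proxy can quarantine the document before a vulnerable rendering engine sees it. The 512-character threshold, the sample inputs and the function names are assumptions, not values from the note.

```python
"""Scan HTML pages and HTML e-mail for <EMBED> tags with oversized SRC attributes.

Added example for VU#932283; not CERT/CC or Microsoft code.  The length
threshold is an assumption chosen for illustration.
"""
from dataclasses import dataclass
from email import message_from_string
from html.parser import HTMLParser
from typing import List

# Assumption: a legitimate SRC path or URL is rarely longer than a few hundred
# characters, so an EMBED whose SRC is far beyond that is worth quarantining
# for review instead of handing to the rendering engine.
SRC_LENGTH_THRESHOLD = 512


@dataclass
class EmbedFinding:
    line: int         # line of the HTML source where the tag starts
    src_length: int   # length of the SRC attribute value in characters
    suspicious: bool  # True when src_length exceeds the threshold
    src_preview: str  # first 40 characters of SRC, for the analyst


class EmbedSrcScanner(HTMLParser):
    """Record every <EMBED> start tag and measure its SRC attribute."""

    def __init__(self, threshold: int = SRC_LENGTH_THRESHOLD) -> None:
        super().__init__(convert_charrefs=True)
        self.threshold = threshold
        self.findings: List[EmbedFinding] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <EMBED SRC=...>
        # and <embed src=...> are treated alike.
        if tag != "embed":
            return
        src = next((v for k, v in attrs if k == "src" and v is not None), "")
        line, _ = self.getpos()
        self.findings.append(EmbedFinding(
            line=line,
            src_length=len(src),
            suspicious=len(src) > self.threshold,
            src_preview=src[:40],
        ))


def scan_html(html: str, threshold: int = SRC_LENGTH_THRESHOLD) -> List[EmbedFinding]:
    """Return one finding per <EMBED> tag in the document."""
    scanner = EmbedSrcScanner(threshold)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_email(raw_message: str, threshold: int = SRC_LENGTH_THRESHOLD) -> List[EmbedFinding]:
    """Walk a MIME message and scan every text/html part, as a mail gateway would."""
    message = message_from_string(raw_message)
    findings: List[EmbedFinding] = []
    for part in message.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        findings.extend(scan_html(payload.decode(charset, errors="replace"), threshold))
    return findings


def verdict(findings: List[EmbedFinding]) -> str:
    """'quarantine' if any EMBED SRC exceeds the threshold, otherwise 'allow'."""
    return "quarantine" if any(f.suspicious for f in findings) else "allow"


# Constructed sample inputs (not real captures).
BENIGN_PAGE = '<html><body><EMBED SRC="/path/sound.mid" AUTOSTART="true"></body></html>'
OVERSIZED_PAGE = '<html><body>\n<embed src="' + "A" * 2000 + '" autostart="true"></body></html>'
SAMPLE_EMAIL = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n"
    "--b1\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "\n"
    "plain-text alternative\n"
    "--b1\n"
    'Content-Type: text/html; charset="us-ascii"\n'
    "\n"
    '<html><body><EMBED SRC="' + "A" * 1500 + '"></body></html>\n'
    "--b1--\n"
)

if __name__ == "__main__":
    for label, findings in [
        ("benign page", scan_html(BENIGN_PAGE)),
        ("oversized page", scan_html(OVERSIZED_PAGE)),
        ("sample e-mail", scan_email(SAMPLE_EMAIL)),
    ]:
        print(f"{label}: {verdict(findings)}")
        for f in findings:
            state = "suspicious" if f.suspicious else "ok"
            print(f"  line {f.line}: SRC length {f.src_length} ({state}) {f.src_preview!r}")
```

The note does not state the size of the buffer that mshtml.dll overflows, so the threshold is a triage heuristic rather than a boundary derived from the engine; the scan is a compensating control for a gateway in front of clients that cannot take the MS02-005 patch promptly, not a replacement for it.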


Impact

By convincing a user to view a malicious HTML document, an attacker could cause the Internet Explorer HTML rendering engine to crash or execute arbitrary code. This technique could be used to distribute viruses, worms, or other malicious code. Any code executed through this vulnerability would run with the privileges of the user who viewed the HTML document.


Solution

Apply Patch
Apply the appropriate patch as referenced in Microsoft Security Advisory MS02-005.


Disable “Run ActiveX Controls and Plugins”

In Internet Explorer, a plugin is used to view, play, or otherwise process embedded documents. The execution of embedded documents is controlled by the “Run ActiveX Controls and Plugins” security option. Disabling this option will prevent embedded documents from being processed, and therefore prevent this vulnerability from being exploited. At a minimum, disable the “Run ActiveX Controls and Plugins” security option in the Internet zone and the zone used by Outlook or Outlook Express. Instructions on how to set the security level for the Internet zone to “High” can be found in the CERT/CC Malicious Web Scripts FAQ. In the “High” security level, the “Run ActiveX Controls and Plugins” security option is disabled.

From MS02-005:

The vulnerability could not be exploited if the “Run ActiveX Controls and Plugins” security option were disabled in the Security Zone in which the page was rendered. This is the default condition in the Restricted Sites Zone, and can be disabled manually in any other Zone.

Apply Outlook Email Security Update

Outlook 2002 and Outlook Express 6, and Outlook 98 and 2000 with the Outlook Email Security Update applied, open email messages in the Restricted Sites Zone. The “Run ActiveX Controls and Plugins” security option is disabled by default in the Restricted Sites Zone.


Vendor Information


AOL Time Warner: Affected

Notified: March 05, 2002 Updated: March 29, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

In testing, the CERT/CC found that AOL 7.0 software may install a customized version of Internet Explorer 5.5 (5.50.4134.600IS). This version of Internet Explorer does not seem to be vulnerable. However, AOL 7.0 software on a system running Internet Explorer 5.5 SP2 (5.50.4807.2300) does appear to be vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23932283 Feedback>).

Microsoft: Affected

Notified: December 20, 2001 Updated: March 05, 2002

Status

Affected

Vendor Statement

Microsoft has released Security Bulletin MS02-005 and Knowledge Base Article Q317731.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Internet Explorer for Macintosh and Internet Explorer for Unix are not vulnerable.


Cyrusoft: Not Affected

Notified: February 22, 2002 Updated: February 25, 2002

Status

Not Affected

Vendor Statement

Our email client Mulberry does not use the core HTML rendering engine library for its HTML display, and so is not affected by the bug in that library. Having looked at the details of this alert I can also confirm that our own HTML rendering engine is not affected by this, as it ignores the relevant tags.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Lotus: Unknown

Notified: February 22, 2002 Updated: February 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


QUALCOMM: Unknown

Notified: February 22, 2002 Updated: February 25, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



Acknowledgements

The CERT/CC thanks ERRor and DarkZorro of domain Hell and 3APA3A of SECURITY.NNOV for reporting this issue to us.

This document was written by Art Manion and Ian A. Finlay.

Other Information

CVE IDs: CVE-2002-0022
CERT Advisory: CA-2002-04
Severity Metric: 7.5 High (CVSS2 AV:N/AC:L/Au:N/C:P/I:P/A:P; EPSS 0.096 Low, percentile 94.8%)