Microsoft Security Advisory (923762) Microsoft Security Advisory (923762): Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit Published: August 22, 2006
On August 15, 2006 Microsoft announced that it would be re-releasing MS06-042 Tuesday, August 22, 2006 to address an issue affecting Internet Explorer 6 Service Pack 1 customers discussed in Microsoft Knowledge Base Article 923762. Due to an issue discovered in final testing, Microsoft will not be re-releasing MS06-042 today. This update will be re-released for Internet Explorer 6 Service Pack 1 when it meets an appropriate level of quality for broad distribution.
Microsoft is also aware of public reports that this issue can lead to a buffer overrun condition for Internet Explorer 6 Service Pack 1 customers that have applied MS06-042. We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time. Microsoft is aggressively investigating the public reports. Only customers using Internet Explorer 6.0 SP1 are affected, all other customers should continue their deployments of MS06-042. Customers using Internet Explorer 6.0 SP 1 should continue their deployment of MS06-042 and follow the existing guidance provided in Knowledge Base article 923762 and the Suggested Actions section of this Security Advisory. General Information
Purpose of Advisory: To provide customers with initial notification of the the vulnerability and the status of a revised version of MS06-042 for Internet Explorer 6 Service Pack 1 customers.
Advisory Status: Under Investigation.
Recommendation: Please review the Suggested Actions and Knowledge Base article 923762 References Identification
Microsoft Knowledge Base Article
This advisory discusses the following software. Related Software
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1 Top of sectionTop of section
Mitigating Factors for Long URL Buffer Overflow Vulnerability - CVE-2006-3869: •
This vulnerability only affects Internet Explorer 6 Service Pack 1 with MS06-042 updates applied. •
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site. •
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. •
The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.
By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed. Top of sectionTop of section
Workarounds for Long URL Buffer Overflow Vulnerability - CVE-2006-3869:
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section. •
Disable the HTTP 1.1 protocol in Internet Explorer.
This vulnerability only occurs when visiting websites using HTTP 1.1 and compression. To disable HTTP 1.1 within Internet Explorer follow these steps: •
In Internet Explorer, click Tools, click Internet Options, and then click the Advanced tab. •
Uncheck Use HTTP 1.1 and Use HTTP 1.1 through proxy connections. •
Click Ok. •
Impact of Workaround: Websites requiring use of the HTTP 1.1 protocol or proxies requiring the HTTP 1.1 protocol will no longer be accessible through Internet Explorer. Top of sectionTop of section
FAQ for Long URL Buffer Overflow Vulnerability - CVE-2006-3869:
What is the scope of the vulnerability? This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
What causes the vulnerability? When Internet Explorer handles processes long URLs when navigating to websites using the HTTP 1.1 protocol and compression, it may corrupt system memory in such a way that an attacker could execute arbitrary code.
What might an attacker use the vulnerability to do? An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
How could an attacker exploit the vulnerability? An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site. This can also include Web sites that accept user-provided content or advertisements, Web sites that host user-provided content or advertisements, and compromised Web sites. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
What systems are primarily at risk from the vulnerability? Only Internet Explorer 6 Service Pack 1 systems are at risk to this vulnerability. This vulnerability requires a user to be logged on and visiting a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer 6 Service Pack 1 is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.
Has Microsoft received any reports that this vulnerability was being exploited? No. While Microsoft was aware of customers experiencing application compatibility issues as a result of this issue, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued. Top of sectionTop of section •
Customers who believe they may have been affected can contact Product Support Services. You can contact Product Support Services in the United States and Canada for help with security update issues or viruses at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.
All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled automatic updates will automatically receive all Windows Updates. For more information about security updates, visit http://www.microsoft.com/security/ •
We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps at Protect Your PC Web site. •
For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page. Top of sectionTop of section
You can provide feedback by completing the form by visiting the following Web site. •
Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site. •
International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site. •
The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
August 22, 2006: Advisory published