ms01-20
Posted Apr 7, 2001

Microsoft Security Advisory MS01-020 - A flaw in IE in handling unusual MIME types allows remote code execution via HTML email messages or when a user views a web page. Microsoft FAQ on this issue available here.

tags | remote, web, code execution
SHA-256 | 2348394d3873358f0f8d53efde2e12db0e0eea695122fa08a9ffb48e3c07c9a8

Microsoft Security Bulletin (MS01-020)

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment

Originally posted: March 29, 2001

Summary

Who should read this bulletin: Customers using Microsoft® Internet Explorer.

Impact of vulnerability: Run code of attacker's choice.

Recommendation: Customers using IE should install the patch immediately.

Affected Software:
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5

Note: Internet Explorer 5.01 Service Pack 2 is not affected by this vulnerability.

Technical details

Technical description:
Because HTML e-mails are simply web pages, IE can render them and open binary attachments
in a way that is appropriate to their MIME types. However, a flaw exists in the type of
processing that is specified for certain unusual MIME types. If an attacker created an
HTML e-mail containing an executable attachment, then modified the MIME header information
to specify that the attachment was one of the unusual MIME types that IE handles
incorrectly, IE would launch the attachment automatically when it rendered the e-mail.

An attacker could use this vulnerability in either of two scenarios. She could host an
affected HTML e-mail on a web site and try to persuade another user to visit it, at which
point script on a web page could open the mail and initiate the executable. Alternatively,
she could send the HTML mail directly to the user. In either case, the executable
attachment, if it ran, would be limited only by the user's permissions on the system.

Mitigating factors:
* The vulnerability could not be exploited if File Downloads have been disabled in the
Security Zone in which the e-mail is rendered. This is not a default setting in any zone,
however.

Vulnerability identifier: CAN-2001-0154

Tested Versions:
Microsoft tested IE 5.01 and IE 5.5 to assess whether they are affected by this
vulnerability. Previous versions are no longer supported and may or may not be affected by
this vulnerability.

Frequently asked questions

What's the scope of the vulnerability? This vulnerability could enable an attacker to
potentially run a program of her choice on the machine of another user. Such a program
would be capable of taking any action that the user himself could take on his machine,
including adding, changing or deleting data, communicating with web sites, or reformatting
the hard drive.

In order for the attacker to successfully attack the user via this vulnerability, she
would need to be able to persuade the user to either browse to a web site she controlled
or open an HTML e-mail that she had sent.

What causes the vulnerability?
If an HTML mail contains an executable attachment whose MIME type is incorrectly given as
one of several unusual types, a flaw in IE will cause the attachment to be executed
without displaying a warning dialogue.

Why is IE used to process HTML mails? I thought mail programs like Outlook and Outlook
Express were in charge of displaying mails.
In general, they are. Mail clients handle creating, sending, receiving and displaying
e-mail. There is one exception, however: they rely on IE to perform a process called
rendering if the mail is an HTML mail. Rendering is the process of processing and
displaying a web page. HTML mails are rendered by IE because they are essentially web
pages sent as mails. The flaw in this case involves how IE renders HTML mails.

What's the problem with how IE renders HTML mails?
If a mail contains an attachment, IE should provide the ability to open the attachment
when it renders the message. The precise meaning of "open" depends on the type of file. If
the attachment is a text file, IE should provide the ability to read it; if it's a video
clip, IE should provide the ability to view it; if it's a graphics file, IE should provide
the ability to display it; and so on.

Some types of attachments, such as executable files, are inherently dangerous. In these
cases, IE should only open the attachment if the user expressly asks to do so, and
confirms that he wants to open it. The flaw, however, enables this safeguard to be
circumvented by specifying an incorrect MIME type in the e-mail.

What's a MIME type?
Let's start with what MIME is. MIME is an acronym for Multipurpose Internet Mail
Extensions. It's a widely used Internet standard for encoding binary files as e-mail
attachments. When an e-mail contains a binary attachment, it must specify what type of
file the attachment is, so the mail program can interpret it correctly.

In the case of this vulnerability, IE doesn't correctly handle certain types of fairly
unusual MIME types. If an attacker created an e-mail message containing an executable
attachment, and specified that it was one of these MIME types, IE would execute the
attachment rather than prompting the user.
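The bulletin's root cause is a mismatch between the MIME type an attachment declares and what the attachment actually is. The following is an added example (not Microsoft's code, and not part of the original bulletin) of how a mail gateway or analyst script can surface that mismatch: it walks every part of an RFC 822 message, decides whether a part is an executable by its filename extension or its leading "MZ" bytes, and reports it, with a higher severity when the declared Content-Type says it is something else. The executable-extension list and the "honestly labelled" MIME types are illustrative assumptions, and the sample messages are constructed inline for the demonstration.

```python
"""Flag e-mail attachments whose declared MIME type disagrees with their content.

Added example for the MS01-020 write-up; not Microsoft's code. The sample messages
built by build_sample() are constructed here purely for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows treats as directly runnable (assumption: a short illustrative list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Declared types under which an executable attachment is at least honestly labelled
# (assumption: illustrative list, not a standard).
EXECUTABLE_MIME_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}
PE_MAGIC = b"MZ"  # first two bytes of a DOS/PE executable image


def check_part(part):
    """Inspect one non-multipart MIME part.

    Returns (severity, reason) for an executable attachment, or None when the part
    is not executable by either its extension or its leading bytes.
    """
    filename = part.get_filename() or ""
    declared = part.get_content_type()
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    payload = part.get_payload(decode=True) or b""

    is_executable = ext in EXECUTABLE_EXTENSIONS or payload.startswith(PE_MAGIC)
    if not is_executable:
        return None
    if declared in EXECUTABLE_MIME_TYPES:
        # Labelled as a binary: the client's normal download prompt applies.
        return ("warn", f"executable attachment {filename!r} ({declared})")
    # Executable content hiding behind an unrelated type: the MS01-020 pattern.
    return ("alert", f"executable attachment {filename!r} declared as {declared}")


def scan_message(raw):
    """Parse a raw RFC 822 message (bytes) and return findings for every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        result = check_part(part)
        if result is not None:
            findings.append(result)
    return findings


def build_sample(declared_maintype, declared_subtype):
    """Constructed sample: an HTML body plus a tiny PE-looking attachment whose
    Content-Type is whatever the caller declares."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample message"
    msg.set_content("<p>hello</p>", subtype="html")
    msg.add_attachment(
        PE_MAGIC + b"\x00" * 62,  # constructed stub, not a real program
        maintype=declared_maintype,
        subtype=declared_subtype,
        filename="update.exe",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for maintype, subtype in (("application", "octet-stream"), ("image", "gif")):
        for severity, reason in scan_message(build_sample(maintype, subtype)):
            print(f"[{severity}] {reason}")
```

The check deliberately trusts neither the extension nor the declared type on its own: a renamed binary is caught by the "MZ" prefix, and a binary declared as an image is caught by the extension and the prefix. A real gateway would extend the extension list and the honest-type list to its own policy.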

Would IE always execute the attachment?
No. IE would only execute the attachment if File Downloads were enabled in the Security
Zone that the e-mail was opened in. However, File Downloads are enabled in all zones by
default.

What would this vulnerability enable an attacker to do?
If an attacker created an e-mail that exploits this vulnerability, she could use it in an
attempt to run the executable attachment on another user's computer. She could try to do
this through either of two scenarios. First, she could host the HTML mail on her web site,
and try to persuade the user to visit it. Second, she could send the email directly to the
user.

What kind of actions could the attachment take if it ran?
The attachment would be able to take any action that the user himself could take on his
system. If he were an unprivileged user, it might be able to do very little. However, if
the user were an administrator on his system, the attachment would be able to do virtually
anything, including reformatting the hard drive.

Could an e-mail accidentally be created that would exploit this vulnerability?
No. To create such an e-mail, an attacker would need to create an e-mail containing an
executable attachment, then deliberately edit the MIME headers in the mail to be one of
the affected types.

What does the patch do?
The patch eliminates the vulnerability by correcting the table of MIME types and their
associated actions in IE. This has the effect of preventing emails from being able to
automatically launch executable attachments.

I've already installed IE 5.01 Service Pack 2. Do I need to install the patch?
No. The fix for this issue is included in IE 5.01 Service Pack 2. If you've already
installed it, you do not need to install the patch.

I heard that even after applying this patch, an e-mail could start a file download
automatically. Is this true?
Yes. However, this is not related to this vulnerability, and doesn't pose a security risk.
It's always possible for an e-mail to start a file download, and of course the author of
the mail can give the file a name that sounds innocuous. However, the file download cannot
actually begin unless and until the user selects a location to which it should be
downloaded, and clicks the OK button.

As a general rule, it is probably worth questioning the trustworthiness of any e-mail that
automatically starts a file download. The best action is to simply click the Cancel button
in the dialogue.

Patch availability

Download locations for this patch
* http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

Additional information about this patch

Installation platforms:
This patch can be installed on systems running Internet Explorer 5.01 Service Pack 1 or
Internet Explorer 5.5 Service Pack 1.

Inclusion in future service packs:
The fix for this issue is included in Internet Explorer 5.01 Service Pack 2 and will be
included in Internet Explorer 5.5 Service Pack 2.

Verifying patch installation:
* To verify that the patch has been installed on the machine, open IE, select Help, then
select About Internet Explorer and confirm that Q290108 is listed in the Update Versions
field.
* To verify the individual files, use the patch manifest provided in Knowledge Base article
Q290108.

Caveats:
If the patch is installed on a system running a version of IE other than the one it is
designed for, an error message will be displayed saying that the patch is not needed. This
message is incorrect, and customers who see this message should upgrade to a supported
version of IE and re-install the patches.

Localization:
Localized versions of this patch are under development. When completed, they will be
available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:
Patches for other security issues are available from the following locations:
* Security patches are available from the Microsoft Download Center, and can be most easily
found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site
* All patches available via WindowsUpdate also are available in a redistributable form from
the WindowsUpdate Corporate site.

Other information:

Acknowledgments

Microsoft thanks Juan Carlos Cuartango (http://www.kriptopolis.com) for reporting this
issue to us and working with us to protect customers.

Support:
* Microsoft Knowledge Base article Q290108 discusses this issue and will be available
approximately 24 hours after the release of this bulletin. Knowledge Base articles can be
found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product Support Services. There is no
charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose. In no
event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation may not
apply.

Revisions:
* V1.0 (March 29, 2001): Bulletin Created.
