[SECURITY-L] CAIS Alert: Exploitation of Internet Explorer Vulnerability (IN-2003-04)

Security Team - UNICAMP security em unicamp.br
Thu Oct 2 09:21:49 -03 2003


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS Alert: Exploitation of Internet Explorer Vulnerability (IN-2003-04)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Wed, 1 Oct 2003 17:51:47 -0300 (BRT)


Dear all,

CAIS is forwarding CERT Incident Note IN-2003-04, Exploitation of
Internet Explorer Vulnerability, which addresses the increase in hacker
activity based on exploitation of the Microsoft Internet Explorer
vulnerability that allows an attacker to execute arbitrary code on the
compromised machine.

According to CERT/CC, attackers are exploiting the vulnerability reported
in Vulnerability Note VU#865940 to gain access to systems and make them
launch DoS attacks or dial up services that can cause a variety of losses,
including financial ones, for users.

The attached Incident Note presents some workarounds for the vulnerability
in question, since the fixes made available by the vendor are not
sufficient to _fully_ correct the problem.

Below is the list of alerts and additional references related to the
subject addressed in that Incident Note:

	. Alert forwarded by CAIS: Microsoft Security Bulletin MS03-032
	  "Cumulative Patch for Internet Explorer (822925)"
	  http://www.rnp.br/cais/alertas/2003/MS03-032.html

	. Alert forwarded by CAIS: CERT Advisory CA-2003-22
	  "Multiple Vulnerabilities in Microsoft Internet Explorer"
	  http://www.rnp.br/cais/alertas/2003/CA200322.html

	. CERT Vulnerability Note VU#865940
	  http://www.kb.cert.org/vuls/id/865940


More information can be found at:

	http://www.cert.org/incident_notes/IN-2003-04.html

CAIS reminds administrators and users of the need to keep their systems
and applications always up to date, according to the information and
fixes made available by the respective vendors. It is worth emphasizing
the importance of keeping antivirus software installed and up to date.

Finally, since the issue addressed in this alert does not yet have a known
solution, CAIS will be following the development of the matter and keeping
you informed about it.

Best regards,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available at   http://www.rnp.br/cais/cais-pgp.key   #
################################################################


CERT® Incident Note IN-2003-04

The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

Exploitation of Internet Explorer Vulnerability

Release Date: October 1, 2003

Overview

The CERT/CC has received reports indicating that attackers are actively
exploiting the Microsoft Internet Explorer vulnerability described in
VU#865940.

Description

Reports to the CERT/CC indicate that attackers are leveraging the
vulnerability described in VU#865940 to cause victim systems to perform
various tasks. These attacks include the installation of tools for
launching distributed denial-of-service (DDoS) attacks and the use of the
victim system's modem to dial pay-per-minute services thereby incurring
significant expense to users. By convincing a user running a vulnerable
version of Microsoft Internet Explorer (IE) to view an HTML document
(e.g., a web page or HTML email), a remote attacker could execute
arbitrary code with the privileges of the user.

The vulnerability described in VU#865940 exists due to an interaction
between IE's MIME type processing and the way it handles HTML application
(HTA) files embedded in OBJECT tags. When an HTA file is referenced by the
DATA attribute of an OBJECT element, and the web server returns the
Content-Type header set to application/hta, IE may execute the HTA file
directly, without user intervention. The HTML used to reference the HTA
file can be created in at least three ways:

   1. The HTML can be static
   2. The HTML can be generated by script
      (<http://lists.netsys.com/pipermail/full-disclosure/2003-September/009639.html>)
   3. The HTML can be generated by Data Binding an XML source to an HTML
      consumer
      (<http://lists.netsys.com/pipermail/full-disclosure/2003-September/009665.html>)

The extension of the HTA file does not affect this behavior, for example
<OBJECT DATA="somefile.jpg"> (where somefile.jpg is a text file containing
HTML code). IE security zone settings for ActiveX controls may prevent an
HTA from being executed in this manner.

Additional details on VU#865940 can be found in the Vulnerability Note.

Any program that uses the WebBrowser ActiveX control or the IE HTML
rendering engine (MSHTML) may be affected by this vulnerability. Outlook
and Outlook Express are affected; however, recent versions of these
programs open mail in the Restricted sites zone, where ActiveX controls and
plug-ins are disabled by default.

Although Microsoft has released a cumulative patch for Internet Explorer
(see MS03-032) that stops HTAs from executing in one case in which static
HTML is used to create an OBJECT element referencing the HTA, the patch
does not prevent HTAs from executing in the cases when the requisite HTML
is generated by script or by Data Binding. We have confirmed reports of
attackers exploiting the Data Binding method.

Solutions

The CERT/CC is unaware of a complete solution for this vulnerability.

Apply patch

The cumulative patch (822925) referenced in Microsoft Security Bulletin
MS03-032 (released on 2003-08-20) stops HTAs from executing in one case in
which static HTML is used to create an OBJECT element referencing the HTA
(1). The patch does not prevent HTAs from executing in at least two other
cases in which the requisite HTML is generated by script (2) or by Data
Binding (3). The CERT/CC recommends that users and administrators take
additional steps to protect against exploitation via the latter methods.

Additional steps for users

Disable ActiveX controls and plug-ins

It appears that disabling the "Run ActiveX controls and plug-ins" setting
will prevent OBJECT elements from being instantiated, thus preventing
exploitation of this vulnerability. Disable "Run ActiveX controls and
plug-ins" in the Internet zone and any zone used to read HTML email. Note
that there may be other attack vectors that are not governed by the "Run
ActiveX controls and plug-ins" setting.

Apply the Outlook Email Security Update

Another way to effectively disable ActiveX controls and plug-ins in
Outlook is to install the Outlook Email Security Update. The update
configures Outlook to open email messages in the Restricted Sites Zone,
where Active scripting is disabled by default. In addition, the update
provides further protection against malicious code that attempts to
propagate via Outlook. The Outlook Email Security Update is available for
Outlook 98 and Outlook 2000. The functionality of the Outlook Email
Security Update is included in Outlook 2002 and Outlook Express 6.

Maintain updated antivirus software

Antivirus software with updated virus definitions may identify and prevent
some exploit attempts. Variations of exploits or attack vectors may not be
detected. Do not rely on antivirus software to defend against this
vulnerability. The CERT/CC maintains a partial list of antivirus vendors.

Additional steps for system administrators

The following steps are recommended for system administrators and advanced
users.

Unmap HTA MIME type

Deleting or renaming the following registry key prevents HTAs from
executing in the three cases listed above:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta

Note that there may be other attack vectors that do not rely on this MIME
setting.

Block Content-Type headers

Use an application layer firewall, HTTP proxy, or similar technology to
block or modify HTTP Content-Type headers with the value
"application/hta". This technique may not work for encrypted HTTP
connections and it may break applications that require the
"application/hta" Content-Type header.
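As an added example (not code from the CERT note or the CAIS message), the following is a minimal response filter in the spirit of the "block or modify Content-Type headers" workaround that a proxy could apply to each HTTP response before it reaches the browser. It matches the media type case-insensitively and ignoring parameters, handles folded and repeated headers, and either replaces the response with a 403 or relabels it with an inert type; the choice of text/plain as the replacement and the sample responses are constructed assumptions, and, as the note says, nothing like this helps on encrypted connections.

```python
HTA_MEDIA_TYPE = "application/hta"
SAFE_MEDIA_TYPE = "text/plain"  # assumption: inert relabel the browser will not hand to mshta.exe

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # folded continuation line (RFC 2616)
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def media_type(value: str) -> str:
    """'Application/HTA; charset=x' -> 'application/hta': the type is case-insensitive
    and parameters do not change how the browser treats the body."""
    return value.split(";", 1)[0].strip().lower()

def serves_hta(headers) -> bool:
    """True if any Content-Type header (possibly repeated) names application/hta."""
    return any(name.lower() == "content-type" and media_type(value) == HTA_MEDIA_TYPE
               for name, value in headers)

def build_response(status: str, headers, body: bytes) -> bytes:
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in headers])
    return head.encode("latin-1") + b"\r\n\r\n" + body

def filter_response(raw: bytes, mode: str = "block"):
    """Return (response to deliver, was_hta). 'block' swaps in a 403;
    'rewrite' keeps the body but relabels it so the browser treats it as text."""
    status, headers, body = parse_response(raw)
    if not serves_hta(headers):
        return raw, False
    if mode == "block":
        msg = b"Blocked: application/hta response (IN-2003-04 workaround)\r\n"
        hdrs = [("Content-Type", "text/plain"), ("Content-Length", str(len(msg)))]
        return build_response("HTTP/1.1 403 Forbidden", hdrs, msg), True
    relabelled = [(n, SAFE_MEDIA_TYPE if n.lower() == "content-type" else v)
                  for n, v in headers]
    return build_response(status, relabelled, body), True

# Constructed samples: the first is how a server handing out an HTA would answer.
SAMPLE_HTA = (b"HTTP/1.1 200 OK\r\nServer: test\r\n"
              b"Content-type: Application/HTA; charset=iso-8859-1\r\n\r\n<html><body></body></html>")
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
```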

Block mshta.exe

Use a host-based firewall to deny network access to the HTA host:
%SystemRoot%\system32\mshta.exe. Examining network traces of known attack
vectors, it seems that the exploit HTML/HTA code is accessed three times,
twice by IE and once by mshta.exe. The HTA is instantiated at some point
before the third access attempt. Blocking mshta.exe prevents the third
access attempt, which appears to prevent the exploit code from being
loaded into the HTA. There may be other attack vectors that circumvent this
workaround. For example, a vulnerability that allowed data in the browser
cache to be loaded into the HTA could remove the need for mshta.exe to
access the network. This technique may break applications that require
HTAs to access the network. Also, specific host-based firewalls may or may
not properly block mshta.exe from accessing the network.

Recovering from a system compromise

If you believe a system under your administrative control has been
compromised, please follow the Steps for Recovering from a UNIX or NT
System Compromise.

Reporting

The CERT/CC is tracking activity related to this worm as CERT#35432.
Relevant artifacts or activity can be sent to cert em cert.org with the
appropriate CERT# in the subject line.

Authors: Allen Householder and Art Manion

This document is available from:
http://www.cert.org/incident_notes/IN-2003-04.html

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our
public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from our
web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send
email to majordomo em cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
and Trademark Office.

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
University makes no warranties of any kind, either expressed or implied as
to any matter including, but not limited to, warranty of fitness for a
particular purpose or merchantability, exclusivity or results obtained
from use of the material. Carnegie Mellon University does not make any
warranty of any kind with respect to freedom from patent, trademark, or
copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright ©2003 Carnegie Mellon University.



----- End forwarded message -----


