IE MIME table flaw opens door to hackers

In days past, if you didn't open an executable attachment, you were safe from malicious e-mail. However, a new vulnerability in Internet Explorer can allow attachments to run if you open an HTML e-mail or visit a Web site that uses a new MIME flaw.

Following close on the revelation that Internet Explorer 5 can disclose the location of cache files to hackers comes the news of a major flaw in the way IE deals with Multipurpose Internet Mail Extensions (MIME), the most widely used e-mail file format.

The problem
As described in Microsoft security bulletin MS01-020, by falsifying a MIME header, a hacker could cause an HTML e-mail with an executable attachment to automatically run when you open the e-mail.

This is due to a flaw in the way IE deals with a few unusual MIME file types.

Danger level—extreme
Since this flaw allows any knowledgeable hacker to essentially run any code he or she wants on your system, this is a major security threat. On most systems (depending on the permissions the legitimate user has), this would allow the hacker to add, delete, or modify files or even reformat the entire hard drive, because the code can do anything the local user can do.

To wreak such havoc, the hacker needs to convince the user to either open an HTML e-mail or visit a Web site that contains the malicious code.

There will be no warning dialog box displayed before the HTML code is rendered or the malicious code downloaded and executed!

As Microsoft points out:
“An attacker could use this vulnerability in either of two scenarios. She could host an affected HTML e-mail on a Web site and try to persuade another user to visit it, at which point script on a Web page could open the mail and initiate the executable. Alternatively, she could send the HTML mail directly to the user. In either case, the executable attachment, if it ran, would be limited only by [the] user’s permissions on the system.”

If you run IE 5.01 or IE 5.5, this threatens your systems. Earlier versions of IE may also be vulnerable, but Microsoft doesn’t test or report on them. It’s very likely that all versions of IE 4 are at risk.

If you’ve updated IE 5.01 by installing IE 5.01 Service Pack 2, you’re safe and don’t require the patch, but if you have only installed IE 5.01 SP1, IE 5.01 is still vulnerable. IE 5.5 installations are vulnerable even if they have IE 5.5 SP1.

It’s important to remember that this vulnerability applies even if you use Outlook or Outlook Express to manage your e-mail because these programs use IE to render any HTML code in e-mails.

The fix
Disabling file downloads would block this problem, but that’s not the default in any IE security zone. (See below for an explanation of security zones.)

Not accepting HTML e-mail and refusing to visit untrusted Web sites would also work, but since e-mail sender addresses can be hijacked, you would need to block all HTML e-mails, not just those from untrusted sources.

The only practical fix is to download and install the Microsoft patch as described in MS01-020.

Understanding the threat
IE must be able to open “safe” HTML file types in order to correctly display Web pages and HTML e-mail. This is the whole purpose of Explorer, and the software contains security settings that allow the software to automatically display text files, play video clips, etc., all of which are safe to open.

MIME is the most common method of encoding binary files as e-mail attachments. So that the receiving program can correctly interpret each segment, including HTML code, the MIME header first specifies just what the file contains.

Executable code is not normally permitted to automatically run, but the danger with this recently discovered flaw is that by manipulating the MIME header, a hacker can trick Explorer into opening malicious code masquerading as one of the less common but still “safe” MIME types.
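A mail gateway can check for this kind of masquerading before a message reaches the client. The following is an added example, not code from Microsoft or from this article: it flags MIME parts whose declared type and file name disagree. The article does not name the affected MIME types, so the type families, the extension list, and the sample message are all assumptions constructed for illustration.

```python
from email import message_from_string

# Assumption: type families a mail client renders or plays without prompting.
# The article does not name the affected types; this set is illustrative.
INLINE_FAMILIES = {"text", "image", "audio", "video"}
# Assumption: file extensions Windows treats as directly executable.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample message; the attachment bodies are harmless placeholders.
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>hello</body></html>
--b1
Content-Type: audio/x-wav; name="report.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.exe"

cGxhY2Vob2xkZXI=
--b1
Content-Type: image/png; name="logo.png"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

def mismatched_parts(raw):
    """Return (declared_type, filename) for every part that declares an
    inline-rendered type but carries an executable file name."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition, then falls back to the
        # "name" parameter of Content-Type.
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if part.get_content_maintype() in INLINE_FAMILIES and ext in EXECUTABLE_EXTS:
            findings.append((part.get_content_type(), name))
    return findings
```

A gateway would quarantine or strip any part this function returns; the check complements the patch and does not replace it.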

The patch corrects the problem by altering IE’s MIME table to block e-mail attachments and Web sites that automatically download and execute programs.

Even with the patch installed, IE will still automatically begin the download of files as a default setting—but the vital difference is that this will bring up the usual permission dialog box requiring the user to specify a location to save the file and to give explicit permission to perform the download. Even if the file is downloaded, it will not execute automatically.

This is exactly what happens when you go to a Web site to download files, except that it begins automatically. Since nothing can actually happen unless the user gives specific permission to download the file, this is not a security flaw; it is normal operation.

Note that if you attempt to install the patch on unsupported versions of IE, the program will report that the patch is not needed—but this is a false message generated because the patch doesn’t support IE 4.x. Microsoft recommends that all users upgrade to IE 5 so security patches can be properly applied.

Security zones
Starting with IE 4, Microsoft’s browser divides the Internet into various security zones. Different zones have different security settings, and users can assign various Web sites to different zones, automatically granting or denying them various permissions, such as the ability to download files or run ActiveX.

Although this MIME attack could be defeated by configuring security zones so that they won’t download files, this is not the default setting for any security zone.

The various zones and default IE security settings are as follows:
  • Intranet (medium security)
  • Trusted Sites (low security)
  • Restricted Sites (high security)
  • Internet Zone—essentially unknown sites (medium security)
  • Local Zone—which includes files on your local computer (no restrictions)

Configuring IE security consists of either accepting these default zone settings or altering the default settings (by clicking Tools | Internet Options | Security). You can change the global security level for any zone or make detailed adjustments to the permissions granted. This detailed configuration process includes about 80 settings. The process is simple, but deciding which settings to change is extremely complex. The second step in configuring IE security is to assign individual or classes of Web sites to the various zones.

Bottom line: Everyone who reads HTML mail or uses a Web browser should have this patch applied on their machine.
