Nasty IFRAME flaw in Internet Explorer rated "extremely critical"

This edition of The Locksmith breaks down the details on a critical new Internet Explorer IFRAME flaw.

A new critical vulnerability in Internet Explorer 6.0 has been exposed. Exploits for the flaw have already been published. However, while it's possible to mitigate damage from this flaw, no complete method of protection is currently available.

Details

US-CERT has released a vulnerability report, VU#842160, concerning the newly disclosed exploit in Internet Explorer 6.0. The problem is tied to a buffer overflow caused by poor boundary error handling in <FRAME> and/or <IFRAME> HTML tags and is very serious, both because it can allow a remote attacker to run arbitrary code on the compromised system and also because the exploit was published in some hacker chats before being reported by security firms.

US-CERT describes the problem as follows: "A heap buffer overflow vulnerability exists in the way IE handles the SRC and NAME attributes of FRAME and IFRAME elements. Publicly available exploit code uses JavaScript to prepare heap memory with blocks that consist of NOP slides and shell code. After mishandling overly long SRC and NAME attributes, IE de-references a memory address that may fall within one of the prepared heap blocks, running through the NOP slide and executing the attacker's shell code. Without the ability to prepare the heap blocks, attacks become significantly more difficult."
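As an added example (not code from the column, US-CERT or Microsoft), the following content filter flags the condition US-CERT describes above, an unusually long SRC or NAME attribute on a FRAME or IFRAME element, so that a mail gateway or proxy can inspect HTML before it reaches IE. The 256-byte threshold and the sample documents are assumptions constructed for illustration.

```python
# Added example: flag HTML whose FRAME/IFRAME elements carry oversized SRC or
# NAME attributes, the trigger condition described for VU#842160.
# MAX_ATTR_LEN is an assumed threshold, not a value from the advisory.
from html.parser import HTMLParser

MAX_ATTR_LEN = 256                      # assumed; legitimate values are far shorter
WATCHED_TAGS = {"frame", "iframe"}
WATCHED_ATTRS = {"src", "name"}


class FrameAttrScanner(HTMLParser):
    """Collect (tag, attribute, length) for every oversized SRC/NAME on FRAME/IFRAME."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag not in WATCHED_TAGS:
            return
        for name, value in attrs:
            if name in WATCHED_ATTRS and value is not None and len(value) > MAX_ATTR_LEN:
                self.findings.append((tag, name, len(value)))


def scan_html(document: str):
    """Return a list of (tag, attr, length) findings; an empty list means nothing oversized."""
    scanner = FrameAttrScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


def is_suspicious(document: str) -> bool:
    """True when the document should be quarantined or rendered as plain text."""
    return bool(scan_html(document))


# Constructed samples: an ordinary frame, and one with a 2019-character SRC.
BENIGN = '<html><body><iframe src="http://example.com/news.html" name="news"></iframe></body></html>'
OVERSIZED = '<html><body><iframe src="http://example.com/' + "A" * 2000 + '" name="x"></iframe></body></html>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, is_suspicious(doc), scan_html(doc))
```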

A Microsoft spokesperson responded by telling me that "Microsoft is investigating new public reports of a possible vulnerability in Internet Explorer. We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports."

"Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."

The Redmond software giant also expressed concern that this was made public in an irresponsible way rather than notifying the vendor in private first, "potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

AUS-CERT (Australia CERT), US-CERT, and Secunia all published this vulnerability, but not until after exploits had been circulating in the hacker community. So while it is desirable to notify vendors first, once a proof of concept has been published on the Net, many users feel it is vital that security sites get the news out as soon as possible so that IT professionals can take the needed precautions.

Microsoft concluded their comments to me as follows, "Customers who believe they may have been affected can contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge by using the PC Safety line (1-866-PCSAFETY) and international customers by using any method found at: http://support.microsoft.com."

Applicability

Secunia specifically reports that this vulnerability is found in IE 6.0 running on Windows 2000 and on Windows XP (even XP with Service Pack 1 installed), but the Secunia report (as well as the US-CERT report) also states that XP SP2 is not vulnerable.

US-CERT also warns that the same vulnerability may exist in any other application that uses the WebBrowser ActiveX control, such as Microsoft Outlook, Outlook Express, AOL, and Lotus Notes.

AUS-CERT verifies that XP SP2 is not vulnerable to this particular exploit, which has been published as a proof of concept, but warns that in the future more sophisticated attacks on the same flaw may find that XP SP2 is vulnerable.

Risk level – Very serious to critical

Secunia labels this issue "extremely critical." Exploiting this vulnerability will probably cause IE to crash, but a fully successful attack would also allow the attacker to execute arbitrary code on the system. Antivirus software is unlikely to catch this threat.

Mitigating factors

Windows XP with SP2 installed is apparently not vulnerable, so if you install SP2 on your Windows XP systems then you may be able to avoid this threat.

The attacker would have to attract victims to a malicious Web site or get them to open an HTML e-mail, both of which are practices that you should train your users to be very cautious about.

Fix – Partial

There is no complete solution to this problem yet, according to both Secunia and US-CERT reports, but it's obvious that opening all e-mail in plain text mode will eliminate the major attack vector. You can also disable active scripting and update Windows XP to SP2. AUS-CERT also suggests the use of an alternative Web browser as a solution.

Final word

This report certainly makes me feel less foolish for having swapped out a new hard drive and doing a clean install of Windows XP Pro, then installing SP2 on it two weeks ago. That is now my main working system unless or until I run into problems with SP2. (So far, so good – I've encountered no real problems with SP2, although I know others are having serious problems.)


Also watch for …

  • Cisco hackers known as the Source Code Club are now offering source code for Cisco PIX firewall version 6.3.1 for $24,000, as told in this News.com report.
  • The National Security Agency's Systems and Network Attack Center division has published a 109-page document that covers secure installation of Apple Computer's Mac OS X Version 10.3.x (Panther – mostly BSD Unix). The server version isn't as secure as the end-user installation when you use the default settings, so this is an important tool for administrators responsible for a locally administered OS X network.
