A new critical vulnerability in Internet Explorer 6.0 has
been disclosed, and exploit code for the flaw has already been published. While
it is possible to reduce the exposure, no complete protection is currently
available.


US-CERT has released a
vulnerability note, VU#842160,
concerning the newly disclosed flaw in Internet Explorer 6.0. The problem is
a heap buffer overflow caused by poor boundary checking of the
<FRAME> and <IFRAME> HTML tags, and it is very serious, both because
it allows a remote attacker to run arbitrary code on the compromised system
and because the exploit was published in hacker chat channels before being
reported by security firms.

US-CERT describes the problem as follows: “A heap buffer
overflow vulnerability exists in the way IE handles the SRC and NAME attributes
of FRAME and IFRAME elements. Publicly available exploit code uses JavaScript
to prepare heap memory with blocks that consist of NOP slides and shell code.
After mishandling overly long SRC and NAME attributes, IE de-references a
memory address that may fall within one of the prepared heap blocks, running
through the NOP slide and executing the attacker’s shell code. Without the
ability to prepare the heap blocks, attacks become significantly more
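
The technique US-CERT describes is easier to reason about with a model. The following block is an added example, not code from the advisory or from the published exploit: it "sprays" a simulated heap with identical blocks of NOPs followed by a stand-in payload, then simulates IE jumping to an approximately known address and walks the bytes instead of executing anything. The block size, block count and the ASCII payload marker are constructed for this example.

```javascript
// Added model of the heap-spray technique US-CERT describes: the exploit fills the heap with many
// identical blocks, each a long run of x86 NOPs (0x90) followed by shellcode, so that a mishandled
// pointer landing anywhere in a block slides into the payload. Nothing here runs machine code;
// "execution" is simulated by walking bytes. Block size, block count and the ASCII stand-in for
// shellcode are constructed for this example and are not taken from the published exploit.

const NOP = 0x90;            // x86 single-byte nop
const JUNK = 0xcc;           // x86 int3; stands in for an unprepared heap, where landing means a crash
const SHELLCODE = Uint8Array.from("STAND-IN-SHELLCODE", (c) => c.charCodeAt(0)); // constructed marker
const BLOCK_SIZE = 4096;
const BLOCK_COUNT = 64;
const SLIDE_LEN = BLOCK_SIZE - SHELLCODE.length;

// One spray block: a slide of `slideByte` followed by the payload at the end.
function makeBlock(slideByte) {
  const block = new Uint8Array(BLOCK_SIZE);
  block.fill(slideByte, 0, SLIDE_LEN);
  block.set(SHELLCODE, SLIDE_LEN);
  return block;
}

// "Prepare" the heap: copy the same block back to back BLOCK_COUNT times, as the exploit's
// JavaScript does by allocating many identical strings.
function sprayHeap(slideByte = NOP, count = BLOCK_COUNT) {
  const heap = new Uint8Array(BLOCK_SIZE * count);
  const block = makeBlock(slideByte);
  for (let i = 0; i < count; i++) heap.set(block, i * BLOCK_SIZE);
  return heap;
}

// Simulate IE dereferencing a corrupted pointer and executing at `addr`.
// Returns "shellcode" if control reaches the start of the payload, "crash" otherwise.
function execute(heap, addr) {
  let pc = addr;
  while (pc < heap.length && heap[pc] === NOP) pc++;    // ride the NOP slide
  if (pc >= heap.length) return "crash";                 // ran off the end of the spray
  for (let i = 0; i < SHELLCODE.length; i++) {
    // Anything other than the payload's first bytes (junk, or the middle of the payload)
    // is modelled as a faulting instruction stream.
    if (heap[pc + i] !== SHELLCODE[i]) return "crash";
  }
  return "shellcode";
}

// Fraction of addresses within one block from which execution reaches the payload: this is the
// reliability the NOP slide buys an attacker who only approximately controls the address.
function hitRate(heap) {
  let hits = 0;
  for (let a = 0; a < BLOCK_SIZE; a++) if (execute(heap, a) === "shellcode") hits++;
  return hits / BLOCK_SIZE;
}

const prepared = sprayHeap(NOP);
const unprepared = sprayHeap(JUNK);
console.log("hit rate with NOP slides   :", hitRate(prepared).toFixed(4));
console.log("hit rate without NOP slides:", hitRate(unprepared).toFixed(4));
```

Two things the model makes visible: landing anywhere in the slide succeeds, but landing inside the payload itself fails, which is why the slide is made as large as possible relative to the shellcode; and on a heap that script could not prepare, only the exact payload address works, which is the point behind the advice to disable active scripting.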

A Microsoft spokesperson responded by telling me that
“Microsoft is investigating new public reports of a possible vulnerability in
Internet Explorer. We have not been made aware of any active exploits of the
reported vulnerabilities or customer impact at this time, but we are
aggressively investigating the public reports.

“Microsoft will take the appropriate action to protect our
customers, which may include providing a fix through our monthly release
process or an out-of-cycle security update, depending on customer needs.”

The Redmond software giant also expressed concern that the flaw
was made public irresponsibly, rather than reported to the vendor in
private first, “potentially putting computer users at risk. We continue to
encourage responsible disclosure of vulnerabilities. We believe the commonly
accepted practice of reporting vulnerabilities directly to a vendor serves
everyone’s best interests, by helping to ensure that customers receive
comprehensive, high-quality updates for security vulnerabilities with no
exposure to malicious attackers while the patch is being developed.”

AUS-CERT (the Australian CERT), US-CERT, and Secunia all published
advisories on this vulnerability, but only after exploit code had been circulating
in the hacker community. So while notifying vendors first is desirable, once a
proof of concept has been published on the Net, many feel it is vital that
security sites get the news out as soon as possible so that IT professionals
can take the needed precautions.

Microsoft concluded its comments to me as follows,
“Customers who believe they may have been affected can contact Product Support
Services. You can contact Product Support Services in North America for help
with security update issues or viruses at no charge by using the PC Safety line
(1-866-PCSAFETY) and international customers by using any method found at: http://support.microsoft.com.”


Secunia specifically reports that this vulnerability
affects IE 6.0 on Windows 2000 and on Windows XP, including XP with Service
Pack 1 installed, but the Secunia report (as well as the US-CERT report) also
states that XP SP2 is not vulnerable.

US-CERT also warns that the same vulnerability may be reachable from
any other application that embeds the WebBrowser ActiveX control, such as Microsoft
Outlook, Outlook Express, AOL, and Lotus Notes.

AUS-CERT verifies
that XP SP2 is not vulnerable to this particular exploit, which has been
published as a proof of concept, but warns that in the
future more sophisticated attacks on the same flaw may find that XP SP2 is

Risk level – Very serious to critical

Secunia rates this issue “extremely critical.” An exploitation
attempt will most likely crash IE, but a fully successful
attack lets the attacker execute arbitrary code on the system. Antivirus
software is unlikely to catch this threat.

Mitigating factors

Windows XP with SP2 installed is apparently not vulnerable,
so installing SP2 on your Windows XP systems may be enough to avoid
this threat.

The attacker would have to lure victims to a malicious
Web site or get them to open an HTML e-mail, both of which you should
train your users to be very cautious about.

Fix – Partial

There is no complete solution to this problem yet, according
to both the Secunia and US-CERT reports, but reading all e-mail as plain text
removes the major attack vector, HTML e-mail. Disabling active scripting removes
the JavaScript step the published exploit uses to prepare the heap, which makes
the flaw much harder to exploit even though the overflow itself remains. You
can also update Windows XP to SP2. AUS-CERT also suggests using an alternative
Web browser, though that does not protect applications that embed the
WebBrowser control.
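
Since antivirus is unlikely to catch this and no patch exists, a content check on the trigger pattern is one precaution an IT shop can put on a mail gateway or proxy. The following is an added example, not code from any of the advisories cited here: it flags FRAME/IFRAME start tags whose SRC or NAME attribute is implausibly long. The 1024-byte threshold and both sample documents are constructed for this example; the advisories quoted on this page do not state the exact attribute length needed to overflow.

```javascript
// Added example: flag FRAME/IFRAME start tags carrying overlong SRC or NAME attributes, the
// trigger condition US-CERT describes. Threshold and samples are constructed, not taken from
// the advisories or the published exploit.

const MAX_ATTR_LEN = 1024; // assumed threshold: real URLs and frame names are far shorter

// <frame ...> and <iframe ...> start tags (not </iframe>, not <frameset>), case-insensitive.
// Note: a '>' inside a quoted attribute value would cut the tag short; a production filter
// should use a real HTML tokenizer rather than this regex.
const FRAME_TAG = /<\s*(i?frame)\b([^>]*)>/gi;
// src= / name= attributes with double-quoted, single-quoted or bare values.
const ATTR = /\b(src|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Return one finding per overlong attribute: which element, which attribute, how long,
// and the character offset of the tag in the document.
function scanHtml(html, maxLen = MAX_ATTR_LEN) {
  const findings = [];
  for (const tag of html.matchAll(FRAME_TAG)) {
    const [, element, attrs] = tag;
    for (const m of attrs.matchAll(ATTR)) {
      const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
      if (value.length > maxLen) {
        findings.push({
          element: element.toLowerCase(),
          attribute: m[1].toLowerCase(),
          length: value.length,
          offset: tag.index,
        });
      }
    }
  }
  return findings;
}

// Constructed samples: an ordinary page, and one shaped like the trigger (overlong SRC and NAME).
const BENIGN_HTML =
  '<html><body><iframe src="http://www.example.com/news.html" name="content"></iframe></body></html>';
const SUSPICIOUS_HTML =
  '<html><body><IFRAME SRC="' + "A".repeat(4000) + '" NAME="' + "B".repeat(4000) + '"></IFRAME></body></html>';

console.log("benign    :", scanHtml(BENIGN_HTML));
console.log("suspicious:", scanHtml(SUSPICIOUS_HTML));
```

A static scan like this only sees markup that arrives in the document; a malicious page can also assemble the IFRAME at runtime from script, which is another reason the scan complements disabling active scripting rather than replacing it.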

Final word

This report certainly makes me feel less foolish for having
swapped in a new hard drive and done a clean install of Windows XP Pro, then
installed SP2 on it two weeks ago. That is now my main working system unless
or until I run into problems with SP2. (So far, so good – I’ve encountered no
real problems with SP2, although I know others are having serious problems.)

Also watch for …

  • A group of hackers calling itself the Source Code Club is offering the
    source code of Cisco’s PIX firewall, version 6.3.1, for $24,000, as
    reported by News.com.
  • The National Security Agency’s Systems and Network Attack Center has
    published a 109-page guide to the secure installation of Apple Computer’s
    Mac OS X Version 10.3.x (Panther, which is largely BSD Unix underneath).
    The server version is less secure than the end-user installation under
    default settings, so this is an important resource for administrators
    responsible for a locally administered OS X network.