Email attachment vector for IE createTextRange() Remote Command Execution

Published: 2006-03-26
Last Updated: 2006-03-27 00:43:05 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
Just for the sake of clarity, there is an email attachment vector for this exploit that's not widely reported. I have not seen any reports of it being used at this time. MS's bulletin, in the FAQ's, in "Could this vulnerability be exploited through e-mail?", says it can be exploited if one "open(s) an attachment that could exploit the vulnerability." ISS obliquely says attacks may occur by "...simply embedding the required logic in specially crafted HTML emails.".

Note - My Outlook Web Access runs in the Local intranet Zone, and MS's suggested workaround for this IE Zone is change the Local intranet setting to prompt or disable for Active Script, or just crank the zone security setting to high for prompting.

HTML attachments, the IE Local Machine Zone Lockdown

According to MS, "Web pages accessed from the local computer are placed in the Local Machine zone" and "The Local Machine zone is an Internet Explorer security zone, but is not displayed in the settings for Internet Explorer.". "In Windows XP Service Pack 2, all local files and content that is processed by Internet Explorer has additional security applied to it in the Local Machine zone.".

"Specifically, these settings are:

URLACTION_ACTIVEX_ RUN resolves to Disallow.
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY resolves to Disallow.
URLACTION_SCRIPT_ RUN resolves to Prompt.
URLACTION_CROSS_DOMAIN_ DATA resolves to Prompt.
URLACTION_BINARY_BEHAVIORS_BLOCK resolves to Disallow.
URLACTION_JAVA_PERMISSIONS resolves to Disallow.".

Since "
script in local HTML pages viewed inside of Internet Explorer prompts the user for permission to run", disallowing HTML attachments might be worth considering.

In addition, keeping gateway email AV sigs up to date is advisable. Drop us a note if you notice attacks coming at you via email. Thanks!
Keywords:
0 comment(s)

Comments


Diary Archives