US-CERT Technical Cyber Security Alert TA04-033A -- Multiple Vulnerabilities in Microsoft Internet Explorer

National Cyber Alert System

Technical Cyber Security Alert TA04-033A

Multiple Vulnerabilities in Microsoft Internet Explorer

Original issue date: February 02, 2004
Last revised: February 17, 2004
Source: US-CERT

Systems Affected

Microsoft Windows systems running

Internet Explorer 5.01
Internet Explorer 5.50
Internet Explorer 6

Previous, unsupported, versions of Internet Explorer may also be affected.

Overview

Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code with the privileges of the user running IE.

I. Description

Microsoft Security Bulletin MS04-004 describes three vulnerabilities in Internet Explorer. These vulnerabilities are listed below. More detailed information is available in the individual vulnerability notes. Note that in addition to IE, any applications that use the IE HTML rendering engine to interpret HTML documents may present additional attack vectors for these vulnerabilities.

VU#784102 - Microsoft Internet Explorer does not properly validate source of URL stored in Travel Log
A cross-domain scripting vulnerability exists in the Travel Log functionality of Internet Explorer. This vulnerability could allow a remote attacker to execute arbitrary script in a different domain, including the Local Machine Zone.
(Other resources: CAN-2003-01026)

VU#413886 - Microsoft Internet Explorer allows mouse events to manipulate window objects
Internet Explorer allows remote attackers to direct drag and drop behaviors and other mouse click actions by using method caching (SaveRef) to access the window.moveBy method.
(Other resources: CAN-2003-01027)

VU#652278 - Microsoft Internet Explorer does not properly display URLs
Microsoft Internet Explorer does not properly display the location of HTML documents. An attacker could exploit this behavior to mislead users into revealing sensitive information.
(Other resources: CAN-2003-01025)

II. Impact

These vulnerabilities have different impacts, ranging from disguising the true location of a URL to executing arbitrary commands or code. Please see the individual vulnerability notes for specific information. The most serious of these vulnerabilities (VU#784102) could allow a remote attacker to execute arbitrary code with the privileges of the user running IE. The attacker could exploit this vulnerability by convincing the user to access a specially crafted HTML document, such as a web page or HTML email message. No user intervention is required beyond viewing the attacker's HTML document with IE.

III. Solutions

Apply a patch

Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-004.

Note: The fix included in MS04-004 for VU#652278 removes support for the "http(s)://username:password@www.example.com" URL format. This change, along with workarounds for users and administrators, is covered in Microsoft Knowledge Base Article 834489.

The MS04-004 patch also modifies the way IE 6 resends HTTP POST requests. In some cases, this change could manifest as authentication failures and HTTP 500 error messages. See Microsoft Knowledge Base Article 831167 for more information.

Appendix A. Vendor Information

This section contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.