III. Solution
Apply the patch from Microsoft
Apply the patch from Microsoft, available at:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
As noted in the 'Caveats' section of the Microsoft advisory, end
users must apply this patch to supported versions of Microsoft's
browser. This means IE must be upgraded to IE 5.01 Service Pack 1 or
IE 5.5 Service Pack 1 before users can apply this patch. Users who
have not previously upgraded will incorrectly receive a message
stating that they do not need to apply this patch, even though they
are vulnerable. Users are advised to upgrade to IE 5.5 SP1, IE 5.01
SP1 or SP2 (which has this patch incorporated in it) and apply the
appropriate patch.
An excerpt from MS01-020:
Caveats:
If the patch is installed on a system running a version of IE other
than the one it is designed for, an error message will be displayed
saying that the patch is not needed. This message is incorrect, and
customers who see this message should upgrade to a supported version
of IE and re-install the patches.
Cyrusoft International, Inc.
Mulberry does not use Internet Explorer to render HTML within Mulberry
itself and is not vulnerable to these kinds of problems. Users can save
HTML attachments to disk and then view those in browsers susceptible to
this problem, but this requires the direct intervention of the user to
explicitly save to disk - simply viewing HTML in Mulberry does not expose
users to these kinds of problems.
Our HTML rendering is a basic styled-text only renderer that does not
execute any form of scripts. This is true on all the platforms we support:
Win32, Mac OS (Classic & X), Solaris, linux.
An official statement about this is available on our website at:
http://www.cyrusoft.com/mulberry/htmlsecurity.html
Lotus Development Corporation
Notes doesn't use IE to display HTML formatted email.
If a user's browser preferences specify Notes with Internet Explorer, then
the version of Internet Explorer that is installed on the user's
workstation is used for browsing. It is launched as an ActiveX component
within Notes, but Notes does not ship any IE code. If Internet Explorer is
chosen as the user's preferred browser, then Notes launches Internet
Explorer in a separate window and opens the link. The Notes client does
not need to be upgraded but the user must upgrade their version of Internet
Explorer to prevent against this vulnerability, which they should do
anyway.
Microsoft Corporation
Please see the advisory (MS01-020, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment") related to this issue at:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
A patch is available for this issue at:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
Note: The above patch has been superseded by the IE 5.01 and 5.5 patches
discussed in MS01-027
Netscape Communications Corporation
We have concluded that the bug, as described above, does NOT affect
Netscape clients 4.x and 6.x for the following two reasons:
- We ALWAYS verify that the user wants to open/launch the attachment with
a link. The user must click this link to view/launch the attachment.
- Also, we ALWAYS stay true to the MIME type given. Therefore, if someone
sent a malicious .exe file, and manually changed the MIME type to
image/gif, Netscape would open the file as a gif. The result would be
garbled binary code.
As a result of our forced check for user authorization (bullet #1) we assume
that the bug in question does not affect us.
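
The mismatch described in the statement above (an executable sent under a declared type such as image/gif) can also be checked for at a mail gateway. The following is an added example, not code from CERT/CC or any vendor named in this advisory; the magic-byte table, the extension list, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Well-known leading bytes for a few media types (not an exhaustive table).
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "audio/x-wav": (b"RIFF",),
}
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")  # assumed list
MEDIA_MAIN = ("image", "audio", "video")


def find_mismatches(raw):
    """Return (declared_type, filename, reason) for each suspicious MIME part."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        is_media = ctype.split("/")[0] in MEDIA_MAIN
        if body[:2] == b"MZ" and is_media:
            findings.append((ctype, name, "DOS/PE header under a media type"))
        elif name.lower().endswith(EXEC_EXT) and is_media:
            findings.append((ctype, name, "executable extension under a media type"))
        elif ctype in MAGIC and not body.startswith(MAGIC[ctype]):
            findings.append((ctype, name, "content does not match declared type"))
    return findings


def build_sample():
    """Constructed test message: one honest GIF and two mislabelled parts."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image",
                       subtype="gif", filename="ok.gif")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="image",
                       subtype="gif", filename="photo.gif")
    msg.add_attachment(b"not audio data", maintype="audio",
                       subtype="x-wav", filename="greeting.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_mismatches(build_sample()):
        print(finding)
```
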
Opera Software
Opera does not use Internet Explorer or any other external software to render HTML.
QUALCOMM Incorporated
It is unclear at this time what impact, if any, this vulnerability has on Eudora clients.
Appendix B. - References
Havrilla, J., and Hernan, S., "CERT Vulnerability Note VU#980499: Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML", March 2001.
https://www.kb.cert.org/vuls/id/980499
Microsoft has acknowledged Juan Carlos Cuartango for
bringing this issue to their attention.
This document was written by Jeffrey S. Havrilla and Shawn
V. Hernan. If you have feedback, comments, or additional
information about this issue, please send us email.
This document is available from:
http://www.cert.org/advisories/CA-2001-06.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.
Copyright 2001 Carnegie Mellon University.