Buffer Overflow in Microsoft Internet Explorer
Last revised: April 2, 2002
A complete revision history can be found at the end of this file.
- Microsoft Internet Explorer
- Microsoft Outlook and Outlook Express
- Other applications that use the Internet Explorer HTML rendering engine
Microsoft Internet Explorer contains a buffer overflow vulnerability in its handling of embedded objects in HTML documents. This vulnerability could allow an attacker to execute arbitrary code on the victim's system when the victim visits a web page or views an HTML email message.
Internet Explorer supports the <EMBED> directive, which can be used to include arbitrary objects in HTML documents. Common types of embedded objects include multimedia files, Java applets, and ActiveX controls. The SRC attribute specifies the source path and filename of an object. For example, a MIDI sound might be embedded in a web page with the following HTML code:
<EMBED TYPE="audio/midi" SRC="/path/sound.mid" AUTOSTART="true">Internet Explorer uses attributes of the <EMBED> directive and MIME information from the web server to determine how to handle an embedded object. In most cases, a separate application or plugin is used.
A group of Russian researchers, SECURITY.NNOV, has reported that Internet Explorer does not properly handle the SRC attribute of the <EMBED> directive. An HTML document, such as a web page or HTML email message, that contains a crafted SRC attribute can trigger a buffer overflow, executing code with the privileges of the user viewing the document.
According to the Severity Rating for the "Buffer Overrun in HTML Directive" vulnerability in MS02-005, Internet Explorer 5.5 and 6.0 are vulnerable. Outlook and Outlook Express are also vulnerable, since they use Internet Explorer to render HTML email messages. Other applications that use the Internet Explorer HTML rendering engine, such as America Online (AOL), Windows compiled HTML help (.chm) files, and third-party email clients may also be vulnerable.
The CERT/CC is tracking this vulnerability as VU#932283, which corresponds directly to the "buffer overrun" vulnerability described in Microsoft Security Bulletin MS02-005. This vulnerability has been assigned the CVE identifier CAN-2002-0022.
By convincing a user to view a malicious HTML document, an attacker can cause the Internet Explorer HTML rendering engine to execute arbitrary code with the privileges of the user who viewed the HTML document. This vulnerability could be exploited to distribute viruses, worms, or other malicious code.
Apply a patch
Microsoft has released a cumulative patch for Internet Explorer that corrects this vulnerability and several others. For more information about the patch and the vulnerabilities, please see Microsoft Security Bulletin MS02-005:
Disable ActiveX Controls and Plugins
In Internet Explorer, plugins may be used to view, play, or otherwise process embedded objects. The execution of embedded objects is controlled by the "Run ActiveX Controls and Plugins" security option. Disabling this option will prevent embedded objects from being processed, and will therefore prevent exploitation of this vulnerability.
According to MS02-005:
The vulnerability could not be exploited if the "Run ActiveX Controls and Plugins" security option were disabled in the Security Zone in which the page was rendered. This is the default condition in the Restricted Sites Zone, and can be disabled manually in any other Zone.
At a minimum, disable the "Run ActiveX Controls and Plugins" security option in the Internet Zone and the zone used by Outlook or Outlook Express. The "Run ActiveX Controls and Plugins" security option is disabled in the "High" zone security setting. Instructions for configuring the Internet Zone to use the "High" zone security setting can be found in the CERT/CC Malicious Web Scripts FAQ:
Apply the Outlook Email Security Update
Another way to effectively disable the processing of ActiveX controls and plugins in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where the "Run ActiveX Controls and Plugins" security option is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook.
- Outlook 2002 and Outlook Express 6
The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.
- Outlook 2000
- Outlook 98
This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
Microsoft has released a Security Bulletin and a Knowledge Base Article addressing this vulnerability:
- Security Bulletin MS02-005
- Knowledge Base Article Q317731
Our email client Mulberry does not use the core HTML rendering engine library for its HTML display, and so is not affected by the bug in that library. Having looked at the details of this alert I can also confirm that our own HTML rendering engine is not affected by this, as it ignores the relevant tags.
The CERT/CC thanks ERRor and DarkZorro of domain Hell and 3APA3A of SECURITY.NNOV for reporting this issue to us.
Author: Art Manion
Copyright 2002 Carnegie Mellon University.
February 25, 2002: Initial release February 25, 2002: Fixed < and > tags February 25, 2002: Updated Description with version information March 5, 2002: Added MacOS and Unix information April 2, 2002: Added AOL information