Microsoft Internet Explorer does not properly evaluate Content-Type and Content-Disposition headers

Overview

A cross-domain scripting vulnerability exists in the way Microsoft Internet Explorer (IE) evaluates Content-Type and Content-Disposition headers and checks for files in the local browser cache. This vulnerability could allow a remote attacker to execute arbitrary script in a different domain, including the Local Machine Zone.

Description

Microsoft Security Bulletin MS03-032 describes a vulnerability in the way IE checks for files in the local browser cache:

A flaw in Internet Explorer could allow a malicious Web site operator to access information in another Internet domain, or on the user’s local system by injecting specially crafted code when the browser checks for the existence of files in the browser cache. …There is a flaw in the way Internet Explorer checks the originating domain when checking for the existence of local files in the browser cache.
SNS Advisory No.67 further elaborates:

If specific MIME type is specified in the Content-Type header of an HTTP response and if a special string is defined in the Content-Disposition header, this string can be automatically downloaded and opened within the Temporary Internet Files (TIF) under several conditions in Microsoft Internet Explorer. …Additionally, if this vulnerability is exploited through a specific string in the Content-Disposition header, the OBJECT tag can be parsed in the “My Computer” zone.
Presumably, specially crafted Content-Type and Content-Disposition headers can cause IE to execute script in a different domain, including the Local Machine Zone. It seems that the contents of the Content-Disposition header is treated as HTML code, and any script in those contents is executed without regard to cross-domain security restrictions. For some reason, IE considers the script to be in the Local Machine Zone, when files in the Temporary Internet Files directory should not be trusted and are typically treated as if they were in the Internet zone.

---

Impact

An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could execute arbitrary script with privileges of the user in the security context of the Local Machine Zone. This technique could be used to read certain types of files in known locations on the user’s system. In conjunction with other vulnerabilities (VU#626395, VU#25249), the attacker could execute arbitrary commands on the user’s system. The attacker could also determine the path to the Temporary Internet Files folder (cache) and access data from other web sites.

---

Solution

Apply patch
Apply 822925 or a more recent cumulative patch for IE. See Microsoft Security Bulletin MS03-032.

---

Vendor Information

205148

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: August 25, 2003 Updated: August 25, 2003

Status

Affected

Vendor Statement

Please see Microsoft Security Bulletin MS03-032.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23205148 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.lac.co.jp/security/english/snsadv_e/67_e.html&gt;
• <http://www.microsoft.com/security/security_bulletins/ms03-032.asp&gt;
• <http://www.microsoft.com/technet/security/bulletin/MS03-032.asp&gt;
• <http://support.microsoft.com/default.aspx?scid=kb;en-us;822925&gt;
• <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp&gt;
• <http://www.secunia.com/advisories/9580/&gt;
• <http://www.securityfocus.com/bid/8457&gt;
• <http://xforce.iss.net/xforce/xfdb/12961&gt;

Acknowledgements

Microsoft credits LAC/SNS for reporting this vulnerability. Information used in this document came from LAC/SNS and Microsoft.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2003-0531
CERT Advisory:	CA-2003-22 Severity Metric: