CVSS2 score: 10 (High)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.968 (High), percentile 99.7%
The Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler does not adequately validate the source of alternate content. An attacker could exploit this vulnerability to access data and execute script in different security domains. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running the program that invoked the handler, typically Internet Explorer (IE).
The Cross Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Local Machine Zone is “…an implicit zone for content that exists on the local computer. The content found on the user’s computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust.” The determination of what zone and/or domain a URL exists in and what actions can be performed in that zone is made by the Internet Security Manager Object.
HTML Help
The Microsoft HTML Help system “…is the standard help system for the Windows platform.” HTML Help components can be compiled to “…compress HTML, graphic, and other files into a relatively small compiled help (.chm) file…”. The resulting compiled Help (CHM) file can then “…be distributed with a software application, or downloaded from the Web.” The Help Viewer application “…uses the underlying components of Microsoft Internet Explorer to display help content. It supports HTML, ActiveX, Java, scripting languages (JScript, and Microsoft Visual Basic Scripting Edition)…”.
The InfoTech Storage Format
CHM files use the Microsoft InfoTech Storage format (ITS). IE can access components within CHM files (via the IStorage interface) using several protocol handlers: ms-its, ms-itss, its, mk:@MSITStore.
For example, the following URL references an HTML file within a CHM file hosted on a remote web site:
> ms-its:http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html
This URL references a local CHM file:
> its:file://c:\directory\path\compiledhelpfile.chm:/htmlfile.html
MIME Encapsulation of Aggregate HTML Documents (MHTML)
MHTML (RFC 2110) provides a way to include multiple components of an HTML document (HTML, images, script, etc.) in a single MIME email message. Outlook Express implements an MHTML protocol handler (mhtml:), and Windows systems use IE to access MHTML URLs. The ITS protocol handlers can reference objects contained within MHTML documents:
> ms-its:mhtml:file://c:\directory\path\mhtmlfile.mhtml
The ITS protocol handlers can specify an alternate location for MHTML content:
> ms-its:mhtml:file://c:\file_does_not_exist.mhtml!http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html
The Problem
If the MHTML protocol handler is unable to access the specified MHTML file (for example, because the file does not exist), the handler attempts to access the content at the alternate location instead. In the example above, the MHTML protocol handler incorrectly treats HTML content from one domain (htmlfile.html in example.com) as if it were in a different domain (file://, the Local Machine Zone). This is a violation of the cross-domain security model. Testing shows that the ms-its:, its:, and mk:@MSITStore: protocol handlers can act as attack vectors.
An attacker could exploit this vulnerability using a specially crafted URL and an HTML document containing script, an ActiveX object, or possibly an IFRAME element. Due to the way IE determines the MIME type of a file referenced by a URL, an HTML document may not necessarily have the expected file name extension (.html or .htm). Likewise, a CHM file may not have the expected .chm extension.
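The following Python script is an added example and is not part of this vulnerability note or of any Microsoft code. It parses URLs of the ITS-over-MHTML shape shown above and flags those whose alternate location lies in a different origin than the primary MHTML file, which is the fallback pattern the note describes; a mail gateway or proxy log review could apply the same rule. The log format, the hosts (www.example.com, www.example.net, www.example.org), the log lines and the function names are constructed for this example. Because the note says file name extensions cannot be relied on, the check keys on the handler syntax rather than on .chm or .html.

```python
"""Flag ITS-over-MHTML URLs whose alternate location sits in another zone/origin.

Constructed example; the log format, hosts and function names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Protocol handlers the note names as attack vectors; IE matches them case-insensitively.
ITS_SCHEMES = ("ms-itss:", "ms-its:", "its:", "mk:@msitstore:")


@dataclass
class ItsMhtmlUrl:
    its_scheme: str            # handler that was invoked, e.g. "ms-its" or "mk:@MSITStore"
    primary: str               # MHTML file the mhtml: handler tries first
    alternate: Optional[str]   # content fetched instead when the primary cannot be read


def origin(url: str) -> str:
    """Coarse origin label: 'file' for Local Machine Zone content, else 'scheme://host'.

    This only approximates IE's Internet Security Manager, which maps URLs to zones
    per user; it is enough to tell a file:// primary from an http:// alternate.
    """
    low = url.strip().lower()
    drive_path = len(low) > 1 and low[0].isalpha() and low[1] == ":"
    if low.startswith("file:") or drive_path:
        return "file"
    parts = urlsplit(low)
    return f"{parts.scheme}://{parts.netloc}"


def parse_its_mhtml(url: str) -> Optional[ItsMhtmlUrl]:
    """Parse '<its-scheme>mhtml:<primary>[!<alternate>]'; None for any other URL.

    File name extensions are deliberately ignored: the note says an HTML document
    or CHM file need not carry .html/.htm or .chm.
    """
    text = url.strip()
    low = text.lower()
    scheme = next((s for s in ITS_SCHEMES if low.startswith(s)), None)
    if scheme is None:
        return None
    inner = text[len(scheme):]
    if not inner.lower().startswith("mhtml:"):
        return None
    primary, _, alternate = inner[len("mhtml:"):].partition("!")
    return ItsMhtmlUrl(text[:len(scheme) - 1], primary, alternate or None)


def is_cross_zone_fallback(parsed: ItsMhtmlUrl) -> bool:
    """True when a missing primary would hand the ITS handler content from another origin."""
    return parsed.alternate is not None and origin(parsed.primary) != origin(parsed.alternate)


def scan_log(lines: List[str]) -> List[str]:
    """Return the URLs in '<time> <client> <method> <url>' log lines that match the pattern."""
    hits = []
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        parsed = parse_its_mhtml(fields[-1])
        if parsed is not None and is_cross_zone_fallback(parsed):
            hits.append(fields[-1])
    return hits


# Constructed proxy log: only lines 3, 4 and 6 exhibit the cross-zone fallback.
SAMPLE_LOG = [
    "2004-04-13T10:01:02 10.0.0.5 GET http://www.example.com/index.html",
    "2004-04-13T10:01:03 10.0.0.5 GET ms-its:http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html",
    "2004-04-13T10:01:04 10.0.0.5 GET ms-its:mhtml:file://c:\\file_does_not_exist.mhtml!http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html",
    "2004-04-13T10:01:05 10.0.0.7 GET mk:@MSITStore:mhtml:file://c:\\missing.mhtml!http://www.example.net/notes.txt",
    "2004-04-13T10:01:06 10.0.0.7 GET its:mhtml:file://c:\\local.mhtml",
    "2004-04-13T10:01:07 10.0.0.9 GET MS-ITS:MHTML:FILE://C:\\gone.mhtml!HTTP://www.example.org/help",
]

if __name__ == "__main__":
    for url in scan_log(SAMPLE_LOG):
        print("cross-zone MHTML fallback:", url)
```

The rule flags only URLs that combine an ITS handler, an mhtml: inner URL and an alternate location in a different origin; a plain ITS reference to a local or remote CHM file, or an mhtml: URL without a fallback, is left alone. Treat a hit as a reason to inspect the message or request, not as proof of exploitation.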
Functional exploit code is publicly available, and there are reports of incidents involving this vulnerability (e.g., the Ibiza trojan, variants of Bugbear, and Bloodhound.Exploit.6).
Any program that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected.
By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker’s document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. The attacker could also read or modify data in other web sites and in the Local Machine Zone (read cookies/content, modify/create content, etc.).
Install a patch
Install the appropriate cumulative patch for Outlook Express according to Microsoft Security Bulletin MS04-013.
Note: Disabling Active scripting or ActiveX controls is not an effective workaround
Disabling Active scripting and ActiveX controls in any zone does not prevent the exploitation of this vulnerability. Disabling these features in the Internet and Local Machine Zones (see MS KB Article 833633) may stop some attacks.
Disable ITS and MHTML protocol handlers
Disabling the ITS and MHTML protocol handlers may prevent exploitation of this vulnerability. Delete or rename the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk,mhtml}
Modifying the Windows registry in this way may have unintended consequences. Disabling the ITS protocol handlers will reduce the functionality of the Windows help systems. Plan to undo these changes after patches have been tested and installed.
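The following Python script is an added example, not part of this note or of any Microsoft tooling. It reports which of the five handler keys named above are still registered under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler, and builds the reg.exe export command that backs a key up before it is deleted, so the change can be undone once the patch is in place as the note advises. The registry enumeration uses the standard winreg module and only runs on Windows; the backup directory C:\reg-backup and the function names are assumptions.

```python
"""Check whether the ITS/MHTML handler keys the workaround removes are still present.

Constructed example; the backup directory and function names are assumptions.
"""
import sys
from typing import Iterable, List

# Registry path from the note, relative to HKEY_LOCAL_MACHINE.
HANDLER_ROOT = r"SOFTWARE\Classes\PROTOCOLS\Handler"
# Subkeys the note says to delete or rename.
ITS_MHTML_HANDLERS = ("ms-its", "ms-itss", "its", "mk", "mhtml")


def still_registered(subkeys: Iterable[str]) -> List[str]:
    """Given the subkey names under HANDLER_ROOT, return the handlers not yet removed.

    Registry key names are case-insensitive, so both sides are lowercased.
    """
    present = {name.lower() for name in subkeys}
    return [h for h in ITS_MHTML_HANDLERS if h in present]


def backup_command(handler: str, out_dir: str) -> List[str]:
    """reg.exe invocation that exports one handler key to a .reg file before deletion,
    so the change can be undone once the MS04-013 patch is tested and installed."""
    key = "HKLM\\" + HANDLER_ROOT + "\\" + handler
    return ["reg", "export", key, out_dir + "\\" + handler + ".reg", "/y"]


def enumerate_handlers() -> List[str]:
    """Windows only: read the subkey names under HKLM\\...\\PROTOCOLS\\Handler."""
    import winreg  # part of the standard library on Windows only, hence the lazy import
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HANDLER_ROOT) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for index in range(subkey_count):
            names.append(winreg.EnumKey(key, index))
    return names


if __name__ == "__main__" and sys.platform == "win32":
    remaining = still_registered(enumerate_handlers())
    if not remaining:
        print("workaround in place: no ITS/MHTML handler keys found")
    for handler in remaining:
        print("still registered:", handler)
        print("  export first with:", " ".join(backup_command(handler, r"C:\reg-backup")))
```

Run it before applying the workaround to see what will change, and again after patching to confirm the keys have been restored; the exported .reg files can be re-imported with reg.exe to undo the deletion.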
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.
Read and send email in plain text format
Outlook 2002 SP1 and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. US-CERT maintains a partial list of antivirus vendors.
Use a different web browser
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). It is possible for a different browser on a Windows system to invoke IE to handle MHTML protocol URLs.
VU#323070
Vendor status: Affected (notified April 02, 2004; updated April 13, 2004)
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see Microsoft Security Bulletin MS04-013.
If you have feedback, comments, or additional information about this vulnerability, please send us email (subject: VU#323070 Feedback).
This vulnerability was reported by Liu Die Yu. Thanks to http-equiv for additional research and collaboration.
This document was written by Art Manion.
CVE IDs: CVE-2004-0380
Severity Metric: 76.50
Date Public:
msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp
msdn.microsoft.com/library/en-us/stg/stg/istorage.asp
msdn.microsoft.com/workshop/author/dhtml/reference/objects/object.asp
msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp
msdn.microsoft.com/workshop/networking/moniker/monikers.asp
msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp
msdn.microsoft.com/workshop/security/szone/overview/overview.asp
msdn.microsoft.com/workshop/security/szone/overview/overview.asp#default_zones
msdn.microsoft.com/workshop/security/szone/overview/overview.asp#SecurityZones
msdn.microsoft.com/workshop/security/szone/reference/objects/internetsecuritymanager.asp
secunia.com/advisories/10523/
support.microsoft.com/default.aspx?scid=833633
support.microsoft.com/support/kb/articles/Q174/3/60.asp
support.microsoft.com/support/kb/articles/Q182/5/69.asp
www.auscert.org.au/3990
www.dsv.su.se/~jpalme/ietf/mhtml.html
www.helpware.net/htmlhelp/hh_info.htm
www.ietf.org/rfc/rfc2110.txt
www.ietf.org/rfc/rfc2111.txt
www.microsoft.com/technet/security/bulletin/ms04-013.mspx
www.microsoft.com/windows/ieak/default.asp
www.securityfocus.com/archive/1/345615
www.securityfocus.com/bid/9658
msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml_.asp