Outlook Express MHTML protocol handler does not properly validate source of alternate content

Overview

The Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler does not adequately validate the source of alternate content. An attacker could exploit this vulnerability to access data and execute script in different security domains. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running the program that invoked the handler, typically Internet Explorer (IE).

Description

The Cross Domain Security Model

IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Local Machine Zone is “…an implicit zone for content that exists on the local computer. The content found on the user’s computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust.” The determination of what zone and/or domain a URL exists in and what actions can be performed in that zone is made by the Internet Security Manager Object.

HTML Help

The Microsoft HTML Help system “…is the standard help system for the Windows platform.” HTML Help components can be compiled to “…compress HTML, graphic, and other files into a relatively small compiled help (.chm) file…”. The resulting compiled Help (CHM) file can then “…be distributed with a software application, or downloaded from the Web.” The Help Viewer application “…uses the underlying components of Microsoft Internet Explorer to display help content. It supports HTML, ActiveX, Java, scripting languages (JScript, and Microsoft Visual Basic Scripting Edition)…”.

The InfoTech Storage Format

CHM files use the Microsoft InfoTech Storage format (ITS). IE can access components within CHM files (via the IStorage interface) using several protocol handlers: ms-its, ms-itss, its, mk:@MSITStore.

For example, the following URL references an HTML file within a CHM file hosted on a remote web site:

> ms-its:http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html

This URL references a local CHM file:

> its:file://c:\directory\path\compiledhelpfile.chm:/htmlfile.html

MIME Encapsulation of Aggregate HTML Documents (MHTML)

MHTML (RFC 2110) provides a way to include multiple components of an HTML document (HTML, images, script, etc.) in a single MIME email message. Outlook Express implements an MHTML protocol handler (mhtml:), and Windows systems use IE to access MHTML URLs. The ITS protocol handlers can reference objects contained within MHTML documents:

> ms-its:mhtml:file://c:\directory\path\mhtmlfile.mhtml

The ITS protocol handlers can specify an alternate location for MHTML content (URL is wrapped):

> ms-its:mhtml:file://c:\file_does_not_exist.mhtml!http://www.example.com/directory/ path/compiledhelpfile.chm:/htmlfile.html

The Problem

If the MHTML protocol handler is unable to access the specified MHTML file, (for example, if the file does not exist) the handler will attempt to access the content specified by the alternate location. In the example above, the MHTML protocol handler incorrectly treats HTML content from one domain (htmlfile.html in example.com) as if it were in a different domain (file://, the Local Machine Zone). This is a violation of the cross-domain security model. Testing shows that the ms-its:, its:, and mk:@MSITStore: protocol handlers can act as attack vectors.

An attacker could exploit this vulnerability using a specially crafted URL and an HTML document containing script, an ActiveX object, or possibly an IFRAME element. Due to the way IE determines the MIME type of a file referenced by a URL, an HTML document may not necessarily have the expected file name extension (.html or .htm). Likewise, a CHM file may not have the expected .chm extension.

Functional exploit code is publicly available, and there are reports of incidents involving this vulnerability (e.g., the Ibiza trojan, variants of Bugbear, Bloodhound.Exloit.6).

Any program that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected.

---

Impact

By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker’s document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. The attacker could also read or modify data in other web sites and in the Local Machine Zone (read cookies/content, modify/create content, etc.).

---

Solution

Install a patch
Install the appropriate cumulative patch for Outlook Express according to Microsoft Security Bulletin MS04-013.

---

Note: Disabling Active scripting or ActiveX controls is not an effective workaround

Disabling Active scripting and ActiveX controls in any zone does not prevent the exploitation of this vulnerability. Disabling these features in the Internet and Local Machine Zones (see MS KB Article 833633) may stop some attacks.

Disable ITS and MHTML protocol handlers

Disabling the ITS and MHTML protocol handlers may prevent exploitation of this vulnerability. Delete or rename the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk,mhtml}
Modifying the Windows registry in this way may have unintended consequences. Disabling the ITS protocol handlers will reduce the functionality of the Windows help systems. Plan to undo these changes after patches have been tested and installed.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.

Read and send email in plain text format

Outlook 2002 SP1 and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. US-CERT maintains a partial list of antivirus vendors.

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). It is possible for a different browser on a Windows system to invoke IE to handle MHTML protocol URLs.

---

Vendor Information

323070

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: April 02, 2004 Updated: April 13, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS04-013.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23323070 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/archive/1/345615&gt;
• <http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx&gt;
• <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp&gt;
• <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp&gt;
• <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp&gt;
• <http://support.microsoft.com/support/kb/articles/Q182/5/69.asp&gt;
• <http://support.microsoft.com/support/kb/articles/Q174/3/60.asp&gt;
• <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp#SecurityZones&gt;
• <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp#default_zones&gt;
• <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp&gt;
• <http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp&gt;
• <http://www.microsoft.com/windows/ieak/default.asp&gt;
• <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp&gt;
• [[<a href=“http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/ cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml.asp”>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/ cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml.asp</a>]](<[<a href=“http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/ cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml.asp”>http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/ cdosys_mime_encapsulation_of_aggregate_html_documents_mhtml.asp</a>]>)
• <http://msdn.microsoft.com/library/en-us/stg/stg/istorage.asp&gt;
• <http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/object.asp&gt;
• <http://msdn.microsoft.com/workshop/security/szone/reference/objects/internetsecuritymanager.asp&gt;
• <http://support.microsoft.com/default.aspx?scid=833633&gt;
• <http://www.ietf.org/rfc/rfc2110.txt&gt;
• <http://www.ietf.org/rfc/rfc2111.txt&gt;
• <http://www.dsv.su.se/~jpalme/ietf/mhtml.html&gt;
• <http://www.helpware.net/htmlhelp/hh_info.htm&gt;
• <http://www.securityfocus.com/bid/9658&gt;
• <http://secunia.com/advisories/10523/&gt;
• <http://www.auscert.org.au/3990&gt;

Acknowledgements

This vulnerability was reported by Liu Die Yu. Thanks to http-equiv for additional research and collaboration.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2004-0380
Severity Metric:	76.50 Date Public: