Microsoft Internet Explorer does not properly evaluate "application/hta" MIME type referenced by DATA attribute of OBJECT element

Overview

Microsoft Internet Explorer (IE) will execute an HTML Application (HTA) referenced by the DATA attribute of an OBJECT element if the Content-Type header returned by the web server is set to “application/hta”. An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user running IE.

Note: (2003-10-04) The patch provided by MS03-040 addresses two attack vectors that were not resolved by MS03-032.

Description

1. The OBJECT element
The IE Dynamic HTML Object Model (DOM) defines the OBJECT element as a way to embed ActiveX controls and other objects in HTML documents. The DATA attribute is a URI that provides the data for an object, such as an HTML file (e.g., <OBJECT DATA=“somefile.html”>).

2. The HTML Application (HTA)
HTML Applications (HTAs) are HTML documents that are executed as trusted applications that are not subject to IE security restrictions. HTAs can run script, Java, or ActiveX controls. From Microsoft documentation:

Warning_ HTAs can potentially expose the client machine to malicious script. HTAs, like .exe files have read/write access to the files and system registry on the client machine. Powerful executables can be produced and delivered quickly with a few short script statements. Use of HTAs is not recommended where security or the source of the file is questionable._ 3. IE MIME type determination
Instead of accepting the server-supplied Content-Type header as recommended in RFC 2616, IE uses a rather complicated method to determine the MIME type of a file referenced by a URI. In many cases, IE will download and parse a file as part of the MIME type determination process. This check is unable to differentiate between HTA and HTML files since both files are essentially text files that contain HTML code. As a result, IE accepts the MIME Content-Type provided by the server.

4. The problem
When accessing an HTA file directly, IE prompts the user to download or run the file. However, when an HTA file is referenced by the DATA attribute of an OBJECT element, and the web server returns the Content-Type header set to “application/hta”, IE may execute the HTA file directly, without user intervention. The HTML used to reference the HTA file can be created in at least three ways:
1. The HTML can be static
2. The HTML can be generated by script (<<http://lists.netsys.com/pipermail/full-disclosure/2003-September/009639.html&gt;&gt;)
3. The HTML can be generated by Data Binding an XML source to an HTML consumer (<<http://lists.netsys.com/pipermail/full-disclosure/2003-September/009665.html&gt;&gt;)
The extension of the HTA file does not affect this behavior, for example <OBJECT DATA=“somefile.jpg”> (where somefile.jpg is a text file containing HTML code). IE security zone settings for ActiveX controls may prevent an HTA from being executed in this manner.

Any program that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected, however, recent versions of these programs open mail in the Restricted Sites Zone where ActiveX controls and plug-ins and Active scripting are disabled by default.

This vulnerability is documented in an advisory from eEye Digital Security and Microsoft Security Bulletins MS03-032 and MS03-040.

The CERT/CC has received reports of this vulnerability being exploited to install backdoors and DDoS tools, read AIM credentials from the registry, install porn dialers, and modify DNS settings (QHosts). See Incident Note IN-2003-04 for further information.

---

Impact

By convincing a victim to view an HTML document (web page, HTML email), a remote attacker could execute arbitrary code with the privileges of the victim.

---

Solution

Apply patch
Apply the patch (828750) referenced in Microsoft Security Bulletin MS03-040 or a more recent cumulative patch. CAN-2003-0838 and CAN-2003-0809 correspond to the attack vectors that use script (2) and XML Data Binding (3), respectively.

The patch (822925) referenced in Microsoft Security Bulletin MS03-032 (released on 2003-08-20) stops HTAs from executing in one case in which static HTML is used to create an OBJECT element referencing the HTA(1). The patch does not prevent HTAs from executing in at least two other cases in which the requisite HTML is generated by script (2) or by XML Data Binding (3).

---

Disable ActiveX controls and plug-ins

It appears that disabling the “Run ActiveX controls and plug-ins” setting will prevent OBJECT elements from being instantiated, thus preventing exploitation of this vulnerability. Disable “Run ActiveX controls and plug-ins” in the Internet Zone and any zone used to read HTML email. In our tests, this setting prevented OBJECT elements from being instantiated and therefore stopped sample exploits from running. It has been reported that disabling ActiveX controls and plug-ins is not completely effective.

Apply the Outlook Email Security Update

Another way to effectively disable ActiveX controls and plug-ins in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where ActiveX controls and plug-ins and Active scripting are disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.

Unmap HTA MIME type

Deleting or renaming the following registry key prevents HTAs from executing in the three cases listed above:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta
Note that there may be other attack vectors that do not rely on this MIME setting.

Block Content-Type headers

Use an application layer firewall, HTTP proxy, or similar technology to block or modify HTTP Content-Type headers with the value “application/hta”. This technique may not work for encrypted HTTP connections and it may break applications that require the “application/hta” Content-Type header.

Block**mshta.exe**

Use a host-based firewall to deny network access to the HTA host: %SystemRoot%\system32\mshta.exe. Examining network traces of known attack vectors, it seems that the exploit HTML/HTA code is accessed three times, twice by IE and once by mshta.exe. The HTA is instantiated at some point before the third access attempt. Blocking mshta.exe prevents the third access attempt, which appears prevent the exploit code from being loaded into the HTA. There may be other attack vectors that circumvent this workaround. For example, a vulnerability that allowed data in the browser cache to be loaded into the HTA could remove the need for mshta.exe to access the network. This technique may break applications that require HTAs to access the network. Also, specific host-based firewalls may or may not properly block mshta.exe from accessing the network.

Maintain updated antivirus software

Antivirus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely on antivirus software to defend against this vulnerability. The CERT/CC maintains a partial list of antivirus vendors.

---

Vendor Information

865940

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: August 25, 2003 Updated: October 05, 2003

Status

Affected

Vendor Statement

Please see Microsoft Security Bulletin MS03-40.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23865940 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.eeye.com/html/Research/Advisories/AD20030820.html&gt;
• <http://www.microsoft.com/technet/security/bulletin/MS03-032.asp&gt;
• <http://support.microsoft.com/default.aspx?scid=kb;en-us;822925&gt;
• <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp&gt;
• <http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/object.asp&gt;
• <http://msdn.microsoft.com/workshop/author/hta/overview/htaoverview.asp&gt;
• <http://msdn.microsoft.com/workshop/author/hta/reference/objects/hta.asp&gt;
• <http://msdn.microsoft.com/workshop/author/om/doc_object.asp&gt;
• <http://msdn.microsoft.com/workshop/author/databind/data_binding.asp&gt;
• <http://www.ietf.org/rfc/rfc2616.txt&gt;
• <http://www.secunia.com/advisories/9580/&gt;
• <http://www.securityfocus.com/archive/1/334459&gt;
• <http://xforce.iss.net/xforce/xfdb/12960&gt;
• <http://lists.netsys.com/pipermail/full-disclosure/2003-September/009639.html&gt;
• <http://lists.netsys.com/pipermail/full-disclosure/2003-September/009665.html&gt;
• <http://lists.netsys.com/pipermail/full-disclosure/2003-September/009671.html&gt;
• <http://greymagic.com/adv/gm001-ie/&gt;
• <http://securityresponse.symantec.com/avcenter/venc/data/backdoor.coreflood.dr.html&gt;
• <http://securityresponse1.symantec.com/sarc/sarc.nsf/html/backdoor.coreflood.html&gt;
• <http://securityresponse.symantec.com/avcenter/venc/data/download.aduent.trojan.html&gt;
• <http://www.symantec.com/avcenter/venc/data/trojan.qhosts.html&gt;
• http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0310&L=ntbugtraq&F=P&S=&P=2603
• http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0309&L=ntbugtraq&F=P&S=&P=784
• <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0838&gt;
• <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0809&gt;
• <http://pivx.com/larholm/unpatched/&gt;

Acknowledgements

Microsoft credits eEye Digital Security for reporting this vulnerability. Information used in this document came from eEye, Microsoft, and http_equiv.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2003-0532
CERT Advisory:	CA-2003-22 Severity Metric: