(IE) Web Browser Has Multiple URL-related Flaws That May Allow for Remote Code Execution, Remote HTTP Request Generation, and Application of Incorrect Security Restrictions
Version(s): 5.01, 5.5, 6
Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000), Windows (XP)
Advisory/Patch Link: www.microsoft.com/technet/security/bulletin/MS01-051.asp
Microsoft reported several vulnerabilities in their Internet Explorer (IE) web browser. Malformed web URLs that use the dotless IP format will use Intranet Zone security preferences rather than those for the more restrictive Internet Zone. Two others flaws involve URL processing.
The first vulnerability is due to a flaw in URL processing. If a malformed web URL is specified using a dotless IP format (e.g., http://031713501415 rather than http://207.46.131.13), Internet Explorer will load the web page but will not interpret the web page as an Internet site, instead apply the security preferences of the Intranet Zone. In default configurations, the Intranet Zone runs with fewer security restrictions. This particular vulnerability does not affect IE 6.
The second vulnerability is due to a flaw in processing URLs that specify third-party sites. If a URL is encoded in a particular way, a remote user can cause HTTP requests to be generated that would be sent to another site as soon as the connection to that site is established. These HTTP requests will appear to have originated from the IE browser. This may allow a remote user to take action on behalf of another user.
The third vulnerability is apparently a variant of a previously reported flaw (discussed in Microsoft Security Bulletin MS01-015) involving how IE invokes Telnet sessions. When a Telnet session is specified in a web page, IE will start Telnet with any remotely supplied command-line options specified by the web site. This can be used by a remote user to specify malicious Telnet options.
When IE is used with the Telnet client provided as part of Services for Unix (SFU) 2.0 on Windows NT 4.0 or Windows 2000 hosts, the Telnet client can be made to create a verbatim transcript of a Telnet session. The remote user can use this logging option to stream an executable file to an arbitrary file on the IE user's host. The arbitrary file could be one that executes automatically the next time the IE user boots the host. Microsoft reports that this is not a hole in the Telnet client but in IE.
Microsoft credits Michiel Kikkert (security@kikkert.nl) for reporting the Zone Spoofing vulnerability and Joao Gouviea (tharbad@kaotik.org) for reporting the HTTP Request Encoding vulnerability.
Impact: A remote web site referring to a web page using the dotless IP format could cause that page to be loaded and interpreted using the Intranet Zone security options, which are typically less stringent.
A remote web site can cause HTTP requests to be generated appearing to have originated from the IE user. Those requests could take action on behalf of the user.
A remote web site can invoke the Telnet client on the IE user's host with special options that cause an executable file to be placed on the user's host that will be executed when the host is rebooted.
Solution: The vendor has issued patches, available at:
http://www.microsoft.com/windows....ult.asp
Microsoft notes that the IE 5.01 patch can be installed on IE 5.01 Service Pack 2, the IE 5.5 patch can be installed on IE 5.5 Service Pack 2, and the IE 6 patch can be installed on IE 6 Gold.
Microsoft indicates that this fix will be included in future IE 5.01 Service Pack 3, IE 5.5 Service Pack 3, and IE 6 Service Pack 1.
For additional instructions and for directions on how to verify the patch application, see the Vendor URL.
Microsoft Security Alert posted below:
Date: Wed, 10 Oct 2001 17:52:02 -0700
From: Microsoft Product Security <secnotif@MICROSOFT.COM>
Subject: Microsoft Security Bulletin MS01-051
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------
Title: Malformed Dotless IP Address Can Cause Web Page to be
Handled in Intranet Zone
Date: 10 October 2001
Software: Internet Explorer
Impact: Three vulnerabilities:
- Cause web page to render a web page using inappropriate security
settings
- Send commands to a third-party web site in the guise of the user
- Create a file on the system of a user who visited a web site.
Bulletin: MS01-051
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-051.asp.
- ----------------------------------------------------------------------
Issue:
======
This patch eliminates three vulnerabilities affecting Internet
Explorer. The first involves how IE handles URLs that include dotless
IP addresses. If a web site were specified using a dotless IP format
(e.g., http://031713501415 rather than http://207.46.131.13), and the
request were malformed in a particular way, IE would not recognize
that the site was an Internet site. Instead, it would treat the site
as an intranet site, and open pages on the site in the Intranet Zone
rather than the correct zone. This would allow the site to run with
fewer security restrictions than appropriate. This vulnerability does
not affect IE 6.
The second involves how IE handles URLs that specify third-party
sites. By encoding an URL in a particular way, it would be possible
for an attacker to include HTTP requests that would be sent to the
site as soon as a connection had been established. These requests
would appear to have originated from the user. In most cases, this
would only allow the attacker to send the user to a site and request
a page on it. However, if exploited against a web-based service
(e.g., a web-based mail service), it could be possible for the
attacker to take action on the user's behalf, including sending a
request to delete data.
The third is a new variant of a vulnerability discussed in Microsoft
Security Bulletin MS01-015, affecting how Telnet sessions are invoked
via IE. By design, telnet sessions can be launched via IE. However, a
vulnerability exists because when doing so, IE will start Telnet
using any command-line options the web site specifies. This only
becomes a concern when using the version of the Telnet client that
installs as part of Services for Unix (SFU) 2.0 on Windows NT® 4.0
or Windows® 2000 machines. The version of the Telnet client in SFU
2.0 provides an option for creating a verbatim transcript of a Telnet
session. An attacker could start a session using the logging option,
then stream an executable file onto the user's system in a location
that would cause it to be executed automatically the next time the
user booted the machine. The flaw does not lie in the Telnet client,
but in IE, which should not allow Telnet to be started remotely with
command-line arguments.
Mitigating Factors:
====================
Zone Spoofing vulnerability:
- The default settings in the Intranet Zone differ in only a few
ways from those of the Internet Zone. The differences are
enumerated in the FAQ, but none would allow destructive action
to be taken.
HTTP Request Encoding vulnerability:
- In order to exploit this vulnerability successfully, the
attacker would need to possess significant personal
information about the victim, such as what web services the
user subscribed to, folder structures, and so forth.
- Even if the attacker knew the requisite personal information,
factors outside of the attacker's control (such as whether
the user was logged onto the service already) could cause the
user to see prompts and dialogues that would indicate that an
attack was underway.
- It is unlikely that the vulnerability could be used to target
large populations; it is likely that it could be used only against
specific targets.
New variant of Telnet Invocation vulnerability:
- This vulnerability is only a concern for customers who are using
the Telnet client that ships as part of Services for Unix 2.0.
No other versions of Telnet contain the command-line feature to
create log files, including the versions that ship by default
as part of Windows platforms.
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-051.asp
for information on obtaining this patch.
Acknowledgment:
===============
- Michiel Kikkert (security@kikkert.nl)
- Joao Gouviea (tharbad@kaotik.org)
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBO8TtC40ZSRQxA/UrAQHy0Af+MZN2lTMZ4+pE0uemyAZQjVKW52+L5LkD
nzUEE6pUz5ZSCRNQBxjMUD53FDJYuIuopjp65w/Tc2oAnDbLwq0Zjm9p36egJCbG
y8v6ZwSgG1SSMsM0IBsH651TLvUjbnURpE5h3aMFwtjUH2I/LmBxV2dGMlmZ4xuN
jvNCyulh6o9ES2bxdKCRGznoE1afrbC8FMtaYqVKLRUuhTfQ997Z9wO4cxBSLeKM
owHlkmUpL+bHA+to62F3gL/bIkPoYW2+LTG8GHNewJqsib4TNRW3dI+bFfKNhOap
jCAzSVF8AtM7vTf1vAUMA1FRoJr25Obg2P3ZAiunvG9LTKeqM1/jbA==
=pdOt
-----END PGP SIGNATURE-----
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.