Title: Microsoft Internet Explorer and Outlook/Outlook Express Remote File Write Vulnerability
Severity: HIGH
Description:
Under certain circumstances, Microsoft Internet Explorer and Outlook/Outlook Express will download files to the local TEMP directory even if a user has specifically cancelled a request to do so. The file could then be forcibly executed via an ActiveX control. For forcible execution, the correct path to the system's default temp folder must be specified in the ActiveX control.
If a malicious web site operator were to embed certain tags in a base64-encoded HTML frameset, a File Download dialogue box would appear when a user visits the web page. This dialogue box would prompt the user to either save or open the file, or cancel the download altogether. The file will be downloaded to the TEMP directory regardless of which option the user chooses, including Cancel. This vulnerability still applies even if the Security Zone settings are configured to disable downloads. In this case, a dialogue box would appear stating that file downloads are not permitted; however, the file would still be forcibly downloaded to the TEMP directory.
The second HTML frame would contain an ActiveX control with the Class ID 15589FA1-C456-11CE-BF01-00AA0055595A and a refresh tag pointing to the downloaded file. From here, the file downloaded to the TEMP directory would be executed.
The same results can be achieved by sending two malformed email messages to a recipient. The first email would consist of an HTML message containing a batch file.
The email recipient would be asked whether they would like to save or open the file, or cancel the download. As stated above, whichever of these three options is chosen, the file will still be downloaded to the TEMP directory.
The second email would contain a malformed .url file pointing to the batch file.
If the user were deliberately misled into clicking on the URL, the file downloaded to the TEMP directory would then be executed.
Note that if this vulnerability is exploited on Internet Explorer 5 for Unix, all running instances of IE will halt and will require manual termination.
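For mail or proxy content inspection, the second frame described above can be recognised by its two markers together: an object tag carrying the Class ID from this advisory and a refresh tag whose target is a local file. The following Python scanner is an added example, not part of the original advisory; it assumes the frame or message body has already been base64-decoded, and the sample inputs, placeholder path and finding names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Class ID the advisory gives for the ActiveX control in the second frame.
ADVISORY_CLSID = "15589FA1-C456-11CE-BF01-00AA0055595A"

# Constructed samples (not captured traffic); the path and zero CLSID are placeholders.
SAMPLE_SUSPECT = (
    '<html><head><meta http-equiv="Refresh" '
    'content="0; URL=file:///C:/PLACEHOLDER_TEMP/placeholder.bat"></head>'
    '<body><object classid="CLSID:{15589fa1-c456-11ce-bf01-00aa0055595a}">'
    '</object></body></html>')
SAMPLE_BENIGN = (
    '<html><head><meta http-equiv="refresh" content="5; url=https://example.com/">'
    '</head><body><object classid="clsid:00000000-0000-0000-0000-000000000000">'
    '</object></body></html>')

class FrameScanner(HTMLParser):
    """Collects <object> class IDs and <meta http-equiv="refresh"> targets."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.clsids, self.refresh_targets = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "object":
            # Normalise "CLSID:{...}" / "clsid:..." to a bare upper-case GUID.
            cid = re.sub(r"(?i)^\s*clsid:", "", a.get("classid", ""))
            self.clsids.append(cid.strip("{} ").upper())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"(?i)url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""))
            if m:
                self.refresh_targets.append(m.group(1).strip())

def is_local_target(url):
    """True for file: URLs, drive-letter paths and UNC paths."""
    return bool(re.match(r"(?i)(file:|[a-z]:[\\/]|\\\\)", url))

def scan_html(html):
    """Return findings for one decoded HTML frame or message body."""
    s = FrameScanner()
    s.feed(html)
    s.close()
    has_clsid = ADVISORY_CLSID in s.clsids
    local = any(is_local_target(t) for t in s.refresh_targets)
    checks = [("object-with-advisory-clsid", has_clsid),
              ("refresh-to-local-file", local),
              ("advisory-pattern", has_clsid and local)]
    return [name for name, hit in checks if hit]
```

Either marker alone can occur in legitimate content, so only the combined "advisory-pattern" finding is a strong signal.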
Affected Products:
- Microsoft Internet Explorer 5.0 for Windows 2000
- Microsoft Internet Explorer 5.0 for Windows 95
- Microsoft Internet Explorer 5.0 for Windows 98
- Microsoft Internet Explorer 5.0 for Windows NT 4.0
- Microsoft Internet Explorer 5.0.1
- Microsoft Outlook 2000 0.0.0
- Microsoft Outlook 97 0.0.0
- Microsoft Outlook 98 0.0.0
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0