Title: Microsoft IE MIME Header Attachment Execution Vulnerability
Severity: HIGH
Description:
There exists a serious vulnerability in the HTML rendering component of Microsoft Internet Explorer, used in the web-browser product as well as many other software programs that involve HTML processing.
This vulnerability is related to the interpretation of MIME headers.
Multipurpose Internet Mail Extensions (MIME) enables users to exchange various data files over the internet. Prior to transmission, a MIME header type is specified by the server, enabling the recipient to choose the appropriate viewer for the data indicated in the header. Uncommon MIME headers typically aren't automatically viewed; instead, a user is promted with warning message of some kind, depending on the type.
When HTML code is processed, the output is created through a process called rendering. Rendering includes the interpretation of MIME fields and the data that is associated with them.
Many applications use the rendering capabilities of MSIE to process HTML in their application data. Therefore, any vulnerabilities in this subsystem could be present in the applications that use it as well.
Due to a flaw in IE's rendering system, it is possible for an attacker to run remotely supplied executables on the victim's machine. This is due to the renderer incorrectly handling a MIME header, and executing the associated binary program without warning or prompting the user. This behaviour occurs only when the Security Zone settings permit file downloads, which they do by default.
This vulnerability can be exploited by an attacker through a web-browser using a malicious web-page. If an attacker can cause the victim to visit the webpage using a vulnerable version of MSIE, arbitrary programs can be executed on the victim host.
This vulnerability can also be exploited elsewhere, against victims using MS-Outlook and possibly other client-programs which use the MSIE rendering system. Outlook uses the MSIE HTML rendering component to process HTML e-mail.
If an attacker composed an HTML email containing an executable attachment with a modified MIME header (one of the 'uncommon' types), IE will execute the unknown attachment rather than prompting the user. The end result may be the execution of arbitrary executables supplied by an attacker.
Depending on the security level of the user running the vulnerable application, successful exploitation of this vulnerability could lead to complete compromise of the host.
Exploits for this issue have been incorporated into a number of worms.
Affected Products:
- Microsoft Internet Explorer 5.0.1
- Microsoft Internet Explorer 5.0.1 SP1
- Microsoft Internet Explorer 5.0.1 SP2
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 5.5 SP1
- Microsoft Internet Explorer 5.5 SP2
- Microsoft Windows ME
References:
- Microsoft: Microsoft Security Bulletin (MS01-020)
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
