----------------------------------------------------------------------
SNS Advisory No.67
The Return of the Content-Disposition Vulnerability in IE
Problem first discovered on: Wed, 18 Sep 2002
Published on: Thu, 21 Aug 2003
----------------------------------------------------------------------
Overview:
---------
Microsoft Internet Explorer is prone to a vulnerability that can,
under several conditions, result in the automatic download and
parse of a specific tag included with HTML files in the My Computer
zone without the knowledge of the user.
Problem Description:
--------------------
If specific MIME type is specified in the Content-Type header of
an HTTP response and if a special string is defined in the Content-
Disposition header, this string can be automatically downloaded and
opened within the Temporary Internet Files (TIF) under several
conditions in Microsoft Internet Explorer. A malicious website
administrator can induce a user to view a specially crafted web site
to cause the script to be automatically executed upon viewing the
malicious contents. Execution of the script can then, disclose the
path to the TIF directory to the attacker.
Additionally, if this vulnerability is exploited through a specific
string in the Content-Disposition header, the OBJECT tag can be
parsed in the "My Computer" zone. However, if the user has access
to the malicious Web site, the attacker will be able to execute
programs on the computer with the user's privileges.
Tested Version:
---------------
Internet Explorer 6 Service Pack 1 Japanese Edition
Solution:
---------
Apply an appropriate patch available at:
Microsoft Security Bulletin MS03-032:
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
Microsoft Security Bulletin MS03-032(Japanese site):
http://www.microsoft.com/japan/technet/security/bulletin/MS03-032.asp
Thanks to:
Security Response Team of Microsoft Asia Limited
Disclaimer:
-----------
The information contained in this advisory may be revised without prior
notice and is provided as it is. Users shall take their own risk when
taking any actions following reading this advisory. LAC Co., Ltd. shall
take no responsibility for any problems, loss or damage caused by, or
by the use of information provided here.
This advisory can be found at the following URL:
http://www.lac.co.jp/security/english/snsadv_e/67_e.html
SNS Advisory No.67
The Return of the Content-Disposition Vulnerability in IE
Problem first discovered on: Wed, 18 Sep 2002
Published on: Thu, 21 Aug 2003
----------------------------------------------------------------------
Overview:
---------
Microsoft Internet Explorer is prone to a vulnerability that can,
under several conditions, result in the automatic download and
parse of a specific tag included with HTML files in the My Computer
zone without the knowledge of the user.
Problem Description:
--------------------
If specific MIME type is specified in the Content-Type header of
an HTTP response and if a special string is defined in the Content-
Disposition header, this string can be automatically downloaded and
opened within the Temporary Internet Files (TIF) under several
conditions in Microsoft Internet Explorer. A malicious website
administrator can induce a user to view a specially crafted web site
to cause the script to be automatically executed upon viewing the
malicious contents. Execution of the script can then, disclose the
path to the TIF directory to the attacker.
Additionally, if this vulnerability is exploited through a specific
string in the Content-Disposition header, the OBJECT tag can be
parsed in the "My Computer" zone. However, if the user has access
to the malicious Web site, the attacker will be able to execute
programs on the computer with the user's privileges.
Tested Version:
---------------
Internet Explorer 6 Service Pack 1 Japanese Edition
Solution:
---------
Apply an appropriate patch available at:
Microsoft Security Bulletin MS03-032:
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
Microsoft Security Bulletin MS03-032(Japanese site):
http://www.microsoft.com/japan/technet/security/bulletin/MS03-032.asp
Discovered by:
--------------
Yuu Arai y.arai (at) lac.co (dot) jp [email concealed]
Acknowledgements:
-----------------
Thanks to:
Security Response Team of Microsoft Asia Limited
Disclaimer:
-----------
The information contained in this advisory may be revised without prior
notice and is provided as it is. Users shall take their own risk when
taking any actions following reading this advisory. LAC Co., Ltd. shall
take no responsibility for any problems, loss or damage caused by, or
by the use of information provided here.
This advisory can be found at the following URL:
http://www.lac.co.jp/security/english/snsadv_e/67_e.html
------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv (at) lac.co (dot) jp [email concealed]>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
[ reply ]