Microsoft Internet Explorer and Outlook/Outlook Express Remote File Write Vulnerability

Under certain circumstances, Microsoft Internet Explorer and Outlook/Outlook Express will download files to the local TEMP directory even if a user has specifically cancelled a request to do so. The file could then be forcibly executed via an ActiveX control. For forcible execution, the correct path to the system's default temp folder must be specified in the ActiveX control.

If a malicious web site operator were to embed certain tags in a base 64 encoded HTML frameset a File Download dialogue box would appear when a user visits the webpage. This dialogue box would prompt the user to either save or open the file, or cancel the download altogether. The file will be downloaded to the TEMP directory regardless of what option a user chooses, including cancel. This vulnerability still applies even if the Security Zone settings are configured to disable downloads. In this case, a dialogue box would appear stating that file downloads are not permitted, however, the file would still be forcibly downloaded to the TEMP directory.

The second HTML frame would contain an ActiveX control with Class ID being 15589FA1-C456-11CE-BF01-00AA0055595A and a refresh tag pointing to the downloaded file. From here, the file downloaded to the TEMP directory would be executed.

The same results can be achieved by sending two malformed email messages to a recipient. The first email would consist of an HTML message containing a batch file.

The email recipient would be prompted whether or not they would like to save or open the file, or cancel the download. As stated above, when choosing any of these three options, the file will still be downloaded to the TEMP directory.

The second email would contain a malformed .url file pointing to the batch file.

If the user was deliberately mislead to click on the URL, the file downloaded to the TEMP directory would be then executed.

Note that if this vulnerability is exploited on Internet Explorer 5 for Unix, all running instances of IE will halt and will require manual termination.


 

Privacy Statement
Copyright 2010, SecurityFocus