Software Engineering Institute

Microsoft Internet Explorer features the ability to process scripts contained in HTML documents. This feature is known as Active scripting, and Internet Explorer supports several scripting languages, including VBScript and JScript. JScript is similar to Netscape's JavaScript and both languages played some part in the development of ECMAScript (ECMA-262). For security reasons, a script loaded from one site should not be able to access resources on another site, including the local client. In JavaScript, the Same Origin Policy protects clients by ensuring that "when loading a document from one origin, a script loaded from a different origin cannot get or set specific properties of specific browser and HTML objects in a window or frame." Internet Explorer implements a similar policy, adding the restriction that scripts are not allowed to access properties or objects across security zones.

As reported by GreyMagic Software and Liu Die Yu, Internet Explorer does not adequately validate references to certain cached objects and methods across different domains and security zones. A script from a potentially malicious site executing in one domain and security zone is able to access resources in another domain and zone, including the Local Computer zone, via the DHTML Document Object Model interface.

Outlook, Outlook Express, AOL, MSN, Eudora, Lotus Notes, and any other software that uses the WebBrowser ActiveX control could be affected by this vulnerability.

Note that in order for this vulnerability to be exploited, Active scripting must be enabled in the security zone in which the HTML document is rendered.

More information is available in Microsoft Security Bulletin MS02-068.

By convincing a user to follow a URL or read an HTML email message containing malicious script, and attacker could take any action with the privileges of the user executing the script. This could include opening new browser windows to different sites in different security zones, reading or modifying information in open browser windows, reading files on the local file system, and executing commands that are in a location known to the attacker. An attacker who is able to obtain cookies used for authentication may be able to impersonate a legitimate user and obtain sensitive data such as passwords or credit card information. By leveraging features of the Microsoft HTML Help system (VU#25249), an attacker could execute commands with parameters or cause arbitrary files to be downloaded to a known location on the local system, subject to the user's privileges.

Apply Patch

Apply the patch referenced in Microsoft Security Bulletin MS03-015.

A number of object and method caching vulnerabilities were addressed by MS02-066. The external method caching vulnerability was addressed by MS02-068, which supersedes MS02-066. As of May 2003, the clipboardData method caching vulnerability has not been addressed. Both the external and clipboardData vulnerabilities affect Internet Explorer version 6.0 SP1.

Disable Active scripting

At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, and any other software that uses Internet Explorer to render HTML. Instructions for disabling Active scripting can be found in the CERT/CC Malicious Web Scripts FAQ.

Apply Outlook Email Security Update

The Outlook Email Security Update configures Outlook 2000 and Outlook 98 to use the Restricted sites zone to open email. By default, Active scripting is disabled in the Restricted sites zone. Outlook Express 6.0 and Outlook 2002 include the functionality provided by the Outlook Security Update.
Outlook 2000:
http://office.microsoft.com/downloads/2000/Out2ksec.aspx

Outlook 98:
http://office.microsoft.com/downloads/9798/Out98sec.aspx
Restrict HTML Help commands

Restrict the execution of the Shortcut and WinHelp HTML Help commands to specified folders, or disable the commands entirely. This will prevent malicious scripts from downloading arbitrary files and executing arbitrary commands with parameters via HTML Help. It will also limit the ability of HTML Help to open URLs and execute commands.

http://support.microsoft.com/?kbid=810687
Microsoft has also released an updated version of HTML Help (811630) that is available via Windows Update:

http://support.microsoft.com/default.aspx?scid=KB;en-us;q811630
Filter Script Code

It may be possible to use an application layer filter to detect and block or disable script code within HTML data.