Overview
A cross-domain vulnerability exists in the DHTML Editing ActiveX control. An attacker may be able to execute arbitrary script in the Local Machine Zone or read or modify data in other domains. For example, the attacker could execute arbitrary commands with parameters, download and execute arbitrary code, read cookies, spoof content, or modify form behavior.
Description
The Cross-Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Internet Security Manager Object determines which zone or domain a URL exists in and what actions can be performed. From Microsoft Security Bulletin MS03-048:
Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker may be able to execute script in the Local Machine Zone. Script that executes in the Local Machine Zone can be used to download and execute arbitrary code. An attacker may obtain full access to web content in another domain, which may reside in a different security zone. The impact is similar to that of a cross-site scripting vulnerability. This includes the ability to spoof or modify web content, access website information such as cookies, or retrieve data from an encrypted HTTPS connection. For a more detailed description of the impact of cross-site scripting vulnerabilities, please see CERT Advisory CA-2000-02.
Solution
Install an update
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.
References
- http://secunia.com/advisories/13482/
- http://www.securityfocus.com/bid/11950
- http://www.securitytracker.com/alerts/2004/Dec/1012584.html
- http://xforce.iss.net/xforce/xfdb/18504
- http://freehost07.websamba.com/greyhats/abusiveparent-discussion.htm
- http://activex.microsoft.com/activex/controls/dhtmled/dhtmled.asp
- http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/dnaredcom/html/cncpt.asp
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnmshtml/html/mshtmleditplatf.asp
- http://www.cert.org/advisories/CA-2000-02.html#impact
- http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56
- http://support.microsoft.com/?kbid=833633
- http://support.microsoft.com/?kbid=315933
- http://support.microsoft.com/?kbid=240797
- http://support.microsoft.com/?kbid=298110
- http://www.antiphishing.org/consumer_recs.html
Acknowledgements
This vulnerability was publicly reported by Paul.
This document was written by Will Dormann.
Other Information
CVE IDs: CVE-2004-1319
Severity Metric: 35.10
Date Public: 2004-12-15
Date First Published: 2005-01-05
Date Last Updated: 2005-02-17 16:36 UTC
Document Revision: 29