Overview
A vulnerability exists in Microsoft Internet Explorer that allows a malicious agent to execute arbitrary code when parsing MIME parts in a document. Any user or program that uses vulnerable versions of Internet Explorer to render HTML in a document (for example, when browsing a filesystem, reading email or news messages, or visiting a web page) should immediately upgrade to a non-vulnerable version of Internet Explorer.
Description
Internet Explorer contains a table that determines how it handles MIME types encountered in any HTML document (email messages, newsgroup postings, web pages, or local files). This table contains a set of entries that cause Internet Explorer to do the wrong thing with certain MIME parts, introducing a security vulnerability. Specifically, these incorrect entries lead IE to open specific MIME parts without giving the end user the opportunity to say whether they should be opened. This vulnerability allows an intruder to construct malicious content that, when viewed in Internet Explorer (or any program that uses the IE HTML rendering engine), can execute arbitrary code. It is not necessary to run an attachment; simply viewing the document in a vulnerable program is sufficient. The systems affected by this vulnerability include:
IE 6 is not affected by this issue. For more details, see Microsoft Security Bulletin MS01-020 (or Microsoft Knowledgebase article Q290108) on this topic at:

Note: The above patch has been superseded by the IE 5.5 patches discussed in MS01-027. On May 15, 2002, Microsoft released a cumulative set of patches for Internet Explorer as discussed in MS02-023.

There have been reports that simply previewing HTML content (as in a mail client or filesystem browser) is sufficient to trigger the vulnerability.

This vulnerability is now being actively exploited. More information about the activity and remediation can be found in CERT Advisory CA-2001-26: Nimda Worm. This vulnerability has been exploited further, as discussed in CERT Incident Note IN-2002-05.
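A mail-gateway check for the kind of MIME part described above, as an added example that is not part of the original advisory: it flags parts whose declared Content-Type is a passive media type while the filename carries an executable extension. The mismatch heuristic, the extension and type lists, the function name and the sample message are assumptions constructed for illustration; the advisory does not list the affected MIME types.

```python
import email
import os
from email import policy

# Assumption: extensions a Windows desktop treats as directly runnable.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}
# Assumption: declared main types that should never label an executable payload.
PASSIVE_MAINTYPES = {"audio", "image", "video", "text"}


def suspicious_parts(raw_message: bytes):
    """Return (filename, declared_type) for leaf parts whose label and name disagree."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # get_filename() reads Content-Disposition filename, then Content-Type name
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in PASSIVE_MAINTYPES:
            findings.append((name, part.get_content_type()))
    return findings


# Constructed sample message: one honest image part, one mislabelled part.
# Both payloads are the base64 of the word "placeholder".
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>hello</body></html>\r\n"
    b"--b1\r\n"
    b'Content-Type: image/png; name="logo.png"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"cGxhY2Vob2xkZXI=\r\n"
    b"--b1\r\n"
    b'Content-Type: image/gif; name="photo.scr"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"cGxhY2Vob2xkZXI=\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for filename, declared in suspicious_parts(SAMPLE):
        print(f"quarantine: {filename!r} declared as {declared}")
```

A filter like this complements patching and does not replace it, since the vulnerable rendering path is also reachable from web pages and local files.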
Impact
Attackers can cause arbitrary code to be executed on a victim's system by embedding the code in a malicious email, news message, or web page.
Solution
Upgrade to IE 6, or apply the patch from Microsoft, available at:
References
- http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
- http://www.microsoft.com/technet/security/bulletin/MS01-027.asp
- http://support.microsoft.com/support/kb/articles/Q299/6/18.ASP
- http://support.microsoft.com/support/kb/articles/Q290/1/08.ASP
- http://www.kriptopolis.com/
- http://www.faqs.org/rfcs/rfc2387.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0154
- http://www.securityfocus.com/bid/2524
- http://www.securitytracker.com/alerts/2001/Mar/1001197.html
- http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
- http://www.ietf.org/rfc/rfc2045.txt
Acknowledgements
Microsoft has acknowledged Juan Carlos Cuartango as bringing this issue to their attention.
This document was written by Jeffrey S. Havrilla and Shawn V. Hernan.
Other Information
- CVE IDs: CVE-2001-0154
- CERT Advisory: CA-2001-06
- Severity Metric: 60.75
- Date Public: 2001-03-29
- Date First Published: 2001-03-31
- Date Last Updated: 2004-03-05 16:37 UTC
- Document Revision: 40