search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML

Vulnerability Note VU#980499

Original Release Date: 2001-03-31 | Last Revised: 2004-03-05

Overview

A vulnerability exists in Microsoft Internet Explorer that allows a malicious agent to execute arbitrary code when parsing MIME parts in a document. Any user or program that uses vulnerable versions of Internet Explorer to render HTML in a document (for example, when browsing a filesystem, reading email or news messages, or visiting a web page), should immediately upgrade to a non-vulnerable version of Internet Explorer.

Description

Internet Explorer contains a table which is used to determine the handling of MIME types encountered in any HTML document (email messages, newsgroup postings, web pages, or local files). This table contains a set of entries that cause Internet Explorer to do the wrong thing with certain MIME parts, introducing a security vulnerability. Specifically, these incorrect entries lead IE to open specific MIME parts without giving the end user the opportunity to say if they should be opened. This vulnerability allows an intruder to construct a malicious content that, when viewed in Internet Explorer (or any program that uses the IE HTML rendering engine) can execute arbitrary code. It is not necessary to run an attachment; simply viewing the document in a vulnerable program is sufficient.

The systems affected by this vulnerability include:

    • All Windows versions of Microsoft Internet Explorer 5.5 SP1 or earlier, except IE 5.01 SP2, running on x86 platforms
    • Any software which utilizes vulnerable versions of Internet Explorer to render HTML

IE 6 is not affected by this issue.

For more details, see Microsoft Security Bulletin MS01-020 (or Microsoft Knowledgebase article Q290108) on this topic at:
Note: The above patch has been superseded by the IE 5.5 patches discussed in MS01-027. On May 15, 2002, Microsoft released a cumulative set of patches for Internet Explorer as discussed in MS02-023.

There have been reports that simply previewing HTML content (as in a mail client or filesystem browser) is sufficient to trigger the vulnerability.

This vulnerability is now being actively exploited. More information about the activity and remediation can be found in CERT Advisory CA-2001-26: Nimda Worm. This vulnerability has been exploited further, as discussed in CERT Incident Note IN-2002-05.

Impact

Attackers can cause arbitrary code to be executed on a victim's system by embedding the code in a malicious email, or news message, or web page.

Solution

Upgrade to IE 6, or apply the patch from Microsoft, available at:

Note: The above patch has been superseded by the IE 5.5 patches discussed in MS01-027. A cumulative patch for this and other vulnerabilities is discussed in MS02-023.


It has been reported that upgrading to the latest version of Windows Media Player is an additional means to protect yourself from this problem. Although this appears to protect you from a specific way to exploit this vulnerability, we do not believe it is a general purpose fix. Disabling File Downloading in all of your Security Zones will also mitigate against the risks posed by the vulnerability.

Vendor Information

980499
 
Expand all

Lotus Software Affected

Notified:  March 30, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

Notes doesn't use IE to display HTML formatted email.

If a user's browser preferences specify Notes with Internet Explorer, then
the version of Internet Explorer that is installed on the user's
workstation is used for browsing.  It is launched as an ActiveX component
within Notes, but Notes does not ship any IE code.  If Internet Explorer is
chosen as the user's preferred browser, then Notes launches Internet
Explorer in a separate window and opens the link.  The Notes client does
not need to be upgraded but the user must upgrade their version of Internet
Explorer to prevent against this vulnerability, which they should do
anyway.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional information at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation Affected

Updated:  July 17, 2002

Status

Affected

Vendor Statement

Please see the advisory (MS01-020, "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment") related to this issue at:

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

A patch is available for this issue at:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp

Note: The above patch has been supserseded by the IE 5.5 patches discussed in MS01-027. A cumulative patch for this and other vulnerabilities is discussed in MS02-023.

IE 6 is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

As noted in the MS01-020 Caveats section of the advisory, end users must apply this patch to supported versions of Microsoft's browser. This means IE must upgrade to IE 5.01 Service Pack 1 or IE 5.5 Service Pack 1 users must apply this patch. Users of IE who have not previously upgraded will receive an incorrect message stating that they do not need to apply this patch. Users are advised to upgrade to IE 5.5 SP1, IE 5.01 SP1 or SP2 (which has this patch incorporated in it).

From MS01-020:

Caveats:
If the patch is installed on a system running a version of IE other
than the one it is designed for, an error message will be displayed
saying that the patch is not needed. This message is incorrect, and
customers who see this message should upgrade to a supported version
of IE and re-install the patches.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cyrusoft Not Affected

Notified:  March 30, 2001 Updated: March 30, 2001

Status

Not Affected

Vendor Statement

Mulberry does not use Internet Explorer to render HTML within Mulberry
itself and is not vulnerable to these kinds of problems. Users can save
HTML attachments to disk and then view those in browsers susceptible to
this problem, but this requires the direct intervention of the user to
explicitly save to disk - simply viewing HTML in Mulberry does not expose
users to these kinds of problems.

Our HTML rendering is a basic styled-text only renderer that does not
execute any form of scripts. This is true on all the platforms we support:
Win32, Mac OS (Classic & X), Solaris, linux.

An official statement about this is available on our website at:

<http://www.cyrusoft.com/mulberry/htmlsecurity.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netscape Communications Corporation Not Affected

Notified:  March 30, 2001 Updated: April 12, 2001

Status

Not Affected

Vendor Statement

We have concluded that the bug, as described below, does NOT affect Netscape clients 4.x and 6.x for the following two reasons:

    1. We ALWAYS verify that the user wants to open/launch the attachment with a link. The user must click this link to view/launch the attachment.
    2. Also, we ALWAYS stay true to the MIME type given. Therefore, if someone sent a malicious .exe file, and manually changed the MIME type to image/gif, Netscape would open the file as a gif. The result would be garbled binary code.

    As a result of our forced check for user authorization (bullet #1) we assume that the bug in question does not affect us.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Opera Software Not Affected

    Notified:  March 30, 2001 Updated: April 02, 2001

    Status

    Not Affected

    Vendor Statement

    Opera does not use Internet Explorer or any other external software to render html.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    QUALCOMM Unknown

    Notified:  March 30, 2001 Updated: March 30, 2001

    Status

    Unknown

    Vendor Statement

    It is unclear at this time what impact, if any, this vulnerability has on Eudora clients.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.


    CVSS Metrics

    Group Score Vector
    Base
    Temporal
    Environmental

    References

    Acknowledgements

    Microsoft has acknowledged Juan Carlos Cuartango as bringing this issue to their attention.

    This document was written by Jeffrey S. Havrilla and Shawn V. Hernan.

    Other Information

    CVE IDs: CVE-2001-0154
    CERT Advisory: CA-2001-06
    Severity Metric: 60.75
    Date Public: 2001-03-29
    Date First Published: 2001-03-31
    Date Last Updated: 2004-03-05 16:37 UTC
    Document Revision: 40

    Sponsored by CISA.

    Download PGP Key

    Read CERT/CC Blog

    Learn about Vulnerability Analysis