2000640 : Microsoft Internet Explorer 5.5 index.dat file can be used to remotely execute code
Event Description
Microsoft Internet Explorer allows a malicious Web site operator to inject executable code in the index.dat file, by including JavaScript in a URL. Internet Explorer uses the index.dat file to store recently visited URLs and maintain a listing of subfolders in the Temporary Internet Files folder. After code is injected into index.dat, the attacker can parse the file to execute the code, using the OBJECT TYPE="text/html" variable to bypass security restrictions in Internet Explorer. When the file is parsed, the JavaScript executes as trusted code, because index.dat is registered as local content by the Internet Explorer security mechanism.
A malicious Web site operator could use this to execute any malicious JavaScript on a visiting user's computer, including code that would list the names of the cache folders in the Temporary Internet Files folder. If an attacker knows the names of the cache folders, the attacker can execute other files that have been downloaded to the visiting user's computer and cached in these folders.
Products that have this security check
- BlackICE Agent for Server
- BlackICE PC Protection
- BlackICE Server Protection
- Proventia Desktop
- Proventia Network IDS
- Proventia Network IPS
- Proventia Network MFS
- Proventia Server for VMware
- Proventia Server IPS for Linux technology
- Proventia Server IPS for Microsoft Windows technology
- RealSecure Desktop
- RealSecure Desktop Protector
- RealSecure Desktop Protector 3.6
- RealSecure Guard
- RealSecure Network
- RealSecure Sentry
- RealSecure Server Sensor
HTTP_GETargscript
This signature detects an HTTP GET request that contains a cross-site scripting attack in its argument data. Because of the unusual nature of this exploit, this signature cannot report the true intruder. During this exploit, the victim communicates with an HTTP server that the intruder has chosen. However, this HTTP server is simply a "means to an end" and plays no role in the actual attack. The damage is done when the Web browser executes the script while processing the data returned by the Web server. The real intruder may be indicated by other events reported concurrently with this one. This event is superseded by the 'Cross_Site_Scripting' event.
False Positive: The triggering of the event does not necessarily indicate malicious intent.
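The kind of check the signature description outlines, as an added example that is not ISS's signature logic: it inspects the argument data of GET request lines, decoding percent-encoding before matching. The marker set, the function names and the sample request lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Markers treated as script content in argument data (assumed set, for illustration).
SCRIPT_MARKERS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # bound repeated decoding (handles %253C -> %3C -> <)


def decode_fully(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_request_line(line):
    """Return (name, decoded value) pairs of GET arguments that carry script."""
    parts = line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return []
    hits = []
    # Split on '&' before decoding so an encoded '&' cannot create new arguments.
    for pair in urlsplit(parts[1]).query.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        name, value = decode_fully(raw_name), decode_fully(raw_value)
        if SCRIPT_MARKERS.search(name) or SCRIPT_MARKERS.search(value):
            hits.append((name, value))
    return hits


# Constructed sample request lines (not taken from real traffic).
SAMPLES = [
    "GET /search?q=index.dat+history HTTP/1.0",
    "GET /view?page=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.0",
    "GET /view?page=%253CSCRIPT%253Ealert(1)%253C%252FSCRIPT%253E&id=7 HTTP/1.0",
    "GET /help?topic=how+to+write+javascript HTTP/1.0",
    "GET /search?q=%3Cscript%3E+tag+tutorial HTTP/1.0",  # benign search, still flagged
    "POST /view?page=%3Cscript%3E HTTP/1.0",  # not a GET, out of scope here
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_request_line(sample))
```

The fifth sample is a harmless search for documentation that still matches, which is the situation the False Positive note describes.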
Affected platforms
- Microsoft Internet Explorer 5.0
- Microsoft Internet Explorer 5.0.1
- Microsoft Internet Explorer 5.0.1 SP1
- Microsoft Internet Explorer 5.0.1 SP2
- Microsoft Internet Explorer 5.0.1 SP3
- Microsoft Internet Explorer 5.0.1 SP4
- Microsoft Internet Explorer 5.1
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 5.5 Preview
- Microsoft Internet Explorer 5.5 SP1
- Microsoft Internet Explorer 5.5 SP2
How to remove this vulnerability
Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS01-027. See References.
For IE 5.01 SP1:
Microsoft originally provided a patch for this vulnerability in MS00-093, but it was superseded by the patch released with MS01-015 and then superseded with MS01-027.
As a workaround, disable Active Scripting.
References
Microsoft Security Bulletin MS01-027
Flaws in Web Server Certificate Validation Could Enable Spoofing
http://www.microsoft.com/technet/security/bulletin/MS01-027.mspx
Microsoft Security Bulletin MS01-015
IE can Divulge Location of Cached Content
http://www.microsoft.com/technet/security/bulletin/MS01-015.mspx
Georgi Guninski Security Advisory #29
OBJECT TYPE="text/html" may allow executing arbitrary programs in IE 5.5
http://www.guninski.com/parsedat-desc.html
Georgi Guninski Vulnerability Demonstration
OBJECT DATA="text/html" may allow executing arbitrary programs in IE 5.5 demo
http://www.guninski.com/parsedat.html
Microsoft Security Bulletin MS00-093
Patch Available for "Browser Print Template" and "File Upload via Form" Vulnerabilities
http://www.microsoft.com/technet/security/bulletin/ms00-093.mspx
Microsoft Security Bulletin MS00-055
Patch Available for "Scriptlet Rendering" Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-055.mspx
BugTraq Mailing List, Thu Nov 23 2000 - 09:50:01 CST
OBJECT TYPE="text/html" may allow executing arbitrary programs in IE 5.5
http://archives.neohapsis.com/archives/bugtraq/2000-11/0309.html
BugTraq
Microsoft Internet Explorer 5.5 Index.dat Vulnerability
http://www.securityfocus.com/bid/1978
Information about this document
The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than Internet Security Systems. Use of this information constitutes acceptance for use in an "AS IS" condition, without warranties of any kind, and any use of this information is at the user's own risk. Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Internet Security Systems be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if Internet Security Systems has been advised of the possibility of such damages.
Copyright © 1997 – 2010 IBM Internet Security Systems. All rights reserved.
This page was created on Sat Sep 4 00:45:30 2010
