"Multiple Vulnerabilities in Microsoft Internet Explorer - All Versions"
[Revision from original indicated in bold]
The National Infrastructure Protection Center (NIPC) continues to track vulnerabilities within Microsoft Internet Explorer (IE). Microsoft's Outlook Express (OE) uses IE to show the text of any e-mail message in the body window of OE. This assessment addresses vulnerabilities that are the primary means through which several generations of recent mass-mailer computer worms (e.g., LoveLetter, Nimda, Klez, Badtrans.B) propagate.
First, when scripting is turned on in IE on Windows 95, Windows 98, Windows NT or Windows 2000, IE is vulnerable to an ActiveX and HTML exploit. Any e-mail or web page whose script includes the command "GetObject()" together with an ActiveX HTML file can view any file on the user's hard drive. This includes password files, cookie files, and other files containing personal or sensitive information. This vulnerability allows an unauthorized person to read or open files on the user's hard drive. The malicious executable program (malware) must request a file that exists on the drive, and many files common to Microsoft operating systems contain sensitive information: the Microsoft Windows password files reside at a specific location within the directory structure, as do cookie files that may contain personal information.
Second, a file extension bug takes advantage of the way IE handles file extensions. An HTML document, web site, e-mail, or any other HTML medium that exploits it can carry a Trojan, backdoor program, or other malware under a file extension such as .txt, .wav, .mp3, or any other extension. The "Open File" dialog box opens and asks whether the user wants to save the file or open it from its source. If the user chooses to open the file from its source, the file runs without any further questions or options being presented to the user. The NIPC is providing this assessment to raise awareness of these significant vulnerabilities, which otherwise have not been widely publicized.
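As an added example, not part of the NIPC assessment, the following Python script shows how a mail gateway or analyst could flag both patterns described above: an HTML body that calls GetObject(), and an attachment whose executable payload is disguised behind a non-executable file name and content type. The sample message, the function names and the executable-extension list are constructed here for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed fixture: a PE 'MZ' header plus padding stands in for a Windows executable.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 28

def build_sample_message() -> bytes:
    """Build a constructed e-mail exhibiting both patterns the advisory describes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(
        "<html><body><script>"
        "var o = GetObject('placeholder');"  # script calling GetObject() in the body
        "</script></body></html>",
        subtype="html",
    )
    # Declared as audio with a .wav name, but the bytes are an executable image.
    msg.add_attachment(FAKE_EXE, maintype="audio", subtype="x-wav", filename="song.wav")
    return msg.as_bytes()

GETOBJECT_CALL = re.compile(r"\bGetObject\s*\(", re.IGNORECASE)
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".pif")  # assumed list

def scan_message(raw: bytes) -> list:
    """Return the findings for one raw RFC 822 message."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # Pattern 1: active content in the HTML body that calls GetObject().
        if ctype == "text/html" and GETOBJECT_CALL.search(payload.decode("utf-8", "replace")):
            findings.append("html-body-calls-getobject")
        # Pattern 2: executable bytes behind a harmless-looking name or content type.
        fname = (part.get_filename() or "").lower()
        if payload.startswith(b"MZ") and (
            not fname.endswith(EXECUTABLE_EXTS) or not ctype.startswith("application/")
        ):
            findings.append(f"executable-disguised-as:{fname or ctype}")
    return findings

if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```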
The NIPC recommends that users consider turning off Active Scripting in OE by setting OE to use the "Restricted Sites Zone" (Note that this is the default for Outlook Express 6.0). Users of Outlook should also consider installing the Outlook E-mail Security Update (OESU) which sets Outlook to use "Restricted Sites" by default and blocks access to potentially harmful attachments (Note that the OESU is part of Outlook 2000 SP2 and Outlook XP).
To protect against the ActiveX and HTML exploit, users should consider their web browsing habits. Those who go to untrusted sites can turn off ActiveX and all scripting through IE's security settings in the "Internet" zone and move sites that they trust into the "Trusted Sites" zone.
It is further recommended that users consider not downloading anything from unknown or untrusted sources and verify the e-mail attachment before saving or executing. Users should also consider only downloading or accepting files from a trusted source and not relying on the apparent file type.
System administrators and home users are strongly encouraged to patch vulnerable system software as the primary means of defense against this and similar exploits (e.g., LoveLetter, Nimda, Klez, Badtrans.B). Administrators and users are also advised to keep their anti-virus software current by frequently checking vendor web sites for updates and routinely checking for alerts issued by the NIPC, CERT/CC, and other similar organizations.
The following link contains additional information on this threat: http://email@example.com
Microsoft has made available a patch for Outlook and Outlook Express to prevent this exploit from automatically executing, which can be found at: http://www.microsoft.com/technet/security/bulletin/ms01-020.asp
Recipients of this assessment are further encouraged to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online using http://www.nipc.gov/incident/cirr.htm.
The NIPC Watch and Warning Unit can be reached at (202) 323-3205, 1-888-585-9078