---------------------------------------------------------------------- SNS Advisory No.67 The Return of the Content-Disposition Vulnerability in IE Problem first discovered on: Wed, 18 Sep 2002 Published on: Thu, 21 Aug 2003 ---------------------------------------------------------------------- Overview: --------- Microsoft Internet Explorer is prone to a vulnerability that can, under several conditions, result in the automatic download and parse of a specific tag included with HTML files in the My Computer zone without the knowledge of the user. Problem Description: -------------------- If specific MIME type is specified in the Content-Type header of an HTTP response and if a special string is defined in the Content- Disposition header, this string can be automatically downloaded and opened within the Temporary Internet Files (TIF) under several conditions in Microsoft Internet Explorer. A malicious website administrator can induce a user to view a specially crafted web site to cause the script to be automatically executed upon viewing the malicious contents. Execution of the script can then, disclose the path to the TIF directory to the attacker. Additionally, if this vulnerability is exploited through a specific string in the Content-Disposition header, the OBJECT tag can be parsed in the "My Computer" zone. However, if the user has access to the malicious Web site, the attacker will be able to execute programs on the computer with the user's privileges. Tested Version: --------------- Internet Explorer 6 Service Pack 1 Japanese Edition Solution: --------- Apply an appropriate patch available at: Microsoft Security Bulletin MS03-032: http://www.microsoft.com/technet/security/bulletin/MS03-032.asp Microsoft Security Bulletin MS03-032(Japanese site): http://www.microsoft.com/japan/technet/security/bulletin/MS03-032.asp Discovered by: -------------- Yuu Arai y.arai@lac.co.jp Acknowledgements: ----------------- Thanks to: Security Response Team of Microsoft Asia Limited Disclaimer: ----------- The information contained in this advisory may be revised without prior notice and is provided as it is. Users shall take their own risk when taking any actions following reading this advisory. LAC Co., Ltd. shall take no responsibility for any problems, loss or damage caused by, or by the use of information provided here. This advisory can be found at the following URL: http://www.lac.co.jp/security/english/snsadv_e/67_e.html ------------------------------------------------------------------ Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp> Computer Security Laboratory, LAC http://www.lac.co.jp/security/
