Internet Explorer Object Data Remote Execution Vulnerability
Release Date: August 20, 2003
Reported Date: May 15, 2003
Severity: High (Remote Code Execution)
Systems Affected: Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 5.5 Microsoft Internet Explorer 6.0 Microsoft Internet Explorer 6.0 for Windows Server 2003
Description: eEye Digital Security has discovered a security vulnerability in Microsoft's Internet Explorer that would allow executable code to run automatically upon rendering malicious HTML.
This is a flaw in Microsoft's primary contribution to HTML, the Object tag, which is used to embed basically all ActiveX into HTML pages. The parameter that specifies the remote location of data for objects is not checked to validate the nature of the file being loaded, and therefore trojan executables may be run from within a webpage as silently and as easily as Internet Explorer parses image files or any other "safe" HTML content.
This attack may be utilized wherever IE parses HTML, including web sites, e-mail, newsgroups, and within applications utilizing web-browsing functionality.
<snip>
In case anyone needs a SNORT rule to catch attempts to exploit this vulnerability:
#-----
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Internet Explorer Object Data Remote Execution Vulnerability"; \
content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; \
nocase; flow:from_server, established; \
reference:cve,CAN-2003-0532; \
classtype:web-application-activity; rev:1;)
#-----
Any improvements and suggestions to this rule are highly welcomed.
-- NK @ Vilnius nk.tinkle.lt
