SUMMARY
Date: April 12, 2001
Subject
Symantec Enterprise Security Manager protects against the Microsoft Internet Explorer Incorrect MIME Header vulnerability.
Affected Systems
- All Windows versions of Microsoft Internet Explorer (IE) 5.5 SP1 or earlier running on x86 platforms, except IE 5.01 SP2.
- Any software that uses vulnerable versions of Internet Explorer to render HTML.
Problem
Microsoft’s Internet Explorer mishandles certain MIME headers in HTML email messages. As a result, specially formatted HTML files or email attachments can be opened automatically, and arbitrary code can run on a user’s computer without permission.
This vulnerability is currently being exploited on some hostile Web sites.
Details
Juan Carlos Cuartango, a security analyst based in Spain, discovered a vulnerability in the way Microsoft’s IE processes some MIME types within HTML mail files. He worked with Microsoft to confirm the issue and make a fix available.
Email messages in HTML are Web pages in an email format, so IE is used to open them and decides how to handle each part based on its MIME type. A software flaw exists in the way IE processes certain MIME types. A user with malicious intentions can create an HTML email attachment or HTML Web file containing a hostile executable.
By modifying the MIME header information to one of the improperly handled MIME types, a malicious user can cause an attachment to be opened and run automatically, either by placing it on a Web site that a user visits or by sending the email attachment containing the hostile executable directly to a user. IE would automatically launch the arbitrary code when the file was rendered, and the code would run with the permissions of the user on the affected system.
The vulnerability cannot be exploited unless File Downloading is enabled in the Security Zone in which the file is rendered. However, File Downloading is enabled by default in the affected versions of IE.
Risk Impact
Medium
The risk would depend on the user permissions under which the malicious code is executed.
Security Solution
Microsoft has released a security bulletin for this vulnerability, http://www.microsoft.com/technet/security/bulletin/MS01-020.asp, with a patch that can be downloaded to fix the problem. To properly apply the patch, a user must first upgrade to a supported version of IE; currently, IE 5.01 and 5.5 are supported versions.
NOTE: IE version 5.01 SP2 already contains a fix for this issue and is not affected.
Another option, if you cannot immediately apply the patch, is to disable “File Download” for the Security Zones in IE as follows:
1. Click Tools.
2. Select Internet Options.
3. Click the Security tab.
4. Click Custom Level.
5. In the Downloads section under File Download, select "Disable."
6. Click OK to apply the changes.
File download should be disabled for all the security zones to ensure maximum protection. If you need to download a file from a “trusted” site, enable “File Download” as required, and then disable it again before browsing further.
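An added example, not part of the original advisory or of Symantec's ESM template: a PowerShell audit of the File Download setting for the zones shown on the Security tab. It assumes a Windows system with PowerShell available and that the setting is stored per user as URL action 1803 under the Internet Settings zone keys (0 = enabled, 3 = disabled); the function name Get-IEFileDownloadSetting is hypothetical.

```powershell
# Added example (not from the advisory or ESM): audit IE "File Download" per zone.
# Assumption: the setting is URL action 1803 under each zone key; 0 = enable, 3 = disable.
$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActionId  = '1803'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IEFileDownloadSetting {
    # Emits one object per zone with the raw registry value and a readable state.
    foreach ($zone in 1..4) {
        $path  = Join-Path $ZonesKey "$zone"
        $value = $null
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $ActionId -ErrorAction SilentlyContinue
            if ($item) { $value = $item.$ActionId }
        }
        $state = if ($null -eq $value) { 'NotSet' } elseif ($value -eq 3) { 'Disabled' } else { 'Enabled' }
        [pscustomobject]@{
            ZoneId = $zone
            Zone   = $ZoneNames[$zone]
            Value  = $value
            State  = $state
        }
    }
}

$results = Get-IEFileDownloadSetting
$results | Format-Table -AutoSize

# A missing value is reported too: the advisory states that the default
# installation has File Download enabled, so "NotSet" is not proof of compliance.
$open = @($results | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    Write-Warning ('File Download is not disabled in: ' + ($open.Zone -join ', '))
    exit 1
}
Write-Output 'File Download is disabled in all audited zones.'
```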
Symantec Enterprise Solutions
Symantec’s Enterprise Security Manager helps manage these functions for you. Patches are managed through the ESM patch module. ESM further checks whether “File Download” is enabled in the Internet Explorer security zones in violation of your security policy, through the ESM template, which can be downloaded from:
http://securityresponse.symantec.com/avcenter/security/ESM/mime.zip
Copyright (c) 2001 by Symantec Corporation
Permission to electronically redistribute this Alert is granted as long as it is not edited in any way, and unless Symantec Security Response authorizes it. Reprinting the whole or part of this Alert in medium other than electronic requires permission from Sym Security@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of printing, based on currently available information. Using the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from the use of, or reliance on this information.
Symantec, Symantec Security Response, Enterprise Security Manager (ESM), and Sym Security are Registered Trademarks of Symantec Corporation and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.