Microsoft Security Bulletin MS02-019

Technical description:

This is a cumulative patch that, when applied, eliminates all previously released security vulnerabilities affecting IE 5.1 for Macintosh, and Office v. X for Macintosh. In addition, it eliminates two newly discovered vulnerabilities.

• The first is a buffer overrun vulnerability associated with the handling of a particular HTML element. Because of support for HTML in Office applications, this flaw affects both IE and Office for Macintosh. A security vulnerability results because an attacker can levy a buffer overrun attack against IE that attempts to exploit this flaw. A successful attack would have the result of causing the program to fail, or to cause code of the attacker's choice to run as if it were the user.
• The second is a vulnerability that can allow local AppleScripts to be invoked by a web page. This vulnerability can allow locally stored AppleScripts to be invoked automatically without first calling the Helper application. The AppleScripts would run as if they had been launched by the user, and could take the same actions as any AppleScript legitimately launched by the user. The AppleScript would have to already be present on the system; there is no way for an attacker to deliver an AppleScript of her choosing through this vulnerability.

Mitigating factors:

Unchecked Buffer in HTML Element:

• Successfully exploiting this issue with Office files requires that a user accept files from an unknown or untrusted source. Users should never accept files unknown or untrusted sources. Accepting files only from trusted sources can prevent attempts to exploit this issue.
• A successful attack using HTML email would require specific knowledge of the user's mail client and cannot be mounted against PC users.
• A successful attack using an HTML web page would require the attacker to lure the user to visiting a site under her control. Users who exercise caution in their browsing habits can potentially protect themselves from attempts to exploit this vulnerability.
• On operating systems that enforce security on per-user basis, such as Mac OS X, the specific actions that an attacker's code can take would be limited to those allowed by the privileges of the user's account.

Local AppleScript Invocation:

• The vulnerability only affects IE on Mac OS 8 & 9.
• A successful attack requires that the attacker know the full path and file name of any AppleScript they want to invoke.
• The vulnerability provides no means to deliver an AppleScript of the attacker's construction: it can only invoke AppleScripts already present on the user's system.

Severity Rating:

Unchecked Buffer in HTML Element:

Local AppleScript Invocation:

Aggregate severity of all vulnerabilities eliminated by patch:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The unchecked buffer in HTML Element vulnerability could be remotely exploited through HTML email. On Office, the HTML Element issues does not qualify as a vulnerability, because exploiting the issue requires that users accept and open files from untrusted sources. The AppleScript local invocation requires detailed knowledge regarding the naming and configuration of the machine in order to be exploitable. In addition, the severity rating includes the aggregate ratings for issues eliminated by previous patches that are contained in this patch.

Vulnerability identifier:

• Unchecked Buffer in HTML Element:CAN-2002-0152
• Local AppleScript Invocation:CAN-2002-0153

Tested Versions:

Microsoft tested Internet Explorer 5.1 for Macintosh, Outlook Express 5.0.2, and Office v. X, 2001 and 98 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What vulnerabilities are eliminated by this patch?
These are cumulative patches that, when applied, eliminated all known security vulnerabilities affecting IE 5.1, Office v. X, 2001 and 98 for Macintosh. In addition to eliminating all previously patched vulnerabilities, it addresses two new ones:

• A vulnerability that could allow an attacker to run code on the user's system as if she were the user.
• A vulnerability that could allow an attacker to invoke an AppleScript stored on the user's machine if she knew the exact name and location of the script.

Unchecked Buffer in HTML Element (CVE-CAN-2002-0152)

What's the scope of the first vulnerability?
This is a buffer overflow vulnerability. By creating a specially formed web page and posting it on a web site or sending it to a user as HTML email, it is possible for an attacker to exploit the vulnerability and cause code to run as if it were run by the user himself. In addition, it's possible to exploit this particular vulnerability by including the malformed web page in some Mac Office data files. This code could take any action that the user himself is capable of including adding, changing or deleting data or configuration information.
In the case of Mac OS X, the specific actions that an attacker's program could take would be limited by the security on the user's account. User's who use accounts adhere to least privilege could limit the damage that a successful attack could accomplish. In the case of Mac Office files, there is no way to exploit this vulnerability without the user first knowingly accepting files from an unknown or untrusted source and then choosing to open them.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the code that handles the processing of a certain HTML element. If an attacker were to build a web page that invokes this element in a particular manner, she could overrun the buffer and cause code of her choice to run on the user's system.

What are HTML Elements?
Hypertext Markup Language or HTML forms the underlying language that lets web browsers display web pages. In its most basic form, a web page is simply a collection of text that is displayed in the web browser. To provide for a richer and fuller experience, HTML provides the ability to display more than unformatted text. This is accomplished through the use of commands or elements that give the browser to instructions on how to handle the information that's being passed to it
For example, suppose you wanted to give a web page a title. You would use a specific HTML element that would call out the title. In the raw HTML, the actual title would be demarcated by the HTML element tag and look like this:
The tags tell the browser where the element begins and ends, so that it can process the element correctly.
There are many elements that provide many different functions. They do all, though, have the same structure in common: they are all demarcated with the element name within brackets so that the browser can correctly identify that something is an element, and then determine the particular element for proper handling and see where it ends.

How are HTML elements handled?
Since there are many different HTML elements, there are different programmatic routines to handle each particular element properly. The browser will evaluate each particular element as it is received and based on the initial tag pass the information which follows to the correct handler for processing. It will continue doing this until it detects a closing tag. At this point, it will no longer send the information to the handler.
Using the example above, when the browser reads the initial title tag, is received, the browser stops passing information to the title handler.

What's wrong with how the particular HTML element is handled?
There is a flaw in the handler routines for a particular HTML element. Specifically, the data received is not properly validated against the available input buffer.

Why does this flaw affect Office as well as IE for Macintosh?
Office for Macintosh provides support for web pages within several of its constituent applications. The flaw that affects this particular HTML element in question is also present in these products as well.

Is this the same flaw as the Buffer Overrun in HTML Directive?
No. While this is similar to the issue that was addressed in MS02-005, it is different.

What could this vulnerability enable an attacker to do?
An attacker could use this vulnerability to attempt to modify the program as it was running. This means that an attacker could seek to make her own program run on the system as if the user had chosen to start it.
This means that the attacker's code could take any action that the user himself were capable of including adding, changing or deleting data or configuration information. For instance, the attacker could attempt to change the security settings on the system or attempt to delete a file of her choosing on the user's system.
It's important to note that on operating systems that enforce security on a per-user basis, such as Mac OS X, the user's capability to act on the system may be limited, based on the specific configuration of his account. If the user's account had few privileges, that attacker's code may be limited in the actions that it could take. Alternately, if the user were running as an administrator or other highly privileged account, the attacker could take complete control of the system.

How could an attacker exploit this vulnerability?
An attacker would need to create a web page that invoked the HTML element in question in a particular way. The user would then have to open or view this web page in one of two ways:

• By viewing it in IE by browsing to a site where she had posted the web page. When the page had loaded in IE, it would attempt to exploit the vulnerability.
• By viewing it in Outlook Express or Entourage by opening the web page as an HTML email. When the message had opened by the user or rendered in the preview pane, it would attempt to exploit the vulnerability.

How great a risk does the web-borne scenario pose?
For the web-borne scenario to succeed, the attacker would have to entice the user to visit the page she had posted. A user who exercises caution in his choice of web sites could potentially protect himself from this attempt to exploit the vulnerability by not visiting the attacker's malicious page.

How great a risk does the email-borne scenario pose?
The email-borne scenario has the advantage that the attacker can send the page directly to the user. Additionally, it could be used to attack multiple users through a mass-mailing attack. However, this attack does require knowing the particular mail client that the intended victim is using, which can mitigate the threat.

You said that this flaw affects Office for Macintosh as well. How would an attacker seek to exploit this flaw using Office?
For an attack to succeed using this method, a user would have to accept a file from a malicious or unknown source. When the user opened the file, it would attempt to exploit the flaw.
However, because users should never accept files from unknown or untrusted sources, this actually doesn't qualify as security vulnerability. By exercising proper caution based on the trustworthiness of the source of a file, a user can protect himself from this scenario.
In the best interests of customers, however, we are making a fix available now so that they can address this issue in conjunction with the IE vulnerability.

How does the patch eliminate this vulnerability?
The patch eliminates this vulnerability by implementing proper input validation on the HTML element in question.

I'm running IE for Mac OS X, how do I eliminate this vulnerability?
If you're running IE for Mac OS X, you can eliminate this vulnerability by using the Software Update feature of Mac OS X v. 10.1 to install the "Internet Explorer 5.1 Security Update".

I'm running an affected product other than IE for Mac OS X, what should I do?
If you're running any of the other affected products, you should apply the patches available for download as specified in the "Download Locations for this Patch" section of the bulletin.

Does this vulnerability affect IE for Windows?
No. This vulnerability does not affect IE for Windows.

Does this flaw affect Office for Windows? 
No. This flaw does not affect Office for Windows.

Local Applescript Invocation (CAN-CVE-2002-0153)

What's the scope of the second vulnerability?
This vulnerability could allow an attacker to invoke an AppleScript already present on the user's machine. The attacker could seek to exploit this vulnerability by constructing a web page that references an AppleScript file already present on the user's local machine. When the web page was viewed in a browser, the script would execute as if the user had chosen to run the script himself.
The vulnerability only affects IE on Mac OS 8 & 9; it does not affect IE on Mac OS X. Also, while there are many well-known AppleScripts, because the system hard drive can be easily renamed, it's possible to mitigate the threat this poses by having a non-default hard drive name.

What causes the vulnerability?
The vulnerability results because of incorrect handling of AppleScripts within a specific HTML element in IE for Macintosh. It is possible to invoke local AppleScripts using this HTML element and bypass the built-in security checks governing the execution of local programs.

What is AppleScript?
AppleScript is a system level scripting language that makes it easy for users to automate common or simple tasks in the operating system, individual applications, or across applications. A number of standard AppleScripts ship with Mac OS 8 & 9 to handle common tasks such as shutting down the system, putting the system to sleep and closing windows.

What's wrong with how AppleScript is handled in IE for Macintosh?
There is a flaw in how AppleScripts are handled when called by a particular HTML element in IE for Macintosh. IE fails to correctly recognize that a script resource on the local system is being called. Because of this it treats the as if it were a script element to be handled within the browser, by passing the stricter security governing resources outside of the browser.

Is this the same flaw as the Local Executable Invocation via Object tag (CVE-CAN-2002-007)?
No. While this is similar to the issue address in MS02-015, they are not the same. This is different from that issue.

What could this enable an attacker to do?
An attacker could seek to exploit this vulnerability to invoke an AppleScript that is already present on the local system. The AppleScript would run as if the user himself had chosen to run it directly. For example, an attacker could call "Put Computer To Sleep" and cause the system to go to sleep.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by crafting a web page that calls an AppleScript with the specific HTML element. She would then post it on a web site under her control and have to entice the user to view the page in IE for Macintosh.
For the attack to succeed, the attacker would have to know the full path and filename of an AppleScript already present on the user's local system.

What kinds of AppleScripts are present on the typical system by default?
By default, there are a number of AppleScripts called "speakable items" present on the system. These scripts can be used for system configuration and maintenenence. Examples of typical speakable items include scripts to change the resolution on the system, closing a single window on the desktop, closing multiple windows on the desktop, or restarting the computer.

Can an attacker use this vulnerability to load an AppleScript on my machine? 
No. The vulnerability does not give an attacker any means to deliver an AppleScript of her choosing to the user.

Can a program or script other than AppleScripts be invoked?
No. The flaw affects only the handling of AppleScripts.

What does the patch do? 
That patch eliminates the vulnerability by instituting proper handling of AppleScripts that are stored on the user's local system.

I'm running IE for Macintosh on Mac OS X, am I affected by this vulnerability? 
No. This vulnerability only affects IE for Macintosh on OS 8 & 9.

Download locations for this patch

• Microsoft IE 5.1 for Mac OSX: Users must use the Software Update feature of Mac OS X v10.1 to install the "Internet Explorer 5.1 Security Update."

  More information on Software Update is available at:
  http://www.apple.com/softwareupdate.

• Microsoft PowerPoint 98 for Macintosh:
   http://www.microsoft.com/mac/downloads.aspx#Office98
• All other products: http://www.microsoft.com/mac/download