Microsoft Security Bulletin MS03-014

Technical description:

MHTML stands for MIME Encapsulation of Aggregate HTML. MHTML is an Internet standard that defines the MIME (Multipurpose Internet Mail Extensions) structure used to send HTML content in e-mail message bodies. The MHTML URL Handler in Windows is part of Outlook Express and provides a URL type that can be used on the local machine. This URL type (MHTML://) allows MHTML documents to be launched from a command line, from Start/Run, using Windows Explorer or from within Internet Explorer.

A vulnerability exists in the MHTML URL Handler that allows any file that can be rendered as text to be opened and rendered as part of a page in Internet Explorer. As a result, it would be possible to construct a URL that referred to a text file that was stored on the local computer and have that file render as HTML. If the text file contained script, that script would execute when the file was accessed. Since the file would reside on the local computer, it would be rendered in the Local Computer Security Zone. Files that are opened within the Local Computer Zone are subject to fewer restrictions than files opened in other security zones.

Using this method, an attacker could attempt to construct a URL and either host it on a website or send it via email. In the web based scenario, where a user then clicked on a URL hosted on a website, an attacker could have the ability to read or launch files already present on the local machine. In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in the e-mail. However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail. In both the web based and e-mail based cases, any limitations on the user's privileges would also restrict the capabilities of the attacker's script.

Applying the update listed in Microsoft Security Bulletin MS03-004 -- Cumulative Patch for Internet Explorer-will help block an attacker from being able to load a file onto a user's computer and prevent the passing of parameters to an executable. This means that an attacker could only launch a program that already existed on the computer-provided the attacker was aware of the location of the program-and would not be able to pass parameters to the program for it to execute.

MHTML is a standard for exchanging HTML content in e-mail and as a result the MHTML URL Handler function has been implemented in Outlook Express. Internet Explorer can also render MHTML content, however the MHTML function has not been implemented separately in Internet Explorer - it simply uses Outlook Express to render the MHTML content.

Mitigating factors:

• For the web-based scenario, the attacker would have to host a web site that contained a web page used to exploit this vulnerability and entice a user to visit it. An attacker would have no way to force a user to visit the site. Instead, the attacker would need to lure the user there, typically by getting the user to click on a link to the attacker's site.
• The HTML mail-based attack scenario would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update.
• Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges.
• If the cumulative patch for Internet Explorer MS03-004 has been installed, known means by which an attacker may place a file onto a user's computer will be blocked.
• In order to invoke an executable already present on the local system, an attacker must know the path to that executable.

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-0980

Tested Versions:

Microsoft tested Internet Explorer versions 5.01 SP3, 5.5 SP2, 6.0 Gold and 6.0 SP1 as well as Outlook Express versions 5.5 SP2, 6.0 Gold and 6.0 SP1 for this vulnerability. Versions of IE prior to 5.01 Service Pack 3 are no longer eligible for hotfix support. More information is available from the Windows Operating System Components Lifecycles Web site

What's the scope of the vulnerability?
The vulnerability could allow an attacker to read files or launch a program on the user's computer in the Local Computer Zone.
If an attacker were to host a malicious website that contained an MHTML document and could convince a user to visit that site, they could potentially exploit this vulnerability and read files or launch executables already present on the users computer.
Microsoft Security Bulletin MS03-004 describes a vulnerability through which an attacker could load a file onto a user's local system. If the patch discussed in Microsoft Security Bulletin MS03-004 has been applied, the scope of the new vulnerability discussed in this bulletin is significantly reduced. In this case, an attacker would not be able to deliver a program of their choice to the local system - the program invoked must already exist on the system for an attacker to invoke it, nor could an attacker pass any parameters to an executable program.

What is MHTML?
MHTML stands for MIME Encapsulation of Aggregate HTML Documents and is an Internet standard that defines the MIME (Multipurpose Internet Mail Extensions) structure used to send HTML content in message bodies. The MHTML URL Handler is used to package HTML content for email messages. It is a common format for encapsulating the multiple files associated with an HTML document.
MHTML takes a "snapshot" of the current HTML page, and archives it for sending to someone in email, or for offline viewing of the page in Internet Explorer. For example, it is possible in Internet Explorer to save a webpage as a single file for offline viewing using the "File| Save As" option and then selecting the "Web Archive, single file" option from the "save as" drop down. The web page will be saved as a single file in the MHTL format. Microsoft Knowledge Base article 221787 describes this feature in more detail.

What is HTML?
HTML stands for Hyper Text Markup Language and is used to create documents that are portable between various platforms. One of its key features is the ability to render a document composed of separate resources such as images, sound files, etc. inline with the text.

What's wrong with the implementation of the MHTML format?
The MHTML URL Handler is capable of treating any file type as if it were an HTML file. For example, if a .txt file were opened using the MHTML protocol, it could be rendered as if it were an .HTML file. This poses a security vulnerability because some files-such as text files-- are often considered a "safe file type" and a web page could cause them to be opened in the Local Computer Zone. If such a file contained executable script and the script could be caused to execute, it would do so with the privileges associated with the Local Computer Zone rather than the web site.

You've mentioned Internet Security Zones - what are they?
IE Security Zones are a system that divides online content into categories-or zones-- based on its trustworthiness. Specific web domains can be assigned to a zone, depending on how much trust is placed in the content of each domain. The zone then restricts the capabilities of the web content, based on the zone's settings.
By default, most Internet domains are treated as part of the Internet Zone. The Internet Zone has settings and restrictions that can be configured to prevent scripts and other active code from gaining access to resources on the local computer.

What is the Local Computer Zone?
The local computer zone is an implicit zone used for content that exists on the user's computer. It is much less restricted and allows scripts and active code to access and manipulate content on the local system. By default, files stored on the local computer are run in the Local Computer zone.

What is a URL Handler?
A URL handler lets an application register a new URL type that, when invoked by a web page, starts the application automatically. For example, when Outlook 2002 is installed on a system, it registers "outlook://" as a custom URL handler. Outlook can then be invoked by typing this URL in IE, in the "Run" box, or by clicking on a hyperlink. In the case of MHTML, the URL used is "mhtml://"

What causes the vulnerability?
The vulnerability results because the Outlook Express component that displays pages encoded in the MHTML format contains a flaw that allows it to render non-MHTML files as if they were HTML pages. The flaw would allow the rendering of any file whose content is text - such as a .txt file or a file containing script.

What could this vulnerability enable an attacker to do?
An attacker could attempt to use the MHTML URL Handler to render a file that was already present on a user's machine as an HTML page. If the attacker were able to place a .txt file that contained malicious script onto a user's computer, he or she could then attempt to use the MHTML URL Handler to open that file as an html file - thus causing the script to execute. A script running in the Local Computer Zone is typically trusted more than a script running in the Internet Zone, which would normally have been downloaded and invoked from a web site.
However it should be noted that if the patch discussed in Microsoft Security Bulletin MS03-004 has been applied, an attacker would be unable to place a file onto a user's local system. This would limit an attacker to simply being able to execute a file that was already present on the local system - an attacker would not be able to pass parameters to an executable either.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by crafting a URL using the MHTML format and luring a user to visit a website hosting this - most likely by sending the URL in an email message. If the attacker was able to guess the location on the user's local system of a file containing malicious script or was able to place malicious script in a known location on the user's computer, he or she could cause that script to execute in an HTML page.

This fix appears to be addressing a problem with how web pages are displayed. Why is the bulletin titled "Cumulative Patch for Outlook Express"?
MHTML was designed as an Internet Standard for sending HTML content in the body of email messages, along with those resources referenced from within the HTML content itself. As a result, the MHTML function has been implemented in Outlook Express, Whenever Internet Explorer needs to render an MHTML page, it actually uses the MHTML feature in Outlook Express - the MHTML URL Handler has not been separately implemented in Internet Explorer.
Since the vulnerability lies in Outlook Express, this patch contains the fix for the described vulnerability, as well as all previously released fixes for Outlook Express.

So even though this vulnerability relates to how certain web pages are displayed, it does not affect Internet Explorer?
Yes- Internet Explorer does not render MHTML files itself. MHTML was designed as a standard for exchanging HTML in e-mail and so the MHTML URL Handler has been implemented in Outlook Express, not Internet Explorer.

I don't use Outlook Express to read e-mail. Do I still need this patch?
Yes - since the URL Handler that deals with MHTML files is actually in Outlook Express, you should install this patch regardless of whether you use Outlook Express to read e-mail.

What does the patch do?
The patch eliminates the vulnerability by prohibiting the MHTML format from reading any file type other than .MHT or .MHTML-the file types associated with an MHTML formatted file.

Download locations for this patch

• Microsoft Outlook Express

  http://www.microsoft.com/windows/ie/ie6/downloads/critical/330994/default.mspx