Microsoft Security Bulletin MS04-004

Microsoft originally issued this bulletin on February 2, 2004. Subsequent to issuing this security bulletin, Microsoft received reports that after installing the update provided with this bulletin, some Internet Explorer 6.0 Service Pack 1 users were experiencing errors when attempting to access SSL protected Web Sites. This error will present itself as a HTTP 500 (Internal Server Error) and only occurs when accessing web servers using SSL/TLS 3.0 with a specific configuration. An update for this issue is available, please see Knowledge Base article 831167. This update will be included in future Cumulative Security Updates for Internet Explorer 6.0 Service Pack 1.

This is a cumulative update that includes the functionality of all the previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. Additionally, it eliminates the following three newly-discovered vulnerabilities:

• A vulnerability that involves the cross-domain security model of Internet Explorer. The cross domain security model of Internet Explorer keeps windows of different domains from sharing information. This vulnerability could result in the execution of script in the Local Machine zone. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who exploited this vulnerability could access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged on user.
• A vulnerability that involves performing a drag-and-drop operation with function pointers during dynamic HTML (DHTML) events in Internet Explorer. This vulnerability could allow a file to be saved in a target location on the user's system if the user clicked a link. No dialog box would request that the user approve this download. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, code of the attacker's choice would not be executed, but could be saved on the user's computer in a targeted location.
• A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the clear-text authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker's choice in the address bar, but with content from a Web Site of the attacker's choice inside the window. For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)

As with the previous Internet Explorer cumulative updates that were released with bulletins MS03-004, MS03-015, MS03-020, MS03-032, MS03-040, and MS03-048, this cumulative update causes the window.showHelp( ) control to no longer work if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Microsoft Knowledge Base article 811630, you will still be able to use HTML Help functionality after you apply this update.

This Internet Explorer cumulative update also includes a change to the functionality of a clear-text authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

http(s)://username:password@server/resource.ext

For more information about this change, please see Microsoft Knowledge Base article 834489.

This update will also invalidate usernames and passwords that were previously cached in Internet Explorer's protect store. After installing this update, users will be prompted to type their usernames and password in order to access authenticated sites. If the user selects the "Remember my password" check-box they will continue to be stored locally after the initial visit to these Web Sites. More information is available in the Frequently Asked Questions section of this document.

Additionally, this update will disallow navigation to "username:password@host.com" URLs for XMLHTTP.

Microsoft is currently creating an update to MSXML that will address this issue specifically for XMLHTTP. More information can be found in Knowledge Base Article 832414.

The update also refines a change made in Internet Explorer 6 Service Pack 1, which prevents web pages in the Internet Security zone from navigating to the local computer zone. This is discussed further in the "Frequently Asked Questions" section of this bulletin.

Mitigating factors:

There are three common mitigating factors for both the Cross Domain Vulnerability and Drag-and-Drop Operation Vulnerability:

• By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections that are put in place that prevent these vulnerabilities from being automatically exploited would be removed.
• In the Web-based attack scenario, the attacker would have to host a Web site that contains a Web page that is used to exploit these vulnerabilities. An attacker would have no way to force a user to visit a malicious Web site. Instead, the attacker would have to lure them there, typically by getting them to click a link that takes them to the attacker's site.
• By default, Outlook Express 6.0, Outlook 2002 and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:
  • You have applied the update included with Microsoft Security bulletin MS03-040 or MS03-048.
  • You are using Internet Explorer 6 or later.
  • You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 SP2 or later in its default configuration.
• If an attacker exploited these vulnerabilities, they would gain only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than users who operate with administrative privileges.

Severity Rating:

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier:

• Travel Log Cross Domain Vulnerability CAN-2003-1026
• Function Pointer Drag and Drop Vulnerability CAN-2003-1027
• Improper URL Canonicalization Vulnerability CAN-2003-1025

• Microsoft has tested the following workarounds that apply across both the Travel Log Cross Domain Vulnerability CAN-2003-1026 and the Drag and Drop Operation VulnerabilityCAN-2003-1027 the vulnerabilities. These workarounds do not mitigate the Improper URL Canonicalization Vulnerability CAN-2003-1025. These workarounds help block known attack vectors. However they will not correct the underlying vulnerabilities. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.

Prompt before running ActiveX controls and active scripting in the Internet zone and in the Local Intranet zone

You can help protect against these vulnerabilities by changing your settings for the Internet security zone to prompt before running ActiveX controls. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt.
5. In the Scripting section, under Active Scripting, click Prompt, and then click OK.
6. Click Local intranet, and then click Custom Level.
7. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt.
8. In the Scripting section, under Active Scripting, click Prompt.
9. Click OK two times to return to Internet Explorer.

Impact of Workaround:

There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the "Restrict Web sites to only your trusted Web sites" workaround.

Restrict Web sites to only your trusted Web sites

After you set Internet Explorer to require a prompt before it runs ActiveX in the Internet zone and in the Local Intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. Microsoft recommends that you only add sites that you trust to the Trusted sites zone.

To do this, follow these steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.

   Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is "*.windowsupdate.microsoft.com" (without the quotes). This is the site that will host the update, and it requires the use of an ActiveX control to install the update.

Impact of Workaround:

For those sites that you have not configured to be in your Trusted sites zone, their functionality will be impaired if they require the use of ActiveX controls to function correctly. Adding sites to your Trusted sites zone will allow them to be able to download the ActiveX control that they require to function correctly. However you should only add Web sites you trust to the Trusted sites zone.

Install Outlook Email Security Update if you are using Outlook 2000 SP1 or earlier

By default, the Outlook E-mail Security Update causes Outlook 98 and 2000 to open HTML e-mail messages in the Restricted sites zone. By default, Outlook Express 6.0, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Customers who use any of these products are at reduced risk from an e-mail-borne attack that tries to exploit this vulnerability, unless the user clicks a malicious link in the e-mail message.

If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector

Microsoft Outlook 2002 users who have applied Service Pack 1 or later and Outlook Express 6.0 users who have applied Service Pack 1 or later can enable a feature that will enable them to view all non-digitally-signed e-mail messages or non-encrypted e-mail messages in plain text only.

Digitally-signed e-mail messages and encrypted e-mail messages are not affected by the setting and may be read in their original formats. Information about how to enable this setting in Outlook 2002 can be found in the following Knowledge Base article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;307594

Information about how to enable this setting in Outlook Express 6.0 can be found in the following Knowledge Base article:

http://support.microsoft.com/?kbid=291387

Impact of Workaround:

E-mail that is viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. Additionally:

• The changes are applied to the preview pane and to open messages.
• Pictures become attachments to avoid loss of message content.
• Because the message is still in Rich Text Format or in HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

Workarounds and other mitigations for the Improper URL Canonicalization Vulnerability CAN-2003-1025 can be found in Knowledge Base article 833786 - "Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks". Microsoft has also provided advice for consumers on how to avoid being tricked by spoof websites on the Microsoft Security Web site.

Why am I getting errors when attempting to access certain SSL protected Web Sites?
After installing the Internet Explorer 6.0 SP1 version of this update, there may be intermittent failures of POST requests to SSL protected sites. This may cause some users to receive an HTTP 500 (Internal server error) while attempting to access certain Web Sites. Microsoft is aware of this issue and has released an update. Information on obtaining this update may be found in the Knowledge Base Article 831167. This update will be included in future Cumulative Security Updates for Internet Explorer.

Do I need to install the update in Knowledge Base Article 831167 to be protected from the vulnerabilities address in this Security Update (MS04-004)?
No. Users who are not experiencing the errors described above do not need the update referenced in Knowledge Base Article 831167. Microsoft recommends that only users affected by this particular problem install the update in Knowledge Base Article 831167. Future Cumulative Security Updates for Internet Explorer 6.01 Service Pack 1 will contain this update.

Are there any server side workarounds that might help eliminate these errors?
Yes. If you cannot apply the update discussed in the Resolution section, one of the following server-side actions may work around the problem:

• Increase the HTTP keep-alive timeout interval on the Web server or proxy server. There is no setting in IIS to control the keep-alive timeout beyond the Windows registry KeepAliveTime value, but some Web servers and proxy servers may allow you to specify a connection expiration time. If the Web server or proxy server allows changing this value, increase the keep-alive timeout interval to work around the problem. Consult your web server documentation for the proper setting name and value. For additional information about the KeepAliveInterval and KeepAliveTime parameters, click the following article numbers to view the articles in the Microsoft Knowledge Base:

  314053 TCP/IP and NBT Configuration Parameters for Windows XP

  120642 TCP/IP and NBT Configuration Parameters for Windows 2000 or Windows NT

• Disable HTTP "keep alive connections" on the server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

  238210 HTTP Keep-Alive Header Sent Whenever ASP Buffering is Enabled

Why am I being prompted to re-enter my username and password on Web Sites where I had asked Internet Explorer to remember my password?
This update will invalidate the credentials that Internet Explorer had previously stored on the local system. This is due to the changes to authentication that are included in this update. As a result users will be prompted to re-enter their username and password for sites where they had selected to have Internet Explore remember that information. After typing in their username and password and after checking the "Remember my password" check-box, this information will continue to be stored locally. For more information on how Internet Explorer stores usernames and password please see the following article on MSDN.

Why is the Internet Explorer 5.5 SP2 update available for Windows 2000 Service Pack 2, Service Pack 3 and Service Pack 4, as well as Windows 98, Windows 98 Second Edition and Windows NT 4.0 Service Pack 6a?
Internet Explorer 5.5 SP2 is currently supported on Windows Millennium Edition (Windows Me) only. However since the vulnerabilities addressed in this bulletin were reported publicly prior to December 31, 2003, this version of the update will be supported on all the platforms listed above. For more information on support for Internet Explorer 5.5 SP2 please see the following Microsoft Product Lifecycle page.

Why is the update available for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition (Windows Me)?
Security updates for these platforms would normally be available by request through assisted support channels, however since the issues repaired in this bulletin were reported publicly prior to this announcement the Internet Explorer 6 Service Pack 1 version of this patch will be supported on those operating systems for this release. See this announcement and the Microsoft Support Lifecycle site for additional information on support options for these platforms.

What vulnerabilities are eliminated by this update?
This is a cumulative update that incorporates the functionality of all previously released updates for Internet Explorer. Additionally, this update eliminates the following newly reported vulnerabilities:

• A vulnerability that could allow an attacker to cause arbitrary code to run on the user's system.
• A vulnerability that could allow an attacker to save arbitrary code on the user's system.
• A vulnerability that could allow an attacker to mis-represent the location of a Web page in the Address bar of an Internet Explorer window.

What systems are primarily at risk from the vulnerability?
Any system that has Internet Explorer installed is at risk from this vulnerability, and Microsoft recommends that this update should be installed immediately on all systems. However, this vulnerabilities require a user to be logged on and to be using Internet Explorer for any malicious action to occur. Therefore, any systems where Internet Explorer is actively used (such as user's workstations) are at the most risk from these vulnerabilities. Systems where Internet Explorer is not actively used (such as most server systems) are at a reduced risk.

Does this Security Update contain any other changes to functionality in Internet Explorer?
Yes. This Internet Explorer cumulative update also includes a change to the functionality of a clear-text authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
http(s)://username:password@server/resource.ext
For more information about this change, please see the Frequently Asked Questions section for this specific issue in this bulletin or Microsoft Knowledge Base article 834489.
Additionally, this update will disallow navigation to "username:password@host.com" URLs for XMLHTTP. Microsoft is currently creating an update to MSXML that will address this issue specifically for XMLHTTP. More information can be found in Knowledge Base Article 832414.

Does the update contain any other security changes?
The update also refines a change made in Internet Explorer 6 Service Pack 1, which prevents web pages in the Internet zone from navigating to the Local Machine zone. This change was introduced to mitigate the effects of potential new cross domain vulnerabilities. The changes introduced in this update are further enhancements of the Internet Explorer 6 Service Pack 1 restrictions.

I am running Internet Explorer on Windows Server 2003. Does this mitigate some of these vulnerabilities?
Yes. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration that mitigates both the Travel Log Cross Domain CAN-2003-1026 and the Drag and Drop OperationCAN-2003-1027 vulnerabilities. The Enhanced Security Configuration on Windows Server 2003 does not mitigate the Improper URL Canonicalization Vulnerability CAN-2003-1025.

What is Internet Explorer Enhanced Security Configuration?
Internet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or of an administrator downloading and running malicious Web content on a server. Internet Explorer Enhanced Security Configuration reduces this risk by modifying numerous security-related settings, including the settings on the Security and the Advanced tab in the Internet Options dialog box. Some of the important modifications include:

• Security level for the Internet zone is set to High. This setting disables scripts, ActiveX controls, Microsoft Java Virtual Machine (MSJVM), HTML content, and file downloads.
• Automatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.
• Install On Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.
• Multimedia content is disabled. This setting prevents music, animations, and video clips from running.

Disabling Internet Explorer Enhanced Security Configuration would remove the protections that are put in place to help prevent this vulnerability from being exploited. For more information about Internet Explorer Enhanced Security Configuration, see the Managing Internet Explorer Enhanced Security Configuration guide. To do so, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

Is there any configuration of Windows Server 2003 that is likely to have Internet Explorer Enhanced Security Configuration disabled?
Yes. Systems Administrators who have deployed Windows Server 2003 as a Terminal Server would likely disable Internet Explorer Enhanced Security Configuration to allow users of the Terminal Server to use Internet Explorer in an unrestricted mode.

CAN-2003-1026: Travel Log Cross Domain Vulnerability Could Allow Remote Code Execution

What is the scope of this vulnerability?
This vulnerability could allow a malicious Web site operator to access information in another Internet or intranet domain or on the user's local system by injecting specially-crafted code when the browser parses specially formatted Script URLs from the travel log. This could also allow an attacker to run an executable file of their choice on the user's system.

What causes the vulnerability?
The process used to validate Script URLs in Internet Explorer's Travel Log causes this vulnerability.

What is Internet Explorer's travel log?
Internet Explorer's travel log is an interface that maintains a navigation stack for the WebBrowser control. This stack is used by Internet Explorer to maintain a list of recently visited sites. For example, the History tab in Internet Explorer is built based on information from the travel log. For detailed information about the travel log interface and how it is used by the WebBrowser control can be found at MSDN.

What is the cross-domain security model that Internet Explorer implements?
One of the principal security functions of a browser is to make sure that browser windows that are under the control of different Web sites cannot interfere with each other or access each other's data, while allowing windows from the same site to interact with each other. To differentiate between cooperative and uncooperative browser windows, the concept of a "domain" has been created. A domain is a security boundary - any open windows within the same domain can interact with each other, but windows from different domains cannot. The cross-domain security model is the part of the security architecture that keeps windows from different domains from interfering with each other.
The simplest example of a domain is associated with Web sites. If you visit http://www.microsoft.com, and it opens a window to http://www.microsoft.com/security, the two windows can interact with each other because both sites belong to the same domain, http://www.microsoft.com. However, if you visited http://www.microsoft.com, and it opened a window to a different Web site, the cross-domain security model would protect the two windows from each other. The concept goes even further. The file system on your local computer is also a domain. For example, http://www.microsoft.com could open a window and show you a file on your hard disk. However, because your local file system is in a different domain from the Web site, the cross-domain security model should prevent the Web site from reading the file that is being displayed.
The Internet Explorer cross-domain security model can be configured by using the security zone settings in Internet Explorer.

What are Internet Explorer security zones?
Internet Explorer security zones are a system that divides online content into categories or zones based on its trustworthiness. Specific Web domains can be assigned to a zone, depending on how much trust is placed in the content of each domain. The zone then restricts the capabilities of the Web content, based on the zone's policy. By default, most Internet domains are treated as part of the Internet zone, which has default policy that prevents scripts and other active code from accessing resources on the local system.

What is the issue with the way Internet Explorer calculates cross domain security?
Internet Explorer evaluates security when one Web Page requests access to resources in another security zone. However, there is a vulnerability in the process used to calculate security when specially formatted Script URLs are parsed out of the Travel Log. As a result, an attacker can bypass the security checks.

What could this vulnerability enable an attacker to do?
An attacker could use this vulnerability to create a Web page that could allow the attacker to access data across domains. This could include accessing information from other Web sites, from local files on the system, or from running executable files that already exist on the local file system. This could also include running executable files of the attacker's choice on the user's local file system.

How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by creating a malicious Web page or an HTML e-mail message and then enticing the user to visit this page or to view the HTML e-mail message. When the user visited the page or viewed the e-mail message, the attacker could access information from other websites, local files on the system, or cause script to run in the security context of the Local Machine Zone.

What does the update do?
The update addresses the vulnerability by ensuring that cross domain security checks take place whenever Script URLs are parsed from the Travel Log.

CAN-2003-1027: Function Pointer Drag and Drop Operation Vulnerability Could Allow Arbitrary Code to be Saved on User's System

What is the scope of the vulnerability?
This vulnerability involves using a drag and drop event in Internet Explorer with function pointers and could result in a file being saved on the user's system when the user clicked a link (the user would not receive a dialog box requesting to approve the download). To exploit this vulnerability, an attacker would have to host a malicious Web site or create an HTML e-mail that contained a link that is designed to exploit this particular vulnerability and then persuade a user to visit that site. If the user visited the page or viewed the e-mail message, and if the user clicked the malicious link, then code of the attacker's choice could be saved in a targeted location on the user's computer.

What causes the vulnerability?
The process by which the drag and drop technology validates certain Dynamic HTML (DHTML) events causes this vulnerability. As a result, a file could be downloaded to the user's system after the user clicks a link.

What are DHTML events?
DHTML events are special actions that are provided by the DHTML Object Model. These events can be used in script code to add dynamic content to a Web site. For more information about DHTML events, visit MSDN.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could save code of their choice to the user's local file system. Although this code could not be executed through this vulnerability directly, the operating system might open the file if it is dropped to a sensitive location, or a user may click the file inadvertently, causing the attacker's code to be executed.

How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page or an HTML e-mail with a link that is designed to exploit this particular vulnerability and then persuade a user to visit that site. If the user clicked the malicious link, any code of the attacker's choice could be saved on the user's computer in a targeted location.

What systems are primarily at risk from the vulnerability?
Any system that has Internet Explorer installed is at risk from this vulnerability, and this update should be installed immediately on all systems. However, this vulnerability requires a user to be logged on and to be using Internet Explorer for any malicious action to occur. Therefore, any systems where Internet Explorer is actively used (such as user's workstations) are at the most risk from this vulnerability. Systems where Internet Explorer is not actively used (such as most server systems) are a reduced risk.

What does the update do?
This update corrects this vulnerability by correctly evaluating drag-and-drop operations by using function pointers during DHTML events.

CAN-2003-1025: Improper URL Canonicalization Vulnerability Could Allow Attacker to Spoof Websites

What's the scope of the vulnerability?
There is a vulnerability that involves the address bar that is used by Internet Explorer to display the currently visited Web site. This vulnerability could result in an incorrect URL being listed in the Address bar that is not the actual Web page that is displayed by Internet Explorer. For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)

What causes the vulnerability?
This vulnerability is caused by a canonicalization error that occurs when Internet Explorer parses special characters in a HTTP URL.

What is an HTTP URL?
An HTTP URL is a Uniform Resource Locator used to designate an address to a resource reachable via the HTTP protocol. While the generic syntax for a URIs is defined in RFC 2396 - Uniform Resource Identifiers (URI): Generic Syntax, the specific syntax for a HTTP URL is defined in RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1:

http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]

What might an attacker use the vulnerability to do?
An attacker could use this vulnerability to create a Web Page that would display a URL of the attackers choosing in the address bar, while displaying a different Web Site in the browser window. An attacker could use this vulnerability to create a malicious page that spoofs a legitimate site. For example an attacker could create a Web Page that looks like a user's on-line E-mail site. While this Web Page would be hosted on a malicious Web Site, an attacker could use this vulnerability to display a legitimate looking URL in the address bar. A user might see this URL and mistakenly give away sensitive information to the attacker's site.

How could an attacker exploit this vulnerability?
To exploit one of this vulnerability, an attacker would have to host a malicious Web site that contains a Web page that has a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that has a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with an HTTP URL of the attacker's choice in the Address bar, but with content from a Web site of the attacker's choice.

What does the update do?
The update corrects the vulnerability by making sure that Internet Explorer correctly parses special characters in URLs to make sure that the correct address is represented in the Address bar. This update also makes Internet Explorer's handling of HTTP URLs more compliant with RFC 2616 Hypertext Transfer Protocol -- HTTP/1.1 by removing the ability to perform authentication by using a "username:password@" format. This change to the default behavior of Internet Explorer is discussed further in Knowledge Base article 834489.

Prerequisites

Microsoft has tested the versions of Windows and the versions of Internet Explorer that are listed in this bulletin to assess whether they are affected by these vulnerabilities and to confirm that the update that this bulletin describes addresses these vulnerabilities.

To install the Internet Explorer 6 Service Pack 1 (SP1) versions of this update, you must be running Internet Explorer 6 SP1 (version 6.00.2800.1106) on one of the following versions of Windows:

• Microsoft Windows NT® Workstation 4.0 Service Pack 6a
• Microsoft Windows NT Server 4.0 Service Pack 6a
• Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
• Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
• Microsoft Windows XP
• Microsoft Windows XP Service Pack 1
• Microsoft Windows XP 64-Bit Edition, Service Pack 1

To install the Internet Explorer 6 for Windows Server 2003 versions of this update, you must be running Internet Explorer 6 (version 6.00.3790.0000) on Windows Server 2003 (32-bit or 64-bit) or you must be running Internet Explorer 6 (version 6.00.3790.0000) on Windows XP 64-Bit Edition, Version 2003.

To install the Internet Explorer 6 version of this update, you must be running Internet Explorer 6 (version 6.00.2600.0000) on a 32-bit version of Windows XP.

To install the Internet Explorer 5.5 version of this update, you must be running Internet Explorer 5.5 Service Pack 2 (version 5.50.4807.2300) on Microsoft Windows Millennium Edition

Note: Internet Explorer 5.5 SP2 is currently supported on Windows Millennium Edition (Windows Me) only. However since the vulnerabilities addressed in this bulletin were reported publicly prior to December 31, 2003, this version of the update will be supported on Windows 2000 Service Pack 2, Service Pack 3 and Service Pack 4, as well as Windows 98, Windows 98 Second Edition, and Windows NT 4.0 Service Pack 6a. For more information on support for Internet Explorer 5.5 SP2 please see the following Microsoft Product Lifecycle page. Windows Me is currently in Extended Support. Please see the following announcement for more information on support for Windows Me.

To install the Internet Explorer 5.01 version of this update, you must be running one of the following:

• Internet Explorer 5.01 Service Pack 4 (version 5.00.3700.1000) on Windows 2000 SP4
• Internet Explorer 5.01 Service Pack 3 (version 5.00.3502.1000) on Windows 2000 SP3
• Internet Explorer 5.01 Service Pack 2 (version 5.00.3315.1000) on Windows 2000 SP2

  Note: Versions of Windows and versions of Internet Explorer that are not listed in this article are no longer supported. Although you can install some of the update packages that are described in this article on these versions of Windows and of Internet Explorer, Microsoft has not tested these versions to assess whether they are affected by these vulnerabilities or to confirm that the update that this bulletin describes addresses these vulnerabilities. Microsoft recommends that you upgrade to a supported version of Windows and of Internet Explorer, and then apply the appropriate update.

For additional information about how to determine which version of Internet Explorer you are running, click the following article number to view the article in the Microsoft Knowledge Base:

164539 How to Determine Which Version of Internet Explorer Is Installed

For additional information about support life cycles for Windows components, visit the Microsoft Support Lifecycle Web site.

For additional information about how to obtain the latest service pack for Internet Explorer 6, click the following article number to view the article in the Microsoft Knowledge Base:

328548 How to Obtain the Latest Service Pack for Internet Explorer 6

For additional information about how to obtain the latest service pack for Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:

276369 How to Obtain the Latest Service Pack for Internet Explorer 5.5

For additional information about how to obtain the latest service pack for Internet Explorer 5.01, click the following article number to view the article in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack

Restart Requirements

You must restart your computer to complete the installation. You do not have to use an administrator logon after the computer restarts for any version of this update.

Previous Update Status

This update replaces the MS03-048: November, 2003, Cumulative Update for Internet Explorer (824145).

Installation Information

The Windows Server 2003 versions of this security update (including Windows XP 64-Bit Edition, Version 2003) support the following Setup switches:

/help                  Displays the command line options

Setup Modes

/quiet                Quiet mode (no user interaction or display)

/passive             Unattended mode (progress bar only)

/uninstall           Uninstalls the package

Restart Options

/norestart        Do not restart when installation is complete

/forcerestart     Restart after installation

Special Options

/l                      Lists installed Windows hotfixes or update packages

/o                     Overwrite OEM files without prompting

/n                     Do not backup files needed for uninstall

/f                      Force other programs to close when the computer shuts down

Deployment Information

To install the Windows Server 2003 32-bit security update without any user intervention, use the following command:

windowsserver2003-kb832894-x86-enu.exe /quiet /passive

To install this security update without forcing the computer to restart, use the following command:

windowsserver2003-kb832894-x86-enu.exe /norestart

Note: You can combine these switches into one command. For backwards compatibility, the security update also supports the Setup switches that are used by the previous version of the setup utility. However, you should stop using the previous switches because this support may be removed in future security updates.

The other update packages for this security update support the following Setup switches:

/q                     Use Quiet mode or suppress messages when the files are being extracted.

/q:u                  Use User-Quiet mode. User-Quiet mode presents some dialog boxes to the user.

/q:a                  Use Administrator-Quiet mode. Administrator-Quiet mode does not present any dialog boxes to the user.

/t: path:             Specify the location of the temporary folder that is used by Setup or the target folder for extracting the files (when you are using the /c switch).

/c:                     Extract the files without installing them. If you do not specify the /t: path switch, you are prompted for a target folder.

/c: path             Specify the path and the name of the Setup .inf file or the .exe file.

/r:n                  Never restart the computer after installation.

/r:i                    Prompt the user to restart the computer if a restart is required, except when this switch is used with the /q:a switch.

/r:a                   Always restart the computer after installation.

/r:s                   Restart the computer after installation without prompting the user.

/n:v                  Do not check the version. Use this switch with caution to install the update on any version of Internet Explorer.

For example, to install the update without any user intervention and not force the computer to restart, use the following command:

q832894.exe /q:a /r:n

Note Interactive help, provided by the “/?” option will only show a subset of switches. However all the switches listed above are supported by this update.

Verifying Update Installation

To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. The Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For additional information about MBSA, please visit the Microsoft Baseline Security Analyzer Web site.

You may also be able to verify the files that this security update installed by using one of the following methods:

• Confirm that Q832894 is listed in the Update Versions field in the About Internet Explorer dialog box. You cannot use this method on Windows Server 2003 or on Windows XP 64-Bit Edition, Version 2003 because the package does not update the Update Versions field for these versions of Windows.
• Compare the versions of the updated files on your computer with the files that are listed in the "File Information" section in this bulletin.
• Confirm that the following registry entries exist:
  • Windows Server 2003 and Windows XP 64-Bit Edition, Version 2003:

    Confirm that the Installed DWORD value with a data value of 1 appears in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB832894

  • All other versions of Windows:

    Confirm that the IsInstalled DWORD value with a data value of 1 appears in the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{eddbec60-89cb-44ef-8291-0850fd28ff6a}

Removal Information

To remove this update, use the Add or Remove Programs tool (or the Add/Remove Programs tool) in Control Panel. Click Internet Explorer Q832894, and then click Change/Remove (or click Add/Remove).

On Windows Server 2003 and on Windows XP 64-Bit Edition, Version 2003, system administrators can use the Spunist.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB832894$\Spuninst folder. This utility supports the following Setup switches:

/?:-Show the list of installation switches.

/u:-Use Unattended mode.

/f:-Force other programs to quit when the computer shuts down.

/z:-Do not restart when the installation is complete.

/q:-Use Quiet mode (no user interaction).

On all other versions of Windows, system administrators can use the Ieuninst.exe utility to remove this update. This security update installs the Ieuninst.exe utility in the %Windir% folder. This utility supports the following Setup switches:

/?:-Show the list of supported switches.

/z:-Do not restart when the installation is complete.

/q:-Use Quiet mode (no user interaction).

For example, to remove this update quietly, use the following command:

c:\windows\ieuninst /q c:\windows\inf\q832894.inf

Note: This command assumes that Windows is installed in the C:\Windows folder.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Note: Because of file dependencies, this update may contain additional files.

For information about the specific security update for your operating system, click the appropriate link.