
Incorrect Mime Header Vulnerability

Date: April 12, 2001

Subject:
Symantec Enterprise Security Manager protects against Microsoft Internet Explorer Incorrect MIME Header vulnerability.

Affected Systems:

  • All Windows versions of Microsoft Internet Explorer 5.5 SP1 or earlier, except IE 5.01 SP2, running on x86 platforms
  • Any software which utilizes vulnerable versions of Internet Explorer to render HTML

Problem:
There is a vulnerability in the way Microsoft's Internet Explorer handles certain MIME headers in HTML email. Specially formatted HTML files or email attachments can be opened automatically, allowing arbitrary code to run on a user's computer without permission. This vulnerability is currently being exploited on some hostile web sites.

Details:
A vulnerability in the way Microsoft's Internet Explorer (IE) handles MIME headers in HTML mail files was discovered recently by Juan Carlos Cuartango, a security analyst based in Spain, who worked with Microsoft to confirm the issue and ready a fix. HTML e-mails are just web pages in an e-mail format, so IE is used to open them, and it does so based on their MIME type. The problem is a software flaw in the way IE processes certain MIME types. An attacker can create a malicious HTML e-mail attachment or HTML web file containing a hostile executable. By changing the MIME header information to one of the improperly handled MIME types, the attacker can cause the file to be opened and run automatically, either by placing it on a web site that a user visits or by sending the e-mail attachment containing the hostile executable directly to a user. IE automatically launches the arbitrary code when the file is rendered, and the code runs with the permissions of the user on the affected system.
While the vulnerability is NOT exploitable unless File Downloading is enabled in the Security Zone in which the file is rendered, the default install setting in affected versions of IE is File Downloading enabled.

Risk Impact:
Medium
Risk would depend on the user permissions under which the malicious code is executed.

Security Solution:
Microsoft has released a security bulletin for this vulnerability, http://www.microsoft.com/technet/security/bulletin/MS01-020.asp, with a patch that can be downloaded to fix the problem. To properly apply the patch, a user must first upgrade to a supported version of Internet Explorer; IE 5.01 and 5.5 are the currently supported versions. NOTE: Internet Explorer version 5.01 SP2 already contains a fix for this issue and is not affected.
Or,
If unable to apply the patch immediately, disable "File Download" for the Security Zones in IE as follows:
1. Click Tools
2. Select Internet Options
3. Click the Security tab
4. Click Custom Level
5. In the Downloads section, under File Download, select "Disable"
6. Click OK to apply the changes
File download should be disabled for all security zones to ensure maximum protection. If you need to download a file from a "trusted" site, enable "File Download" as needed, then disable it again before browsing further.

Symantec Enterprise Solutions:
Symantec's Enterprise Security Manager helps manage these functions for you. Patches are managed through the ESM patch module. Through an ESM template, which can be downloaded here, ESM also checks whether "File Download" is enabled in Internet Explorer security zones in violation of your security policy.
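
An added example, not part of the Symantec advisory and not the ESM template: a Python audit that reads the text of a `reg export` of a user's Internet Explorer Zones key and reports every security zone where File Download is not set to Disable, which is the state the workaround steps above produce. The registry layout (zones 0 to 4, value 1803, 3 = Disable) is Microsoft's documented one rather than something stated in this advisory, the sample export is constructed, and treating Prompt or a missing value as a violation is an assumed policy.

```python
import re

# Zone ids and the File Download action id (1803) follow Microsoft's documented
# Internet Explorer zone registry layout; they are not given in the advisory.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
STATES = {0: "Enable", 1: "Prompt", 3: "Disable"}
KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"1803"=dword:([0-9a-f]{8})$', re.I)

# Constructed sample: decoded text of a `reg export` of the per-user Zones key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1803"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1803"=dword:00000003
"1A00"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1803"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A00"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1803"=dword:00000003
"""

def file_download_settings(export_text):
    """Map each zone id to its File Download value, or None if the value is absent."""
    settings = dict.fromkeys(ZONES)
    zone = None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            zone = int(key.group(1))
        elif line.startswith("["):
            zone = None                      # some other key: ignore its values
        elif zone in settings and (val := VAL_RE.match(line)):
            settings[zone] = int(val.group(1), 16)
    return settings

def violations(export_text):
    """Zones where File Download is not explicitly set to Disable (assumed policy)."""
    return [(ZONES[z], STATES.get(v, "not set" if v is None else f"unknown ({v})"))
            for z, v in file_download_settings(export_text).items() if v != 3]

if __name__ == "__main__":
    for name, state in violations(SAMPLE_EXPORT):
        print(f"{name}: File Download = {state}")
```

Registry Editor version 5.00 exports are normally UTF-16 encoded, so decode the file before passing its text to `violations`.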


Copyright (c) 2008 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.