Pastimes : Computer Learning

To: mr.mark (who started this subject)
From: mr.mark
Date: 3/31/2001 4:24:53 PM
 
Microsoft Security Bulletin (MS01-020)

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment

Originally posted: March 29, 2001

Summary

Who should read this bulletin: Customers using Microsoft® Internet
Explorer.

Impact of vulnerability: Run code of attacker’s choice.

Recommendation: Customers using IE should install the patch immediately.

Affected Software:

Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5

Note: Internet Explorer 5.01 Service Pack 2 is not affected by this
vulnerability.

Technical details

Technical description:
Because HTML e-mails are simply web pages, IE can render them and open
binary attachments in a way that is appropriate to their MIME types.
However, a flaw exists in the type of processing that is specified for certain
unusual MIME types. If an attacker created an HTML e-mail containing an
executable attachment, then modified the MIME header information to
specify that the attachment was one of the unusual MIME types that IE
handles incorrectly, IE would launch the attachment automatically when it
rendered the e-mail.

An attacker could use this vulnerability in either of two scenarios. She could
host an affected HTML e-mail on a web site and try to persuade another user
to visit it, at which point script on a web page could open the mail and
initiate the executable. Alternatively, she could send the HTML mail directly
to the user. In either case, the executable attachment, if it ran, would be
limited only by the user’s permissions on the system.
microsoft.com

Microsoft Internet Explorer Security Update, March 29, 2001

"This update resolves a security vulnerability in Internet Explorer, and is discussed in Microsoft Security Bulletin MS01-020. Download now to prevent a malicious user from running an executable e-mail attachment on your computer.

This vulnerability exists because Internet Explorer does not handle MIME (Multipurpose Internet Mail Extensions) headers in HTML e-mails correctly. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer. If this occurs, the executable can take any action on the computer that the user can take, including adding, changing, or deleting data, communicating with Web sites, or reformatting the hard drive. This update eliminates the vulnerability by correcting the way Internet Explorer handles MIME headers in HTML e-mails, preventing e-mails from automatically launching executable attachments."
microsoft.com
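A mail-filter style check for the condition the bulletin describes, an attachment whose declared MIME type does not match its executable content. This is an added example, not part of the original post or of Microsoft's bulletin. The sample message, the placeholder type `application/x-example-unusual`, and the type and extension lists are constructed assumptions, since the bulletin does not name the affected MIME types.

```python
import email
from email import policy

# Leading bytes (magic numbers) of common executable formats.
EXEC_MAGIC = {b"MZ": "Windows PE/DOS executable", b"\x7fELF": "ELF executable"}
# Declared types that already mark a part as binary/executable (assumed list).
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec",
              "application/octet-stream"}
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")

# Constructed sample: the second part claims a placeholder MIME type, but its
# base64 body decodes to 12 bytes that begin with the "MZ" signature.
SAMPLE = (
    b"From: sender@example.test\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>hello</body></html>\r\n"
    b"--b1\r\n"
    b"Content-Type: application/x-example-unusual\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="report.dat"\r\n\r\n'
    b"TVqQAAMAAAAEAAAA\r\n"
    b"--b1--\r\n"
)

def find_mismatched_parts(raw_message: bytes):
    """Return (declared_type, filename, reason) for each suspicious part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the decoded bytes over the header: check the file signature.
        kind = next((name for magic, name in EXEC_MAGIC.items()
                     if payload.startswith(magic)), None)
        if kind and declared not in EXEC_TYPES:
            findings.append((declared, filename, f"payload is {kind}"))
        elif filename.lower().endswith(EXEC_EXTS) and declared not in EXEC_TYPES:
            findings.append((declared, filename, "executable file extension"))
    return findings

if __name__ == "__main__":
    print(find_mismatched_parts(SAMPLE))
```

A gateway would quarantine or strip any part this returns instead of handing it to the mail client for rendering.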