Microsoft Security Advisory (913333)

Microsoft Security Advisory (913333)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: February 7, 2006

Microsoft is investigating new public reports of a vulnerability in older versions of Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. The attacker could do this by one or more of the following actions:
•

By hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site;
•

By convincing a user to open a specially crafted e-mail attachment;
•

By convincing a user to click on a link in an e-mail message that takes the user to a malicious Web site; or
•

By sending a specially crafted e-mail message to Outlook Express users, which they view in the preview pane.

Note This is not the same issue as the one addressed by Microsoft Security Bulletin MS06-001 (912919).
The vulnerability exists in:
•

Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
•

Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium.

The vulnerability does not exist in:
•

Internet Explorer for Microsoft Windows XP Service Pack 1 and Windows XP Service Pack 2
•

Internet Explorer for Microsoft Windows XP Professional x64 Edition
•

Internet Explorer for Microsoft Windows Server 2003 and Windows Server 2003 Service Pack 1
•

Internet Explorer for Windows Server 2003 for Itanium-based Systems
•

Internet Explorer for Windows Server 2003 with Service Pack 1 for Itanium-based Systems
•

Internet Explorer for Windows Server 2003 x64 Edition
•

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
•

Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
•

Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 Second Edition
•

Internet Explorer 6 Service Pack 1 on Windows Millennium Edition

Microsoft has determined that an attacker who exploits this vulnerability would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems. In an e-mail based attack, customers would have to click a link to the malicious Web site, preview a malicious e-mail message, or open an attachment that exploited the vulnerability. In both Web-based and e-mail based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Mitigating Factors:
•

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
•

In an e-mail based attack of this exploit, customers would have to open a malicious e-mail message, preview a malicious e-mail message in the Outlook Express preview pane, click on a link that would take them to a malicious Web site, or open an attachment that could exploit the vulnerability. Users can disable the preview pane in Outlook Express and delete the suspicious e-mail message without opening the e-mail message.
•

In an e-mail based attack of this exploit, customers would have to open a malicious e-mail message, preview a malicious e-mail message in the Outlook preview pane, click on a link that would take them to a malicious Web site, or open an attachment that could exploit the vulnerability. Users can disable the preview pane in Outlook and delete the suspicious e-mail message without opening the e-mail message. Customers who read e-mail in plain text in Outlook would have to click on a link that would take them to a malicious Web site, or open an attachment to be at risk from this vulnerability.
•

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
•

Customers who have installed Internet Explorer 6 Service Pack 1 are not affected by this vulnerability.
•

Internet Explorer 6 Service Pack 1 is the only supported version for Windows 98 and Windows 98 Second Edition.
•

This issue does not affect Windows XP Service Pack 1, Windows XP Service Pack 2, Windows XP Professional x64 Edition, Windows Server 2003, Windows Server 2003 Service Pack 1, Windows Server 2003 for Itanium-based Systems, Windows Server 2003 with Service Pack 1 for Itanium-based Systems, or Windows Server 2003 x64 Edition.

http://www.microsoft.com/technet/security/advisory/913333.mspx