Signature Detail

HTTP: Internet Explorer MHTML Redirection

This signature detects attempts to exploit a known vulnerability in Microsoft Internet Explorer. Internet Explorer 6.0SP1 and earlier are affected. Attackers can use maliciously crafted MHTML redirections to cause IE users to download and execute arbitrary code.

Extended Description

Microsoft Internet Explorer has been reported prone to a vulnerability that may permit hostile content to be interpreted in the Local Zone. The issue may be exploited via the ITS (InfoTech Storage) Protocol URI handler. It is possible to use this protocol to force a browser into the Local Zone by redirecting into a non-existent MHTML file (using other known vulnerabilities). In this manner, it may be possible to reference hostile content to be executed in the Local Zone, such as a malicious CHM file. The issue, in combination with other vulnerabilities, is exploitable to provide for automatic delivery and execution of an arbitrary executable. This would occur when malicious web content is rendered in Internet Explorer. Outlook products and other components that use Internet Explorer to render HTML content also present possible attack vectors for this issue. It should be noted that there are multiple ways to invoke the protocol handler, such as through its:, ms-its:, ms-itss: and mk:@MSITStore: URIs. It has also been reported that web browsers other than Internet Explorer may also invoke the operating system URI handlers for the ITS protocol. It has been reported that this vulnerability is actively being exploited as an infection vector for malicious code that has been dubbed Trojan.Ibiza. **NOTE: Microsoft has released a cumulative update for Outlook Express (MS04-013) to address the MHTML-related vulnerabilities that are commonly exploited in tandem with this issue. While MS04-013 lists the same CVE candidate name as this BID, it is not currently known if this update also addresses the distinct ITS Protocol vulnerability. However, users are advised to apply the available updates, as they will reduce exposure to existing exploits that rely on the MHTML issues to exploit this or other vulnerabilities. It should be noted that if this individual vulnerability has not been addressed by the update, there may still potentially be other attack vectors which do not rely on the MHTML issues. **Update: Symantec has observed targeted attacks "in the wild" with confirmation that systems were compromised as a result. Users are advised to ensure that the patch has been installed and take appropriate measures to avoid future attacks using potentially unpublished and unpatched vulnerabilities. This includes disabling scripting and active content by default wherever possible (use the MSIE Zone functionality to permit scripting for content from trusted domains). Avoid visiting suspicious links, such as those included in e-mail/instant messages or other untrustworthy communications. Disable HTML e-mail, if possible.

Affected Products

• Microsoft Internet Explorer 5.0
• Microsoft Internet Explorer 5.0.1
• Microsoft Internet Explorer 5.0.1 SP1
• Microsoft Internet Explorer 5.0.1 SP2
• Microsoft Internet Explorer 5.0.1 SP3
• Microsoft Internet Explorer 5.0.1 SP4
• Microsoft Internet Explorer 5.5
• Microsoft Internet Explorer 5.5 Preview
• Microsoft Internet Explorer 5.5 SP1
• Microsoft Internet Explorer 5.5 SP2
• Microsoft Internet Explorer 6.0
• Microsoft Internet Explorer 6.0 SP1
• Microsoft Outlook Express 5.5
• Microsoft Outlook Express 6.0

References

• BugTraq: 9658
• CVE: CVE-2004-0380
• URL: http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx
• URL: http://www.us-cert.gov/cas/techalerts/TA04-099A.html