=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2004-01-20-1
-------------------------------------------------------------------------
ASPR #2004-01-20-1: Internet Explorer/Outlook double null character DoS
=========================================================================

Document ID:   ASPR #2004-01-20-1-PUB
Vendor:        Microsoft (http://www.microsoft.com)
Target:        Internet Explorer, Outlook, Windows Explorer
Impact:        Denial of service for Internet Explorer, Outlook and Explorer
Severity:      Medium
Status:        Official patch available, workaround available
Discovered by: Sasa Kos

Current version
http://www.acrossecurity.com/aspr/ASPR-2004-01-20-1-PUB.txt


Summary
=======

For some web servers, two null (%00) characters appended after the host
name cause Internet Explorer or Outlook to consume 100% CPU and freeze.

This issue can be exploited by forcing the user's browser to open a
hostile URL, either by setting up a malicious web site and luring the
user into visiting it, or by sending a malicious HTML e-mail to a user
using Outlook.

Once Internet Explorer or Outlook is frozen, the user must kill the
iexplore.exe or outlook.exe process respectively via Task Manager in
order to resume normal IE/Outlook use.


Product Coverage
================

- Internet Explorer 6 - affected
- Outlook 2002 - affected
- Outlook 2003 - affected

All patches applied, up to and excluding MS04-004 for IE.

Other versions may also be affected.


Analysis
========

There is probably some flawed assumption in the code responsible for
parsing the requested URL, specifically in parsing the host name, that
leads to an endless loop consuming 100% CPU. This issue, however, does
not seem to occur with all host names. Furthermore, we discovered that
the sensitivity to the double-null suffix depends on the "Do not save
encrypted pages to disk" option being turned off (which is the default).
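A defender-side check for the malformed URL shape described above, written for a mail or proxy filter: it flags href/src URLs whose host component carries a NUL character, raw or %00-encoded. This is an added example, not code from the ACROS report; the HTML below is constructed sample input.

```python
"""Flag URLs whose host component contains a NUL (raw or %00-encoded)."""
import re
from html import unescape
from urllib.parse import unquote, urlsplit

# Attribute values that make an HTML renderer fetch a URL.
URL_ATTR_RE = re.compile(r'\b(?:href|src)\s*=\s*["\']?([^"\'\s>]+)', re.I)


def host_has_nul(url: str) -> bool:
    """True if the authority part (host[:port]) of url contains a NUL.

    NULs in the path or query are not the pattern of interest and do not
    count; only the host component is inspected.
    """
    try:
        netloc = urlsplit(url).netloc
    except ValueError:
        # A URL the parser rejects outright is treated as suspicious too.
        return True
    if not netloc:
        return False
    # Decode once: "%00" becomes "\x00"; a raw NUL passes through unchanged.
    return "\x00" in unquote(netloc)


def find_nul_host_urls(html: str) -> list[str]:
    """Return every href/src URL in html whose host component contains a NUL.

    Entity-encoded percent signs (&#37;00) are unescaped first so that an
    attribute value cannot hide the %00 sequence behind HTML entities.
    """
    urls = (unescape(u) for u in URL_ATTR_RE.findall(html))
    return [u for u in urls if host_has_nul(u)]


# Constructed sample: one normal link, one double-NUL host, one NUL in the
# query string only, and one double-NUL host written with HTML entities.
SAMPLE_HTML = """<html><body>
<a href="http://www.example.com/page.html">normal link</a>
<img src="http://www.example.com%00%00/banner.gif">
<img src='http://www.example.com:80/logo.gif?q=%00'>
<a href="http://www.example.com&#37;00&#37;00/">entity-encoded</a>
</body></html>"""

if __name__ == "__main__":
    for flagged in find_nul_host_urls(SAMPLE_HTML):
        print("suspicious URL:", flagged.replace("\x00", "\\x00"))
```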
As far as Outlook is concerned, its susceptibility to this issue is not
surprising, as Outlook uses Internet Explorer's browser object for
rendering HTML e-mail. Outlook 2003 by default prevents remote HTML
images from being displayed for privacy reasons, which effectively
prevents an e-mail borne attack unless the sender is listed in the
"safe senders" list.

Our tests have shown that the computer under attack must be connected to
the Internet directly (not via an HTTP proxy) in order for this issue to
occur.

Finally, once IE or Outlook is frozen, Windows Explorer often freezes as
well, possibly because it calls the same piece of code that is caught in
the endless loop.


Mitigating Factors
==================

1) The issue does not appear when the option "Do not save encrypted
   pages to disk" in Internet Options/Advanced is turned on. This option
   is turned off by default, however.

2) The user's computer must have routed access to the Internet (as
   opposed to access via an HTTP proxy server).


Solution
========

An official patch, MS04-004, was released, which fixes this issue.
Affected users can install it via Windows Update or by downloading it
from http://www.microsoft.com/technet/security/bulletin/ms04-004.asp.


Workaround
==========

Users with routed Internet access who can't install the official patch
can turn on the "Do not save encrypted pages to disk" option in Internet
Explorer to neutralize this vulnerability.


Vendor Communication
====================

January 21, 2004:  vendor notified about the issue
February 2, 2004:  patch MS04-004 released
February 3, 2004:  vendor confirmed the issue
February 9, 2004:  vendor confirmed the solution
February 9, 2004:  vendor reviewed the public report


Acknowledgments
===============

We would like to acknowledge the Microsoft Security Response Center for
its prompt and professional response to our notification of the
identified vulnerability.

The author would like to acknowledge Mitja Kolsek for help and Aljosa
Ocepek for review and useful suggestions.
Contact
=======

ACROS d.o.o.
Stantetova 4
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web:    http://www.acrossecurity.com
phone:  +386 2 4200 766
fax:    +386 2 4200 767

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for
the purpose of education and protection. ACROS d.o.o. shall in no event
be liable for any damage whatsoever, direct or implied, arising from use
or spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and
demonstrations are used only for explanatory purposes and have no
connection with any real host, company or individual. In no event should
it be assumed that use of these names means specific hosts, companies or
individuals are vulnerable to any attacks, nor does it mean that they
consent to being used in any vulnerability tests. The use of information
in this report is entirely at the user's risk.


Revision History
================

February 10, 2004: Initial release


Copyright
=========

(c) 2004 ACROS d.o.o.

Forwarding and publishing of this document is permitted providing the
content between the "[BEGIN-ACROS-REPORT]" and "[END-ACROS-REPORT]"
marks remains unchanged.

=====[END-ACROS-REPORT]=====