COMMAND

    IE

SYSTEMS AFFECTED

    IE 5.x

PROBLEM

    Juan Carlos Garcia Cuartango found the following.  Microsoft has
    released security bulletin MS01-020, entitled "Incorrect MIME
    Header Can Cause IE to Execute E-mail Attachment".  EML files are
    MIME multipart files that IE 5 will parse.  There is a
    vulnerability allowing arbitrary code execution using this kind
    of file.  This vulnerability could allow a hostile page or e-mail
    to perform any action on your computer.  The vulnerability
    affects IE 5 and IE 5.5 on all Windows platforms.

    Juan has prepared some demos of the vulnerability on a major
    Spanish security site:

        http://www.kriptopolis.com/cua/eml.html

    If you want to have a look at the hostile EML files, you must
    click the right mouse button over the pictures and select the
    "Save Target As" menu option.

    Because HTML e-mails are simply web pages, IE can render them  and
    open binary  attachments in  a way  that is  appropriate to  their
    MIME types.  However, a flaw exists in the type of processing that
    is  specified  for  certain  unusual  MIME  types.  If an attacker
    created an HTML e-mail  containing an executable attachment,  then
    modified  the  MIME  header   information  to  specify  that   the
    attachment  was  one  of  the  unusual  MIME types that IE handles
    incorrectly, IE would launch the attachment automatically when  it
    rendered the e-mail.  An attacker could use this vulnerability  in
    either of two scenarios.   She could host an affected  HTML e-mail
    on a web  site and try  to persuade another  user to visit  it, at
    which point script on a web page could open the mail and  initiate
    the  executable.   Alternatively,  she  could  send  the HTML mail
    directly to the user.  In either case, the executable attachment,
    if it ran, would be limited only by the user's permissions on the
    system.

    The vulnerability could  not be exploited  if File Downloads  have
    been  disabled  in  the  Security  Zone  in  which  the  e-mail is
    rendered.  This is not a default setting in any zone, however.

    The file extension .NWS (OE News File) will achieve the same
    result as a .EML file.  So if you're filtering for these at your
    mail/proxy server, you might want to block these as well.  Like
    .EML files, these also execute upon 'selecting' in Windows
    Explorer because of the preview function.
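
    As an added example (not part of the original advisory or of
    Microsoft's bulletin), a gateway-side check for the two conditions
    described above: an attachment with an executable name whose declared
    MIME type is not an application type, and .EML/.NWS containers.  The
    extension list, function names and sample message are assumptions
    constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: executable extensions picked for this example, not from the advisory.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs"}
# Named in the advisory as file types worth blocking at the mail/proxy server.
CONTAINER_EXTS = {".eml", ".nws"}

def scan_message(raw: bytes):
    """Return (filename, declared_type, reason) for each suspicious part."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() checks Content-Disposition, then Content-Type "name".
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "a.exe. " is still a.exe.
        ext = os.path.splitext(name.strip().rstrip(". ").lower())[1]
        ctype = part.get_content_type()
        if ext in CONTAINER_EXTS:
            findings.append((name, ctype, "mail/news container attachment"))
        elif ext in EXECUTABLE_EXTS and part.get_content_maintype() != "application":
            # Header claims a media/text type but the name says executable.
            findings.append((name, ctype, "executable name, non-application MIME type"))
    return findings

def build_sample() -> bytes:
    """Constructed test message; payloads are placeholder bytes, not programs."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("<p>body</p>", subtype="html")
    # Mismatch: executable name, placeholder media type (hypothetical subtype).
    msg.add_attachment(b"placeholder", maintype="audio",
                       subtype="x-example", filename="report.exe. ")
    # Declared as what it is; left to a separate attachment policy.
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="thread.NWS")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, ctype, reason in scan_message(build_sample()):
        print(f"{name!r} declared as {ctype}: {reason}")
```

    An attachment that is flagged here can be quarantined or stripped at
    the gateway before it reaches a client that renders HTML mail.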

SOLUTION

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin

        http://www.microsoft.com/technet/security/bulletin/ms01-020.asp

    for information on obtaining this patch.