发布时间 :2002-03-08 00:00:00
修订时间 :2017-10-09 21:30:03

[原文]Buffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated.

[CNNVD]Microsoft Internet Explorer HTML文档指令缓冲区溢出漏洞(CNNVD-200203-011)

        Internet Explorer 5.5和6.0版本的mshtml.dll的HTML指令实现存在缓冲区溢出漏洞。远程攻击者借助web页执行任意代码,该漏洞以一种导致2字符编码标准的字符串连接的方式指定嵌入式控制项。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:ie:5.5Microsoft ie 5.5
cpe:/a:microsoft:ie:6.0Microsoft Internet Explorer 6.0

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:925MS IE HTML Directive Buffer Overflow

- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20020213 dH & SECURITY.NNOV: buffer overflow in mshtml.dll
(UNKNOWN)  BUGTRAQ  20020227 Details and exploitation of buffer overflow in mshtml.dll (and few sidenotes on Unicode overflows in general)
(VENDOR_ADVISORY)  XF  ie-html-directive-bo(8116)
(UNKNOWN)  BID  4080

- 漏洞信息

Microsoft Internet Explorer HTML文档指令缓冲区溢出漏洞
高危 缓冲区溢出
2002-03-08 00:00:00 2005-05-02 00:00:00
        Internet Explorer 5.5和6.0版本的mshtml.dll的HTML指令实现存在缓冲区溢出漏洞。远程攻击者借助web页执行任意代码,该漏洞以一种导致2字符编码标准的字符串连接的方式指定嵌入式控制项。

- 公告与补丁

        Microsoft has released a patch which addresses this issue:
        Microsoft Internet Explorer 5.5 SP2
        Microsoft Internet Explorer 5.5 SP1
        Microsoft Internet Explorer 6.0

- 漏洞信息 (F25806) (PacketStormID:F25806)
2002-02-26 00:00:00

CERT Advisory CA-2002-04 - Microsoft Internet Explorer contains a buffer overflow vulnerability in its handling of embedded objects in HTML documents. This vulnerability allows attackers to execute arbitrary code on the victim's system when the victim visits a web page or views an HTML email message. This bug was discussed in MS02-005.


CERT Advisory CA-2002-04 Buffer Overflow in Microsoft Internet Explorer

   Original release date: February 25, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Microsoft Internet Explorer
     * Microsoft Outlook and Outlook Express
     * Other  applications  that use the Internet Explorer HTML rendering


   Microsoft  Internet  Explorer contains a buffer overflow vulnerability
   in   its   handling  of  embedded  objects  in  HTML  documents.  This
   vulnerability could allow an attacker to execute arbitrary code on the
   victim's  system  when  the  victim visits a web page or views an HTML
   email message.

I. Description

   Internet Explorer supports the <EMBED> directive, which can be used to
   include  arbitrary objects in HTML documents. Common types of embedded
   objects  include multimedia files, Java applets, and ActiveX controls.
   The SRC attribute specifies the source path and filename of an object.
   For  example,  a  MIDI  sound might be embedded in a web page with the
   following HTML code:

     <EMBED TYPE="audio/midi" SRC="/path/sound.mid" AUTOSTART="true">

   Internet  Explorer  uses  attributes of the <EMBED> directive and MIME
   information from the web server to determine how to handle an embedded
   object. In most cases, a separate application or plugin is used.

   A  group  of  Russian  researchers,  SECURITY.NNOV,  has reported that
   Internet  Explorer  does  not properly handle the SRC attribute of the
   <EMBED>  directive. An HTML document, such as a web page or HTML email
   message,  that  contains  a crafted SRC attribute can trigger a buffer
   overflow,  executing  code with the privileges of the user viewing the
   document.  Microsoft  Internet  Explorer, Outlook, and Outlook Express
   are vulnerable. Other applications that use the Internet Explorer HTML
   rendering  engine, such as Windows compiled HTML help (.chm) files and
   third-party email clients, may also be vulnerable.

   The  CERT/CC  is  tracking  this  vulnerability  as  VU#932283,  which
   corresponds  directly  to the "buffer overrun" vulnerability described
   in Microsoft Security Bulletin MS02-005.

   This vulnerability has been assigned the CVE identifier CAN-2002-0022.

II. Impact

   By  convincing  a  user to view a malicious HTML document, an attacker
   can  cause  the  Internet  Explorer  HTML  rendering engine to execute
   arbitrary  code  with  the  privileges of the user who viewed the HTML
   document. This vulnerability could be exploited to distribute viruses,
   worms, or other malicious code.

III. Solution

Apply a patch

   Microsoft  has  released a cumulative patch for Internet Explorer that
   corrects  this  vulnerability and several others. For more information
   about the patch and the vulnerabilities, please see Microsoft Security
   Bulletin MS02-005:

Disable ActiveX Controls and Plugins

   In  Internet Explorer, plugins may be used to view, play, or otherwise
   process  embedded  objects.  The  execution  of  embedded  objects  is
   controlled  by the "Run ActiveX Controls and Plugins" security option.
   Disabling  this  option  will  prevent  embedded  objects  from  being
   processed,   and   will   therefore   prevent   exploitation  of  this

   According to MS02-005:

     The  vulnerability  could  not  be  exploited  if  the "Run ActiveX
     Controls and Plugins" security option were disabled in the Security
     Zone  in which the page was rendered. This is the default condition
     in  the  Restricted Sites Zone, and can be disabled manually in any
     other Zone.

   At  a minimum, disable the "Run ActiveX Controls and Plugins" security
   option  in  the  Internet Zone and the zone used by Outlook or Outlook
   Express.  The  "Run  ActiveX  Controls and Plugins" security option is
   disabled  in  the  "High"  zone  security  setting.  Instructions  for
   configuring  the Internet Zone to use the "High" zone security setting
   can be found in the CERT/CC Malicious Web Scripts FAQ:

Apply the Outlook Email Security Update

   Another  way to effectively disable the processing of ActiveX controls
   and  plugins  in  Outlook  is  to  install  the Outlook Email Security
   Update.  The  update  configures Outlook to open email messages in the
   Restricted  Sites  Zone,  where the "Run ActiveX Controls and Plugins"
   security  option  is  disabled  by  default.  In  addition, the update
   provides  further  protection  against malicious code that attempts to
   propagate via Outlook.

     * Outlook 2002 and Outlook Express 6
       The functionality of the Outlook Email Security Update is included
       in Outlook 2002 and Outlook Express 6.
     * Outlook 2000
     * Outlook 98

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  When  vendors  report  new  information  to the CERT/CC, we
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their


   Microsoft  has  released  a  Security  Bulletin  and  a Knowledge Base
   Article addressing this vulnerability:
     * Security Bulletin MS02-005
     * Knowledge Base Article Q317731;en-us;Q317731


   Our  email client Mulberry does not use the core HTML rendering engine
   library  for  its  HTML  display, and so is not affected by the bug in
   that  library.  Having  looked at the details of this alert I can also
   confirm that our own HTML rendering engine is not affected by this, as
   it ignores the relevant tags.

Appendix B. - References



   The  CERT/CC  thanks  ERRor and DarkZorro of domain Hell and 3APA3A of
   SECURITY.NNOV for reporting this issue to us.

   Author: Art Manion

   This document is available from:

CERT/CC Contact Information

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

Revision History
   February 25, 2002:  Initial release

Version: PGP 6.5.8


- 漏洞信息

Microsoft IE HTML Document Directive Overflow
Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

2002-02-13 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete