A malicious user can use this vulnerability to perform any action on the victim system with the victim user’s privileges – transfer files, run programs, etc. No further user interaction is required apart from viewing a web page created by the attacker. In the e-mail attack scenario the victim user is usually required to click a link in the e-mail.
Somewhere in the process of evaluating the security zone for URLs, hex-decoding (the %xy notation) is done more than once for a single URL, i.e. the already decoded URL is decoded again. This causes undesired effects if the URL contains certain special characters that are themselves encoded more than once.
Unlike some other operating systems, Windows allows the % sign in hostnames, so a URL containing such encoding works in Internet Explorer – given that the hostname resolves correctly to the attacker’s IP address. The attacker can then host e.g. an HTML document on the server, which Internet Explorer misinterprets as belonging in “My Computer” zone.
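To illustrate the canonicalisation defect described above, here is an added Python example (not code from the advisory or from Microsoft) that decodes a constructed URL a varying number of times and shows how the hostname seen by a zone check drifts with each extra pass; `safe_zone_host` is a hypothetical hardened check that decodes exactly once and refuses any hostname that still contains percent-escapes, and `is_multiply_encoded` is a simple detector for such URLs.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the host label carries a doubly percent-encoded "a"
# (%2561 -> %61 -> a). This is NOT the advisory's exploit string.
SAMPLE_URL = "http://www%2561.example.test/page.html"

# Characters a plain DNS hostname may contain after canonicalisation.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def decode_n_times(url: str, n: int) -> str:
    """Apply %xy decoding n times, mimicking the repeated-decoding bug."""
    for _ in range(n):
        url = unquote(url)
    return url


def host_after_decoding(url: str, passes: int) -> str:
    """Hostname a zone check would see after `passes` decoding rounds.

    Each extra pass can turn an escape that survived the previous pass into
    a literal character, so the hostname is not stable across passes.
    """
    return urlsplit(decode_n_times(url, passes)).hostname


def is_multiply_encoded(url: str) -> bool:
    """True if a second decoding pass changes the URL, i.e. it carries
    escapes that were themselves percent-encoded."""
    once = unquote(url)
    return unquote(once) != once


def safe_zone_host(url: str):
    """Hardened canonicalisation (hypothetical): decode exactly once and
    then refuse any hostname that still contains '%' or characters that are
    not valid in a hostname. Returns the hostname, or None if the URL must
    not be treated as belonging to any trusted zone."""
    host = urlsplit(url).hostname  # urlsplit leaves the host undecoded
    if host is None:
        return None
    decoded = unquote(host)
    if "%" in decoded or not HOSTNAME_RE.match(decoded):
        return None
    return decoded
```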
A proof-of-concept exploit was tested with Internet Explorer 6 on Windows 2000 and Windows XP. The exploit successfully launches an attacker-supplied EXE program when the victim user visits a web page containing the exploit. A full list of vulnerable versions is included in Microsoft’s bulletin (link below).
Microsoft was informed of the problem on February 16th, 2004. A preliminary patch was first produced in September 2004 and Microsoft sent it to me for testing. However, it turned out that the fix didn’t correctly protect from a variation of the exploit, so the release was delayed.
The final patch and Microsoft’s bulletin are available at http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx
The vulnerability was discovered and researched by Jouko Pynnönen (firstname.lastname@example.org), Finland.