TechNet Home > TechNet Security > Bulletins

Microsoft Security Bulletin MS01-053

Downloaded Applications Can Execute on Mac IE 5.1 for OS X.

Originally posted: October 23, 2001
Updated: June 13, 2003

Summary

Who should read this bulletin:
All users of Microsoft® Internet Explorer 5.1 for Macintosh®

Impact of vulnerability:
Run code of attacker's choice

Maximum risk rating:
Moderate

Recommendation:
Customers should use the Mac OS X v10.1 Software Update utility to install the "Internet Explorer Security Update"

Affected Software:

•	Microsoft Internet Explorer 5.1 for the Macintosh

Top of section

General Information

Technical details

Technical description:

The Macintosh OS X Operating System provides built-in support for both BinHex and MacBinary file types. These file types allow for the efficient transfer of information across networks by allowing information to be compressed by the sender and then decompressed by the recipient. This capability is particularly useful on the Internet, by allowing users to dowload compressed files.

A vulnerability results because of a flaw in the way Mac OS X and Mac IE 5.1 interoperate when BinHex and MacBinary file types are downloaded. As a result, an application that is downloaded in either of these formats can execute automatically once the download is complete.

A user would first have to choose to download a file and allow the download to fully complete before the application could execute. Also, users can choose to disable the automatic decoding of both these file types.

Mitigating factors:

•	The user would have to choose to downoad the application before any attempt could be made to exploit the vulnerablity. It cannot be exploited without user interaction.
•	The application would have to successfully download before any attempt could be made to exploit the vulnerability. The user can cancel the download at anytime prior to completion.
•	The vulnerability could not be exploited if automatic decoding of BinHex and MacBinary files has been disabled. This is not a default setting however.

Risk Rating:

	Internet Systems	Intranet Systems	Client Systems
Mac OS X	None	None	Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2001-0720

Tested Versions:

Microsoft tested Internet Explorer for the Macintosh version 5.1, version 5.1.2 to assess whether they are affected by this vulnerability. Previous versions of Internet Explorer for Mac OS X are no longer supported and may or may not be affected by this vulnerability.

Top of section

Frequently asked questions

What's the scope of the vulnerability?
This vulnerability could allow an application to execute unexpectedly. If an attacker enticed the victim to download a malicious program compressed as a BinHex or MacBinary file type, the program could execute after the download completed.
For this attack to succeed, the user would have to initiate the download process. This vulnerability cannot be used to automatically download and excute malicious code on the users system.

What causes the vulnerability?
The vulnerability results because an issue with how IE and the Mac OS interoperate when handling downloaded MacBinary and BinHex files.

What are BinHex and MacBinary files?
BinHex is a utility that encodes Macintosh files so that they can travel well on networks. BinHex encodes a file from its 8-bit binary or bit-stream representation into a 7-bit ASCII set of text characters. The recipient decodes it at the other end.
MacBinary is a format for binary transfer of Macintosh documents over a telecommunication link. It is intended for use between Macintoshes and in uploading Macintosh documents to remote systems.

How could an attacker exploit this vulnerability?
An attacker would need to host an executable file on a web site, packaged as either a BinHex or MacBinary file, and then entice another user to visit the site and initiate a download. Once the download was complete, the executable file would automatically execute.

What does the patch do?
This patch updates Internet Explorer 5.1 to version 5.1.3 (build 3905) and prevents the Mac OS from automatically launching MacBinary and BinHex files.

Where can I download the patch or how do I update my OS?
Users must use the Software Update feature of Mac OS X v10.1 to install the "Internet Explorer 5.1 Security Update."
More information on Software Update is available at: http://www.apple.com/softwareupdate.

Top of section

Patch availability

Download locations for this patch

•	Microsoft IE 5.1 for Mac OSX: Users must use the Software Update feature of Mac OS X v10.1 to install the "Internet Explorer 5.1 Security Update." More information on Software Update is available at: http://www.apple.com/softwareupdate.

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Mac OS X v10.1.

Reboot needed: No

Superseded patches: None.

Verifying patch installation:

•	To verify that the patch has been installed on the machine, confirm that the version number of Internet Explorer is now 5.1.3. This can be done by choosing "About Internet Explorer" from the "Explorer" menu and confirming the version number is "5.1.3 (3905)"

Caveats:

None

Localization:

This patch can be installed on all versions of Internet Explorer 5.1 for Mac OS X v10.1.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site.

Top of section

Other information:

Support:

•	Microsoft Knowledge Base article Q311052 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
•	Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

•	V1.0 (October 23, 2001): Bulletin Created.
•	V1.1 (June 13, 2003): Updated download links to Windows Update.

Top of section

Top of page