__________________________________________________________
                        U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                  Microsoft Incorrect VBScript Handling in IE
                     [Microsoft Security Bulletin MS02-009]

February 25, 2002 19:00 GMT                                       Number M-045
______________________________________________________________________________
PROBLEM:       A flaw exists in how VBScript is handled in IE relating to 
               validating cross-domain access. 
PLATFORM:      Microsoft Internet Explorer 5.01 
               Microsoft Internet Explorer 5.5 
               Microsoft Internet Explorer 6.0 
DAMAGE:        A malicious user could exploit this vulnerability by using 
               scripting to extract the contents of frames in other domains, 
               then sending that content back to their web site. This would 
               enable the attacker to view files on the user's local machine. 
SOLUTION:      Apply available patch. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The vulnerability could only be used to 
ASSESSMENT:    view files. It could not be used to create, delete, modify or 
               execute the files. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-045.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-009.asp 
 PATCHES:                                                                     
                     http://www.microsoft.com/windows/ie/downloads/critical/q318089/default.asp 
                     http://www.microsoft.com/Windowsupdate 
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-009 *****]
Microsoft Security Bulletin MS02-009  

Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files
Originally posted: February 21, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Internet Explorer. 

Impact of vulnerability: Information Disclosure 

Maximum Severity Rating: Critical 

Recommendation: Customers using IE should apply the patch. 

Affected Software: 

Microsoft Internet Explorer 5.01 
Microsoft Internet Explorer 5.5 
Microsoft Internet Explorer 6.0 


Technical description: 

Frames are used in Internet Explorer to provide for a fuller browsing experience. 
By design, scripts in the frame of one site or domain should be prohibited from 
accessing the content of frames in another site or domain. However, a flaw exists 
in how VBScript is handled in IE relating to validating cross-domain access. This 
flaw can allow scripts of one domain to access the contents of another domain in 
a frame. 

A malicious user could exploit this vulnerability by using scripting to extract 
the contents of frames in other domains, then sending that content back to their 
web site. This would enable the attacker to view files on the user's local machine 
or capture the contents of third-party web sites the user visited after leaving the 
attacker’s site. The latter scenario could, in the worst case, enable the attacker 
to learn personal information like user names, passwords, or credit card information. 

In both cases, the user would either have to go to a site under the attacker's 
control or view an HTML email sent by the attacker. In addition, the attacker would 
have to know the exact name and location of any files on the user's system. Further, 
the attacker could only gain access to files that can be displayed in a browser 
window, such as text files, HTML files, or image files. 

Mitigating factors: 

The vulnerability could only be used to view files. It could not be used to create, 
delete, modify or execute them.
 
The vulnerability would only allow an attacker to read files that can be opened in 
a browser window, such as image files, HTML files and text files. Other file types, 
such as binary files, executable files, Word documents, and so forth, could not be 
read.
 
The attacker would need to specify the exact name and location of the file in order 
to read it.
 
The email-borne attack scenario would be blocked if the user were using any of the 
following: Outlook 98 or 2000 with the Outlook Email Security Update installed; 
Outlook 2002; or Outlook Express 6.
 
Severity Rating:  	Internet Servers 	Intranet Servers 	Client Systems 
Internet Explorer 5.01 	Moderate 		Moderate 		Critical 
Internet Explorer 5.5 	Moderate 		Moderate 		Critical 
Internet Explorer 6.0 	Moderate 		Moderate 		Critical
 
The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. This vulnerability affects the disclosure of personal information, 
and is most likely to have an impact on client systems. 

Vulnerability identifier: CAN-2002-0052 

Patch availability
Download locations for this patch 
http://www.microsoft.com/windows/ie/downloads/critical/q318089/default.asp 
http://www.microsoft.com/Windowsupdate 

Additional information about this patch
Installation platforms: 
The IE 5.01 patch can be applied to Windows 2000 Systems with Service Pack 2 running 
IE 5.01. 
The IE 5.5 patch can be installed on systems running IE 5.5 Service Pack 1 or 
Service Pack 2. 
The IE 6.0 patch can be installed on system running IE 6.0 Gold. 

Inclusion in future service packs:
The fix for this issue will be included in Internet Explorer 6.0 Service Pack 1. 

Reboot needed: Yes 

Superseded patches: None. 

Verifying patch installation: 

To verify the individual files, use the patch manifest provided in Knowledge Base 
article Q318089. 
Caveats:
Third-party scripting languages may be affected by this issue. An architectural 
change is being made in a future service pack of IE that will ensure that this 
cannot be an issue for third-party scripting languages. 

Localization:
Localized versions of this patch are under development. When completed, they will 
be available at the locations discussed in "Obtaining other security patches". 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be most 
easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 
All patches available via WindowsUpdate also are available in a redistributable 
form from the WindowsUpdate Corporate site. 

Other information: 
Acknowledgments
Microsoft thanks  Zentai Peter Aron, Ivy Hungary Ltd (http://w3.ivy.hu/) for 
reporting this issue to us and working with us to protect customers. 

Support: 

Microsoft Knowledge Base article Q318089 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. Knowledge 
Base articles can be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There 
is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either express 
or implied, including the warranties of merchantability and fitness for a 
particular purpose. In no event shall Microsoft Corporation or its suppliers be 
liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if Microsoft 
Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation may not apply. 

Revisions: 

V1.0 (February 21, 2002): Bulletin Created.

[***** End Microsoft Security Bulletin MS02-009 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-035: Red Hat Linux "rsync" Vulnerability
M-036: Microsoft Windows NT/2000 Trust Domain Vulnerability
M-037: Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module 
M-038: Cisco Secure Access Control Server NDS User Authentication Vulnerability
M-039: Microsoft Telnet Server Buffer Overflow Vulnerability
M-040: MS Exchange - Incorrectly Sets Remote Registry Permissions
M-041: Microsoft Internet Explorer Cumulative Patch
M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP
M-043: Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability
M-044: SQL Server Remote Data Source Function Contain Unchecked Buffers