__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Microsoft Cumulative Patch for Internet Explorer
[Microsoft Security Bulletin MS03-004]
February 6, 2003 18:00 GMT Number N-038
______________________________________________________________________________
PROBLEM: In addition to including the functionality of all previously
released patches for Internet Explorer 5.01, 5.5 and 6.0, this
patch also eliminates two newly discovered vulnerabilities
involving Internet Explorer’s cross-domain security model.
PLATFORM: Microsoft Internet Explorer 5.01, 5.5, and 6.0
DAMAGE: An attacker could possibly run malicious script by misusing a
dialog box and cause a script to access information in a
different domain. In addition, this flaw could possibly also
enable an attacker to invoke an executable that was already
present on the local system.
SOLUTION: Apply available patches.
______________________________________________________________________________
VULNERABILITY The risk is HIGH. In order to exploit this flaw, an attacker
ASSESSMENT: would have to host a malicious web site that contained a web
page designed to exploit this particular vulnerability and then
persuade a user to visit that site.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-038.shtml
ORIGINAL BULLETIN:
http://www.microsoft.com/technet/treeview/default.asp?url=
/technet/security/bulletin/MS03-004.asp
PATCHES:
http://www.microsoft.com/windows/ie/downloads/critical
/810847/default.asp
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS03-004 *****]
Microsoft Security Bulletin MS03-004
Cumulative Patch for Internet Explorer (810847)
Originally posted: February 5, 2003
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer.
Impact of vulnerability: Allow an attacker to execute commands on a user’s
system.
Maximum Severity Rating: Critical
Recommendation: Customers should install the patch immediately.
Affected Software:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-004.asp
Technical details
Technical description:
This is a cumulative patch that includes the functionality of all previously
released patches for IE 5.01, 5.5, 6.0. In addition, it eliminates two newly
discovered vulnerabilities involving Internet Explorer’s cross-domain security
model - which keeps windows of different domains from sharing information.
These flaws results in Internet Explorer because incomplete security checking
causes Internet Explorer to allow one website to potentially access information
from another domain when using certain dialog boxes.
In order to exploit this flaw, an attacker would have to host a malicious web
site that contained a web page designed to exploit this particular vulnerability
and then persuade a user to visit that site. Once the user has visited the
malicious web site, it would be possible for the attacker to run malicious
script by misusing a dialog box and cause that script to access information
in a different domain. In the worst case, this could enable the web site
operator to load malicious code onto a user's system. In addition, this flaw
could also enable an attacker to invoke an executable that was already present
on the local system.
A related cross-domain vulnerability allows Internet Explorer’s showHelp()
functionality to execute without proper security checking. showHelp() is one
of the help methods used to display an HTML page containing help content.
showHelp() allows more types of pluggable protocols than necessary, and this
could potentially allow an attacker to access user information, invoke
executables already present on a user’s local system or load malicious code
onto a user’s local system.
The requirements to exploit this vulnerability are the same as for the issue
described above: an attacker would have to host and lure a user to a malicious
web site. In this scenario, the attacker could open a showHelp window to a known
local file on the visiting user’s local system and gain access to information
from that file by sending a specially crafted URL to a second showHelp window.
The attacker could also potentially access user information or run code of
attacker’s choice.
This cumulative patch will cause window.showHelp( ) to cease to function. When
the latest HTML Help update - which is being released via Windows Update with
this patch - is installed, window.showHelp( ) will function again, but with
some limitations (see the caveats section later in this bulletin). This has
been necessary in order to block the attack vector that might allow a web site
operator to invoke an executable that was already present on a user’s local
system.
Mitigating factors:
The attacker would have to host a web site that contained a web page used to
exploit either of these cross-domain vulnerabilities.
The attacker would have no way to force users to visit the site. Instead, the
attacker would need to lure them there, typically by getting them to click on
a link that would take them to the attacker's site.
By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the
Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in
the Restricted Sites Zone if the Outlook Email Security Update has been
installed. Customers who use any of these products would be at no risk from
an e-mail borne attack that attempted to exploit this vulnerability unless
the user clicked a malicious link in the email.
Internet Explorer 5.01 users are not affected by the first vulnerability.
Severity Rating:
Internet Explorer 5.01 Critical
Internet Explorer 5.5 Critical
Internet Explorer 6.0 Critical
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.
Vulnerability identifier:
Improper Cross Domain Security Validation with dialog box CAN-2003-1326
Improper Cross Domain Security Validation with ShowHelp functionality
CAN-2003-1328
Tested Versions:
Microsoft tested Internet Explorer 6.0, 5.5 and 5.01 to assess whether they
are affected by this vulnerability. Previous versions are no longer supported
and may or may not be affected by this vulnerability.
Patch availability
Download locations for this patch
http://www.microsoft.com/windows/ie/downloads/critical/810847/default.asp
Additional information about this patch
Installation platforms:
The IE 5.01 patch can be installed on the following systems running IE 5.01
Service Pack 3: Windows 2000 Service Pack 3.
The IE 5.5 patch can be installed on the following systems running IE 5.5
Service Pack 2: Windows Millennium
The IE 6.0 patch can be installed on the following systems running IE 6.0
Gold: Windows XP Gold.
The IE 6.0 Service Pack 1 patch can be installed on the following systems
running IE 6.0 Service Pack 1: Windows XP Service Pack 1, Windows 2000 Service
Pack 3, Windows NT 4.0 Service Pack 6a, Windows Millennium or Windows 98.
More in formation on Windows support lifecycles is available at
http://www.microsoft.com/windows/lifecycle/desktop/business/components.mspx
Inclusion in future service packs:
The fixes for the issues affecting Internet Explorer 6.0 will be included in
Internet Explorer 6.0 Service Pack 2.
Reboot needed: Yes
Patch can be uninstalled: No
Superseded patches:
This patch supersedes the ones provided in Microsoft Security Bulletin
MS02-068 and MS02-066, which are also cumulative patches.
Verifying patch installation:
To verify that the patch has been open IE, select Help, then select About
Internet Explorer and confirm that Q810847 is listed in the Update Versions
field.
To verify the individual files, use the patch manifest provided in Knowledge
Base article 810847.
Caveats:
Users who apply this patch will not be able to use some HTML Help functionality.
In order to restore that functionality, users need to download the updated
HTML Help control (811630). Users should also note that when the latest version
of HTML Help is installed, the following limitations will occur when a help
file is opened with the showHelp method:
Only supported protocols can be used with showHelp to open a web page or help
(chm) file.
The shortcut function supported by HTML Help will be disabled when the help
file is opened with showHelp This will not affect the shortcut functionality
if the same CHM file is opened by the user manually by double-clicking on the
help file, or by through an application on the local system using the
HTMLHELP( ) API.
Localization:
Localized versions of this patch are available at the locations discussed in
"Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
Security patches are available from the Microsoft Download Center, and can be
most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site.
Other information:
Acknowledgments
Microsoft thanks Andreas Sandblad, Sweden for reporting the cross domain
vulnerability using showHelp and for working with us to protect customers.
Support:
Microsoft Knowledge Base article 810847 discusses this issue and will be
available approximately 24 hours after the release of this bulletin.
Knowledge Base articles can be found on the Microsoft Online Support web
site.
Technical support is available from Microsoft Product Support Services. There
is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
V1.0 (February 5, 2003): Bulletin Created.
V1.1 (February 6, 2003): Revised to provide additional clarification on
installation platforms.
[***** End Microsoft Security Bulletin MS03-004 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-028: Vulnerabilities in SSH2 Implementations from Multiple Vendors
N-029: Microsoft Unchecked Buffer in Windows Shell Vulnerability
N-030: HP: Sendmail Restricted Shell (smrsh) Vulnerability
N-031: Buffer Overflows in ISC DHCPD Minires Library
N-032: Double-Free Bug in Concurrent Versions System (CVS) Server
N-033: Unchecked Buffer in Locator Service Vulnerability
N-034: Cumulative Patch for Microsoft Content Management Server
N-035: Microsoft V1 Exchange Server Security Certificates Vulnerability
N-036: Updated kerberos packages fix vulnerability in ftp client
N-037: Multiple Vulnerabilities in Old Releases of MIT Kerberos
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
