
Internet Explorer, Cumulative Vulnerabilities Patch

CIAC INFORMATION BULLETIN

M-016: Internet Explorer, Cumulative Vulnerabilities Patch

[Microsoft Security Bulletin MS01-055]

November 15, 2001 15:00 GMT

PROBLEM: Microsoft has released a cumulative patch for all known vulnerabilities in Internet Explorer 5.5 SP2 and 6.0, including three new ones. Two of the new vulnerabilities could allow a malicious user to potentially craft a URL that would allow them to gain unauthorized access to a user's cookies and potentially modify the values contained in them. The third new vulnerability involves how IE handles URLs that include dotless IP addresses.
PLATFORM: Microsoft Internet Explorer 5.5 SP2 and 6.0
DAMAGE: Access to the information in a user's cookies could expose personal data including login strings to websites that allow automatic logins. Internet zone spoofing could allow a malicious site to operate in the Intranet zone instead of the Internet zone. The Intranet zone has fewer security restrictions than the Internet zone.
SOLUTION: Apply available patch.

VULNERABILITY ASSESSMENT: The risk is MEDIUM. Access to cookies could allow personal information to be compromised, including giving an intruder the ability to log in as the user to sites that allow automatic logins.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-016.shtml
  ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp
  PATCHES: http://www.microsoft.com/windows/ie/downloads/critical/q312461/default.asp

[***** Start Microsoft Security Bulletin MS01-055 *****]




13 November 2001 Cumulative Patch for IE

Originally posted: November 08, 2001

Updated: November 13, 2001



Summary

Who should read this bulletin: Customers using Microsoft® Internet Explorer 



Impact of vulnerability: Exposure and altering of data in cookies. 



Maximum Severity Rating: Moderate 



Recommendation: Customers running Internet Explorer 5.5 or 6.0 should apply the patch. 



Affected Software: 



Microsoft Internet Explorer 5.5 

Microsoft Internet Explorer 6.0 



 

Technical details



Technical description: 



On November 08, 2001, Microsoft released the original version of this bulletin. In it, we detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability. On November 13, 2001, we released a patch that, when applied, eliminates all known vulnerabilities affecting IE 5.5 and IE 6. We therefore expanded the scope of the bulletin to discuss all of the vulnerabilities the patch addresses. Customers who disabled Active Scripting per the original version of this bulletin can re-enable it after installing this patch.

In addition to eliminating all previously discussed vulnerabilities affecting IE 5.5 Service Pack 2 and IE 6, the patch also eliminates three newly discovered ones:



The first two involve how IE handles cookies across domains. Although the underlying flaws are completely unrelated, the scope is exactly the same in each case: a malicious user could potentially craft a URL that would allow them to gain unauthorized access to a user's cookies and potentially modify the values contained in them. Because some web sites store sensitive information in a user's cookies, this could allow personal information to be compromised. Both vulnerabilities could be exploited either by hosting specially crafted URLs on a web page or by sending them to the victim in an HTML email.



The third vulnerability is a new variant of a vulnerability discussed in Microsoft Security Bulletin MS01-051 affecting how IE handles URLs that include dotless IP addresses. If a web site were specified using a dotless IP format (e.g., http://031713501415 rather than http://207.46.131.13), and the request were malformed in a particular way, IE would not recognize that the site was an Internet site. Instead, it would treat the site as an intranet site, and open pages on the site in the Intranet Zone rather than the correct zone. This would allow the site to run with fewer security restrictions than appropriate. This vulnerability does not affect IE 6.
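
Added example, not part of the Microsoft or CIAC bulletin: a Python check, of the kind a URL filter or proxy-log review might apply, that normalizes dotless numeric hosts (octal, decimal or hex) to dotted-quad form and flags those that denote a public Internet address. The function names and sample URLs are constructed for illustration, and the check does not model the malformed request the bulletin mentions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# inet_aton-style single-number forms: hex (0x...), octal (leading 0), decimal.
_DOTLESS = re.compile(r"^(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def dotless_to_ip(host):
    """Return the IPv4Address a dotless numeric host denotes, else None."""
    if not host or not _DOTLESS.match(host):
        return None
    if host.lower().startswith("0x"):
        value = int(host, 16)
    elif host.startswith("0") and len(host) > 1:
        value = int(host, 8)
    else:
        value = int(host, 10)
    if value > 0xFFFFFFFF:  # does not fit in a 32-bit IPv4 address
        return None
    return ipaddress.IPv4Address(value)


def check_url(url):
    """Classify one URL: (host, normalized_ip or None, suspicious)."""
    host = urlsplit(url).hostname
    ip = dotless_to_ip(host)
    # Suspicious: the host has no dots (so it resembles an intranet name)
    # but actually denotes a publicly routable Internet address.
    suspicious = ip is not None and ip.is_global
    return host, (str(ip) if ip is not None else None), suspicious


# Constructed sample URLs, e.g. as they might appear in a proxy log.
SAMPLE_URLS = [
    "http://031713501415/",         # octal form quoted in the bulletin
    "http://3475931917/index.htm",  # decimal form of the same address
    "http://0xCF2E830D/",           # hex form of the same address
    "http://207.46.131.13/",        # ordinary dotted quad
    "http://intranet/home",         # genuine dotless intranet name
    "http://167772161/",            # dotless form of 10.0.0.1 (private)
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, check_url(u))
```
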





Mitigating factors:

Cookie Handling Vulnerabilities: 



To exploit either vulnerability, the attacker would need to entice the user into visiting a particular web site or opening an HTML e-mail containing the malformed URL.

The Outlook Email Security Update (which is included as part of Outlook 2002 in Office XP) would protect the user against the mail-borne attack scenario.

Users who have set Outlook Express to use the "Restricted Sites" Zone are not affected by the mail-borne attack scenario, because the "Restricted Sites" zone sets Active Scripting to disabled. Note that this is the default setting for Outlook Express 6.0. Users of Outlook Express 6.0 should verify that Active Scripting is still disabled in the Restricted Sites Zone.





Zone Spoofing Vulnerability: 



The default settings in the Intranet Zone differ in only a few ways from those of the Internet Zone. The differences are enumerated in the FAQ in MS01-051, but none would allow destructive action to be taken.





Severity Rating:



Cookie handling vulnerabilities:

                         Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5    Moderate           Moderate           Moderate
Internet Explorer 6.0    Moderate           Moderate           Moderate

Zone Spoofing Vulnerability variant:

                         Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5    Moderate           Moderate           Moderate

Aggregate severity of all vulnerabilities eliminated by patch:

                         Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5    Moderate           Moderate           Moderate
Internet Explorer 6.0    Moderate           Moderate           Moderate



The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. In the case of the cookie handling vulnerabilities, the attack scenarios either could be prevented or would require user action in order to succeed. In the case of the Zone Spoofing vulnerability, even a successful attack would not allow any significant change in privileges under default conditions.





Vulnerability identifiers:

First Cookie Handling Vulnerability: CAN-2001-0722 



Second Cookie Handling Vulnerability: CAN-2001-0723 



Zone Spoofing Vulnerability variant: CAN-2001-0724 



Tested Versions:

Microsoft tested Internet Explorer 5.5 and 6.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.







Patch availability

Download locations for this patch 

Microsoft Internet Explorer 5.5 and 6.0:

http://www.microsoft.com/windows/ie/downloads/critical/q312461/default.asp 



 

Additional information about this patch

Installation platforms: 



The IE 5.5 patch can be installed on IE 5.5 Service Pack 2. 



The IE 6 patch can be installed on IE 6 Gold. 





Inclusion in future service packs:



The fix for these issues will be included in IE 5.5 Service Pack 3, and IE 6 Service Pack 1.





Reboot needed: Yes 



Superseded patches: MS01-051. 



Verifying patch installation: 



To verify that the patch has been installed on the machine, open IE, select Help, then select About Internet Explorer and confirm that Q312461 is listed in the Update Versions field.

To verify the individual files, use the patch manifest provided in Knowledge Base article Q312461.





Caveats:

None 





Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".





Obtaining other security patches: 

Patches for other security issues are available from the following locations: 



Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".

Patches for consumer platforms are available from the WindowsUpdate web site.

All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site.





Other information: 



Acknowledgments

Microsoft thanks Marc Slemko for reporting one of the cookie handling issues to us and working with us to protect customers.







Support: 



Microsoft Knowledge Base article Q312461 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.

Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.



Disclaimer: 

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.







Revisions: 





V1.0 (November 08, 2001): Bulletin Created. 

V2.0 (November 13, 2001): Bulletin updated with patch information and to discuss the inclusion of fixes for an additional cookie handling vulnerability and a variant of the zone spoofing issue.




[***** End Microsoft Security Bulletin MS01-055 *****]

CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)

    FAX:            +1 925-423-8002

    STU-III:        +1 925-423-2604

    E-mail:          ciac@llnl.gov

    World Wide Web:  http://www.ciac.org/

                     http://ciac.llnl.gov

                     (same machine -- either one will work)

    Anonymous FTP:   ftp.ciac.org

                     ciac.llnl.gov

                     (same machine -- either one will work)


This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788