
Microsoft Cumulative Patch for Internet Explorer (CIAC M-082)

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                Microsoft Cumulative Patch for Internet Explorer
                     [Microsoft Security Bulletin MS02-023]

May 23, 2002 21:00 GMT                                            Number M-082
______________________________________________________________________________
PROBLEM:       There are six new vulnerabilities in Internet Explorer.

               * Cross-Site Scripting in Local HTML Resource 
               * Local Information Disclosure through HTML object 
               * Script within Cookies Reading Cookies 
               * Zone Spoofing through Malformed Web Page 
               * Two "Content Disposition" Variants 

A description of each vulnerability, including the conditions under which it
is exploitable, is provided in Microsoft's security bulletin.

PLATFORM:      Internet Explorer 5.01, Internet Explorer 5.5, and Internet 
               Explorer 6.0. 
DAMAGE:        The aggregate severity rating is based on the types of systems 
               affected by the vulnerabilities, their deployment patterns, and 
               the effect that exploiting the vulnerabilities would have on 
               them. 
SOLUTION:      Apply appropriate patch for appropriate Internet Explorer 
               version as prescribed by Microsoft. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The most serious vulnerability may allow an 
ASSESSMENT:    attacker to run code of the attacker's choice. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-082.shtml 
 ORIGINAL BULLETIN:
   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-023 *****]
 
Microsoft Security Bulletin MS02-023


15 May 2002 Cumulative Patch for Internet Explorer (Q321232)
Originally posted: May 15, 2002

Summary
Who should read this bulletin: Customers using Microsoft® 
Internet Explorer 

Impact of vulnerability: Six new vulnerabilities, the most serious
of which could allow code of attacker's choice to run.

Maximum Severity Rating: Critical 

Recommendation: Consumers using the affected versions of IE should 
install the patch immediately. 

Affected Software: 

Microsoft Internet Explorer 5.01 
Microsoft Internet Explorer 5.5 
Microsoft Internet Explorer 6.0 

Technical details

Technical description: 

This is a cumulative patch that includes the functionality of all 
previously released patches for IE 5.01, 5.5 and 6.0. In addition, 
it eliminates the following six newly discovered vulnerabilities:


* A cross-site scripting vulnerability in a Local HTML Resource. IE ships 
with several files that contain HTML on the local file system to provide 
functionality. One of these files contains a cross-site scripting 
vulnerability that could allow a script to execute as if it were run by 
the user herself, causing it to run in the local computer zone. An attacker 
could craft a web page that exploits this vulnerability and then either 
host that page on a web server or send it as HTML email. When the web page 
was viewed and the attacker's script run, the attacker's script would be 
injected into the local resource, where it would run in the Local Computer 
zone, allowing it to run with fewer restrictions than it would in the 
Internet Zone.
* An information disclosure vulnerability related to the use of an HTML 
object that provides support for Cascading Style Sheets, which could allow an
attacker to read, but not add, delete or change, data on the local system. 
An attacker could craft a web page that exploits this vulnerability and then 
either host that page on a web server or send it as HTML email. When the page 
was viewed, the element would be invoked. Successfully exploiting this 
vulnerability, however, requires exact knowledge of the location of the 
intended file to be read on the user's system. Further, it requires that the 
intended file contain a single, particular ASCII character.
* An information disclosure vulnerability related to the handling of script 
within cookies that could allow one site to read the cookies of another. 
An attacker could build a special cookie containing script and then construct 
a web page that would deliver that cookie to the user's system and invoke it. 
He could then send that web page as mail or post it on a server. When the page 
executed and invoked the script in the cookie, it could potentially read or 
alter the cookies of another site. Successfully exploiting this, however, 
would require that the attacker know the exact name of the cookie as stored 
on the file system to be read successfully.
* A zone spoofing vulnerability that could allow a web page to be incorrectly 
reckoned to be in the Intranet zone or, in some very rare cases, in the 
Trusted Sites zone. An attacker could construct a web page that exploits this 
vulnerability and attempt to entice the user to visit the web page. If the 
attack were successful, the page would be run with fewer security restrictions 
than is appropriate.
* Two variants of the "Content Disposition" vulnerability discussed in 
Microsoft Security Bulletin MS01-058, affecting how IE handles downloads when a 
downloadable file's Content-Disposition and Content-Type headers are 
intentionally malformed. In such a case, it is possible for IE to believe that 
a file is of a type safe for automatic handling, when in fact it is executable 
content. An attacker could seek to exploit this vulnerability by constructing 
a specially malformed web page and posting a malformed executable file. He 
could then post the web page or mail it to the intended target. These two new 
variants differ from the original vulnerability in that, for a system to be 
vulnerable, it must have an application present that, when it is erroneously 
passed the malformed content, chooses to hand it back to the operating system 
rather than immediately raise an error. A successful attack, therefore, would 
require that the attacker know that the intended victim has one of these 
applications present on their system.
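The mismatch just described (a Content-Type that claims a type safe for automatic handling while the Content-Disposition names, or is syntactically bent toward, executable content) is exactly what a download gateway or mail filter can refuse at the edge. The following is an added example, not Microsoft's or CIAC's code; the extension and media-type lists and the sample responses are constructed assumptions for this example.

```python
import re

# Added example (not Microsoft's or CIAC's code); lists below are assumptions.
# Extensions Windows hands straight to the shell for execution.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js", "hta"}
# Media types a browser of that era would open without prompting.
AUTO_HANDLED_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg"}


def parse_content_disposition(value):
    """Split a Content-Disposition value into (type, filenames, problems).
    `problems` records syntax a strict parser should reject rather than repair:
    lenient repair is what lets a filter and a browser read one header differently."""
    problems = []
    if re.search(r"[\x00-\x1f\x7f]", value):
        problems.append("control character in header")
    parts = [p.strip() for p in value.split(";")]
    disp_type = parts[0].lower()
    if disp_type not in ("attachment", "inline"):
        problems.append("unknown disposition type %r" % disp_type)
    filenames = []
    for param in parts[1:]:
        name, sep, val = param.partition("=")
        if not sep or name.strip().lower() != "filename":
            continue
        val = val.strip()
        if val.startswith('"') and (len(val) < 2 or not val.endswith('"')):
            problems.append("unterminated quoted filename")
        val = val.strip('"')
        if re.search(r"[\\/]", val):
            problems.append("path separator in filename %r" % val)
        filenames.append(val)
    if len(filenames) > 1:
        problems.append("multiple filename parameters")
    return disp_type, filenames, problems


def extension(filename):
    """Last extension, after stripping whitespace: 'a.txt.exe ' -> 'exe'."""
    name = filename.strip()
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_download(headers):
    """Return the findings for one response's headers ([] means clean)."""
    lower = {k.lower(): v for k, v in headers.items()}
    disposition = lower.get("content-disposition")
    if disposition is None:
        return []
    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    disp_type, filenames, findings = parse_content_disposition(disposition)
    for fname in filenames:
        ext = extension(fname)
        if ext in EXECUTABLE_EXTS and ctype in AUTO_HANDLED_TYPES:
            findings.append("executable %r served as auto-handled %r" % (fname, ctype))
        elif ext in EXECUTABLE_EXTS and disp_type == "inline":
            findings.append("executable %r with inline disposition" % fname)
    return findings


def verdict(headers):
    """Gateway policy: any finding blocks the download."""
    return "block" if check_download(headers) else "allow"


# Constructed sample responses (not taken from the bulletin).
SAMPLES = {
    "benign": {"Content-Type": "text/plain",
               "Content-Disposition": 'attachment; filename="notes.txt"'},
    "mismatch": {"Content-Type": "text/plain",
                 "Content-Disposition": 'inline; filename="report.txt.exe"'},
    "malformed": {"Content-Type": "image/gif",
                  "Content-Disposition": 'attachment; filename="a.gif"; filename=b.exe'},
}
```

Note that the check deliberately considers every filename parameter present, because which one a given client honours is exactly the ambiguity a malformed header trades on.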

Finally, it introduces a behavior change to the Restricted Sites zone. 
Specifically, it disables frames in the Restricted Sites zone. Since 
Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email 
Security Update, and Outlook 2002 all read email in the Restricted Sites zone 
by default, this enhancement means that those products now effectively 
disable frames in HTML email by default. This new behavior makes it impossible 
for an HTML email to automatically open a new window or to launch the download 
of an executable.

Mitigating factors: 

Cross-Site Scripting in Local HTML Resource:


* Outlook 98 and 2000 (after installing the Outlook Email Security Update), 
Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted 
Sites Zone. As a result, customers using these products would not be at risk
from automated email-borne attacks. However, these customers can still be 
attacked if they choose to click on a hyperlink in a malicious HTML email.
* Customers using Outlook 2002 SP1 who have enabled the "Read as Plain Text" 
feature would be immune from the HTML email attack. This is because this 
feature disables all HTML elements, including scripting, from mail when it 
is displayed.
* Any limitations on the rights of the user's account would also limit the 
actions of the attacker's script.
* Customers who exercise caution in what web sites they visit or who place 
unknown or untrusted sites in the Restricted Sites zone can potentially 
protect themselves from attempts to exploit this issue on the web.

Local Information Disclosure through HTML Object: 


* It can only be used to read information. It cannot add, change or delete 
any information.
* The attacker would need to know the exact name and location on the system 
of any file they attempted to read.
* Only files that contained a particular, individual ASCII character could 
be read. If this single character is not present, the attempt to read the 
file would fail.
* Outlook 98 and 2000 (after installing the Outlook Email Security Update), 
Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted 
Sites Zone. As a result, customers using these products would not be at risk 
from automated email-borne attacks. However, these customers can still be 
attacked if they choose to click on a hyperlink in a malicious HTML email.
* Customers using Outlook 2002 SP1 who have enabled the "Read as Plain Text" 
feature would be immune from the HTML email attack. This is because this 
feature disables all HTML elements, including scripting, from mail when it 
is displayed.

Script within Cookies Reading Cookies: 


* The specific information an attacker could access would depend on what 
information a site has chosen to store in its cookies. Best practices 
strongly recommend against storing sensitive information in cookies.
* Mounting a successful attack requires that the attacker know the exact 
name and location of the target cookie. This vulnerability provides no 
means for an attacker to acquire that information.
* Outlook 98 and 2000 (after installing the Outlook Email Security Update),
Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted 
Sites Zone. As a result, customers using these products would not be at 
risk from automated email-borne attacks. However, these customers can 
still be attacked if they choose to click on a hyperlink in a malicious 
HTML email.
* Customers using Outlook 2002 SP1 who have enabled the "Read as Plain Text" 
feature would be immune from the HTML email attack. This is because this 
feature disables all HTML elements, including scripting, from mail when it 
is displayed.

Zone Spoofing through Malformed Web Page: 


* A successful attack would require NetBIOS connectivity between the user and 
the attacker's site. Any filtering of NetBIOS, such as that done by ISPs or 
at the firewall perimeter, would thwart attempts to exploit this 
vulnerability.
* Any attempt to render a web site in the Trusted Sites zone would require 
very specific knowledge of custom configuration made by the user. This aspect 
of the vulnerability is not exploitable by default, nor does the 
vulnerability give the means to acquire the necessary information for that 
attack.

New Variants of the "Content Disposition" Vulnerability:


* Any successful attempt to exploit this vulnerability requires that the 
attacker know that the intended target has specific versions of specific 
applications on their system. The vulnerability gives no means for an attacker
to learn what applications or versions are present on the system. 
* Any attempt to exploit the vulnerability requires that the attacker host a 
malicious executable on a server accessible to the intended victim. If the 
hosting server is unreachable for any reason, such as DNS blocking or the 
server being taken down, the attack would fail.

Severity Rating:

Cross-Site Scripting in Local HTML Resource:

                         Internet Servers   Intranet Servers   Client Systems
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Internet Explorer 5.01   None               None               None
Internet Explorer 5.5    None               None               None
Internet Explorer 6.0    Moderate           Moderate           Critical
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Local Information Disclosure through HTML Object:

                         Internet Servers   Intranet Servers   Client Systems
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Internet Explorer 5.01   Moderate           Moderate           Critical
Internet Explorer 5.5    Moderate           Moderate           Critical
Internet Explorer 6.0    Moderate           Moderate           Critical
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Script within Cookies Reading Cookies:

                         Internet Servers   Intranet Servers   Client Systems
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Internet Explorer 5.01   None               None               None
Internet Explorer 5.5    Moderate           Moderate           Critical
Internet Explorer 6.0    Moderate           Moderate           Critical
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Zone Spoofing through Malformed Web Page:

                         Internet Servers   Intranet Servers   Client Systems
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Internet Explorer 5.01   Low                Low                Low
Internet Explorer 5.5    Low                Low                Low
Internet Explorer 6.0    Low                Low                Low
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

New Variants of the "Content Disposition" Vulnerability:

                         Internet Servers   Intranet Servers   Client Systems
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Internet Explorer 5.01   Moderate           Moderate           Moderate
Internet Explorer 5.5    None               None               None
Internet Explorer 6.0    Moderate           Moderate           Moderate
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Aggregate severity of all vulnerabilities eliminated by patch:

                         Internet Servers   Intranet Servers   Client Systems
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Internet Explorer 5.01   Critical           Critical           Critical
Internet Explorer 5.5    Critical           Critical           Critical
Internet Explorer 6.0    Critical           Critical           Critical
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. The personal information disclosure vulnerabilities are most 
likely to affect client systems, based on usage patterns. The variants of the 
"Content Disposition" vulnerability require knowledge of the software installed on a 
system by the user. The Zone Spoofing vulnerability requires NetBIOS access, which is 
commonly blocked at the perimeter firewall and by ISPs. The aggregate severity 
includes the severity of vulnerabilities announced in previously released security 
bulletins.

Vulnerability identifiers:


* Cross-Site Scripting in Local HTML Resource: CAN-2002-0189
* Local Information Disclosure through HTML object: CAN-2002-0191 
* Script within Cookies Reading Cookies: CAN-2002-0192 
* Zone Spoofing through Malformed Web Page: CAN-2002-0190 
* "Content Disposition" Variants: CAN-2002-0193, CAN-2002-0188

Tested Versions:
The following table indicates which of the currently supported versions of Internet 
Explorer are affected by the vulnerabilities. Versions of IE prior to 5.01 Service 
Pack 2 are no longer eligible for hotfix support. IE 5.01 SP2 is supported only via 
Windows® 2000 Service Packs and Security Roll-up Packages and on Windows NT® 4.0.

                                          IE 5.01 SP2  IE 5.5 SP1  IE 5.5 SP2  IE 6.0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Cross-Site Scripting in Local HTML
Resource (CAN-2002-0189)                  No           No          No          Yes

Local Information Disclosure through
HTML Object (CAN-2002-0191)               Yes          Yes         Yes         Yes

Script within Cookies Reading Cookies
(CAN-2002-0192)                           No           Yes         Yes         Yes

Zone Spoofing through Malformed Web
Page (CAN-2002-0190)                      Yes          Yes         Yes         Yes

New Variants of the "Content Disposition"
Vulnerability (CAN-2002-0193 and
CAN-2002-0188)                            Yes          No          No          Yes
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Patch availability

Download locations for this patch

* http://www.microsoft.com/windows/ie/downloads/critical/Q321232/default.asp

Additional information about this patch

Installation platforms: 

* The IE 5.01 patch can be applied to Windows 2000 Systems with Service Pack 2 or 
Windows NT 4.0 systems with Service Pack 6a.
* The IE 5.5 patch can be installed on systems running IE 5.5 Service Pack 1 or 
Service Pack 2.
* The IE 6.0 patch can be installed on systems running IE 6.0 Gold.

Inclusion in future service packs:

* The fixes for these issues will be included in IE 6.0 Service Pack 1. 
* The fixes for the issues affecting IE 5.01 Service Pack 2 will be included in 
Windows 2000 Service Pack 3.

Reboot needed:
Yes

Superseded patches:

* This patch supersedes the one provided in Microsoft Security Bulletin MS02-015, 
which is itself a cumulative patch.

Verifying patch installation:

* To verify that the patch has been installed on the machine, open IE, select Help,
then select About Internet Explorer and confirm that Q321232 is listed in the 
Update Versions field.
* To verify the individual files, use the patch manifest provided in Knowledge 
Base article Q321232.

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in 
"Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following locations:

* Security patches are available from the Microsoft Download Center, and can be 
most easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site. 
* All patches available via WindowsUpdate also are available in a redistributable 
form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments

Microsoft thanks the following people for working with us to protect customers:

* Jani Laatikainen (jani@laatikainen.net) for reporting one of the 
"Content Disposition" variants.
* Yuu Arai of LAC SNS Team (http://www.lac.co.jp/security/) for reporting one of the 
"Content Disposition" variants.
* Cristobal Bielza Lino and Juan Carlos G. Cuartango from Instituto Seguridad Internet 
(www.instisec.com) for reporting the Zone Spoofing through Malformed Web Page 
vulnerability.

Support: 

* Microsoft Knowledge Base article Q321232 discusses this issue and will be available 
approximately 24 hours after the release of this bulletin. Knowledge Base articles can 
be found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product Support Services. There is no 
charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products.

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. 
In no event shall Microsoft Corporation or its suppliers be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, loss of 
business profits or special damages, even if Microsoft Corporation or its suppliers 
have been advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply.

Revisions:

* V1.0 (May 15, 2002): Bulletin Created.
* V1.1 (May 16, 2002): Bulletin updated to correct erroneous information regarding 
attack vectors for the Cross-Site Scripting in Local HTML Resource and Script within 
Cookies Reading Cookies vulnerabilities and the capabilities of locally run scripts.

[***** End Microsoft Security Bulletin MS02-023 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-072: FreeBSD stdio File Descriptors Vulnerability
M-073: Microsoft Outlook E-mail Editor Vulnerability
M-074: SGI IRIX cpr Vulnerability
M-075: HP Security Vulnerability in MPE/iX FTPSRVR
M-076: SGI IRIX nsd symlink Vulnerability
M-077: SGI IRIX Xlib Vulnerability
M-078: Sun Heap Overflow in Cachefs Daemon (cachefsd)
M-079: Format String Vulnerability in ISC DHCPD
M-080: SGI IRIX fsr_xfs Vulnerability
M-081: SSHD "AllowedAuthentications" Vulnerability

