
Microsoft Cumulative Patch for Internet Explorer (CIAC N-038)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                Microsoft Cumulative Patch for Internet Explorer
                     [Microsoft Security Bulletin MS03-004]

February 6, 2003 18:00 GMT                                        Number N-038
______________________________________________________________________________
PROBLEM:       In addition to including the functionality of all previously
               released patches for Internet Explorer 5.01, 5.5 and 6.0, this
               patch also eliminates two newly discovered vulnerabilities
               involving Internet Explorer’s cross-domain security model.
PLATFORM:      Microsoft Internet Explorer 5.01, 5.5, and 6.0
DAMAGE:        An attacker could possibly run malicious script by misusing a
               dialog box and cause a script to access information in a
               different domain. In addition, this flaw could possibly also 
               enable an attacker to invoke an executable that was already 
               present on the local system.
SOLUTION:      Apply available patches.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. In order to exploit this flaw, an attacker
ASSESSMENT:    would have to host a malicious web site that contained a web
               page designed to exploit this particular vulnerability and then
               persuade a user to visit that site.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-038.shtml
 ORIGINAL BULLETIN:
                     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-004.asp
 PATCHES:
                     http://www.microsoft.com/windows/ie/downloads/critical/810847/default.asp
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS03-004 *****]

Microsoft Security Bulletin MS03-004  

Cumulative Patch for Internet Explorer (810847)
Originally posted: February 5, 2003

Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer. 

Impact of vulnerability: Allows an attacker to execute commands on a user's 
system. 

Maximum Severity Rating: Critical 

Recommendation: Customers should install the patch immediately. 

Affected Software: 

Microsoft Internet Explorer 5.01 
Microsoft Internet Explorer 5.5 
Microsoft Internet Explorer 6.0 

End User Bulletin: An end user version of this bulletin is available at: 
  http://www.microsoft.com/security/security_bulletins/ms03-004.asp 

Technical details

Technical description: 

This is a cumulative patch that includes the functionality of all previously 
released patches for IE 5.01, 5.5, 6.0. In addition, it eliminates two newly 
discovered vulnerabilities involving Internet Explorer’s cross-domain security 
model - which keeps windows of different domains from sharing information. 
These flaws exist because incomplete security checking causes Internet 
Explorer to allow one web site to access information from another domain 
when certain dialog boxes are used. 

In order to exploit this flaw, an attacker would have to host a malicious web 
site that contained a web page designed to exploit this particular vulnerability 
and then persuade a user to visit that site. Once the user has visited the 
malicious web site, it would be possible for the attacker to run malicious 
script by misusing a dialog box and cause that script to access information 
in a different domain. In the worst case, this could enable the web site 
operator to load malicious code onto a user's system. In addition, this flaw 
could also enable an attacker to invoke an executable that was already present 
on the local system. 

A related cross-domain vulnerability allows Internet Explorer’s showHelp() 
functionality to execute without proper security checking. showHelp() is one 
of the help methods used to display an HTML page containing help content. 
showHelp() allows more types of pluggable protocols than necessary, and this 
could potentially allow an attacker to access user information, invoke 
executables already present on a user’s local system or load malicious code 
onto a user’s local system. 

The requirements to exploit this vulnerability are the same as for the issue 
described above: an attacker would have to host and lure a user to a malicious 
web site. In this scenario, the attacker could open a showHelp window to a known 
local file on the visiting user’s local system and gain access to information 
from that file by sending a specially crafted URL to a second showHelp window. 
The attacker could also potentially access user information or run code of 
attacker’s choice. 

This cumulative patch will cause window.showHelp( ) to cease to function. When 
the latest HTML Help update - which is being released via Windows Update with 
this patch - is installed, window.showHelp( ) will function again, but with 
some limitations (see the caveats section later in this bulletin). This has 
been necessary in order to block the attack vector that might allow a web site 
operator to invoke an executable that was already present on a user’s local 
system. 

Mitigating factors: 

The attacker would have to host a web site that contained a web page used to 
exploit either of these cross-domain vulnerabilities. 

The attacker would have no way to force users to visit the site. Instead, the 
attacker would need to lure them there, typically by getting them to click on 
a link that would take them to the attacker's site. 

By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the 
Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in 
the Restricted Sites Zone if the Outlook Email Security Update has been 
installed. Customers who use any of these products would be at no risk from 
an e-mail borne attack that attempted to exploit this vulnerability unless 
the user clicked a malicious link in the email. 

Internet Explorer 5.01 users are not affected by the first vulnerability. 

Severity Rating: 
Internet Explorer 5.01 Critical  
Internet Explorer 5.5 Critical 
Internet Explorer 6.0 Critical 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: 

Improper Cross Domain Security Validation with dialog box CAN-2003-1326 
Improper Cross Domain Security Validation with ShowHelp functionality 
CAN-2003-1328 

Tested Versions:
Microsoft tested Internet Explorer 6.0, 5.5 and 5.01 to assess whether they 
are affected by this vulnerability. Previous versions are no longer supported 
and may or may not be affected by this vulnerability.


Patch availability
Download locations for this patch 

http://www.microsoft.com/windows/ie/downloads/critical/810847/default.asp 

Additional information about this patch

Installation platforms: 

The IE 5.01 patch can be installed on the following systems running IE 5.01 
Service Pack 3: Windows 2000 Service Pack 3. 

The IE 5.5 patch can be installed on the following systems running IE 5.5 
Service Pack 2: Windows Millennium 

The IE 6.0 patch can be installed on the following systems running IE 6.0 
Gold: Windows XP Gold. 

The IE 6.0 Service Pack 1 patch can be installed on the following systems 
running IE 6.0 Service Pack 1: Windows XP Service Pack 1, Windows 2000 Service 
Pack 3, Windows NT 4.0 Service Pack 6a, Windows Millennium or Windows 98. 

More information on Windows support lifecycles is available at 
http://www.microsoft.com/windows/lifecycle/desktop/business/components.mspx 

Inclusion in future service packs:
The fixes for the issues affecting Internet Explorer 6.0 will be included in 
Internet Explorer 6.0 Service Pack 2. 

Reboot needed: Yes 

Patch can be uninstalled: No 

Superseded patches:
This patch supersedes the ones provided in Microsoft Security Bulletin 
MS02-068 and MS02-066, which are also cumulative patches. 

Verifying patch installation: 

To verify that the patch has been installed, open IE, select Help, then select 
About Internet Explorer and confirm that Q810847 is listed in the Update 
Versions field. 

To verify the individual files, use the patch manifest provided in Knowledge 
Base article 810847. 

Caveats:
Users who apply this patch will not be able to use some HTML Help functionality. 
In order to restore that functionality, users need to download the updated 
HTML Help control (811630). Users should also note that when the latest version 
of HTML Help is installed, the following limitations will occur when a help 
file is opened with the showHelp method: 

Only supported protocols can be used with showHelp to open a web page or help 
(chm) file. 

The shortcut function supported by HTML Help will be disabled when the help 
file is opened with showHelp. This will not affect the shortcut functionality 
if the same CHM file is opened by the user manually by double-clicking on the 
help file, or through an application on the local system using the 
HTMLHELP( ) API. 
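The two checks the bulletin describes as missing or incomplete, a same-origin comparison between windows and a restriction of showHelp targets to supported protocols, as an added illustration (not code from Microsoft or from the CIAC bulletin). The allowed scheme set, the .chm-only rule for local files and the sample URLs are assumptions constructed for this example.

```javascript
// Added example, not from MS03-004: deny-by-default checks of the kind a
// patched showHelp() needs. Allowed schemes are an assumption for illustration.
const HELP_SCHEMES = new Set(["http:", "https:", "file:"]);

// Origin tuple (scheme, host, port) of a URL, or null when it does not parse.
// WHATWG parsing lower-cases scheme and host and drops default ports.
function originOf(rawUrl) {
  let u;
  try { u = new URL(String(rawUrl).trim()); } catch (e) { return null; }
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

// Two URLs are same-origin only when scheme, host and port all match;
// an unparsable URL is never considered same-origin with anything.
function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  if (!oa || !ob) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// May this target be opened in a help window? Unknown or unparsable URLs and
// script/pluggable schemes are refused; local files are limited to compiled
// help (.chm), so a path to an executable already on the system is rejected.
function isAllowedHelpTarget(rawUrl) {
  let u;
  try { u = new URL(String(rawUrl).trim()); } catch (e) { return false; }
  if (!HELP_SCHEMES.has(u.protocol)) return false;
  if (u.protocol === "file:") return /\.chm$/i.test(u.pathname);
  return true;
}

// A help window may only be scripted by content from the opener's own origin;
// the dialog-box flaw let content from a different domain do so.
function mayScriptHelpWindow(openerUrl, contentUrl) {
  return isAllowedHelpTarget(contentUrl) && sameOrigin(openerUrl, contentUrl);
}

// Constructed sample inputs.
console.log(isAllowedHelpTarget("HTTPS://Example.COM/help/index.htm")); // true
console.log(isAllowedHelpTarget("file:///C:/Windows/notepad.exe"));    // false
console.log(mayScriptHelpWindow("http://a.example/", "http://b.example/x.htm")); // false
```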

Localization:
Localized versions of this patch are available at the locations discussed in 
"Patch Availability". 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be 
most easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site.
 
Other information: 

Acknowledgments
Microsoft thanks Andreas Sandblad, Sweden, for reporting the cross domain 
vulnerability using showHelp and for working with us to protect customers.

Support: 

Microsoft Knowledge Base article 810847 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. 
Knowledge Base articles can be found on the Microsoft Online Support web 
site. 

Technical support is available from Microsoft Product Support Services. There 
is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, 
even if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions: 

V1.0 (February 5, 2003): Bulletin Created. 
V1.1 (February 6, 2003): Revised to provide additional clarification on 
                         installation platforms. 

[***** End Microsoft Security Bulletin MS03-004 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-028: Vulnerabilities in SSH2 Implementations from Multiple Vendors
N-029: Microsoft Unchecked Buffer in Windows Shell Vulnerability
N-030: HP: Sendmail Restricted Shell (smrsh) Vulnerability
N-031: Buffer Overflows in ISC DHCPD Minires Library
N-032: Double-Free Bug in Concurrent Versions System (CVS) Server
N-033: Unchecked Buffer in Locator Service Vulnerability
N-034: Cumulative Patch for Microsoft Content Management Server
N-035: Microsoft V1 Exchange Server Security Certificates Vulnerability
N-036: Updated kerberos packages fix vulnerability in ftp client
N-037: Multiple Vulnerabilities in Old Releases of MIT Kerberos
