
Microsoft Internet Explorer Cumulative Patch


[CIAC] INFORMATION BULLETIN

M-041: Microsoft Internet Explorer Cumulative Patch

[Microsoft Security Bulletin MS02-005]

February 12, 2002 18:00 GMT
  ------------------------------------------------------------------------
 PROBLEM:           Six vulnerabilities have been found in Internet
                    Explorer, the most serious of which allows an intruder
                    to remotely run code on another user's system.
 PLATFORM:          Windows platforms with Internet Explorer 5.01 SP2, 5.5
                    SP1 and SP2, or 6.0.
 DAMAGE:            Depending on the vulnerability, an intruder can read
                    or execute files on a client system and possibly get
                    remote access to the system.
 SOLUTION:          Apply the 11 February 2002 Cumulative Patch for
                    Internet Explorer, available from the Microsoft Windows
                    Update web site.
  ------------------------------------------------------------------------
 VULNERABILITY      The risk is HIGH. Remote users can run code on a
 ASSESSMENT:        client's system and possibly get user access on that
                    system.
  ------------------------------------------------------------------------

 LINKS:
   CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-041.shtml
   ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-005.asp
   PATCHES:            http://windowsupdate.microsoft.com
  ------------------------------------------------------------------------

[***** Start Microsoft Security Bulletin MS02-005 *****]

Microsoft Security Bulletin MS02-005

11 February 2002 Cumulative Patch for Internet Explorer
Originally posted: February 11, 2002

Summary

        Who should read this bulletin: Customers using Microsoft(r) Internet
        Explorer

        Impact of vulnerability: Six vulnerabilities, the most serious of which
        could allow an attacker to run code on another user's system.

        Maximum Severity Rating: Critical

        Recommendation: Customers using an affected version of IE should install
        the patch immediately.

        Affected Software:
                Microsoft Internet Explorer 5.01
                Microsoft Internet Explorer 5.5
                Microsoft Internet Explorer 6.0

Technical details

        Technical description:

        This is a cumulative patch that, when installed, eliminates all previously
        discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6. In
        addition, it eliminates the following six newly discovered
        vulnerabilities:

        A buffer overrun vulnerability associated with an HTML directive that's
        used to incorporate a document within a web page. By creating a web page
        that invokes the directive using specially selected attributes, an
        attacker could cause code to run on the user's system.

        A vulnerability associated with the GetObject scripting function. Before
        providing a handle to an operating system object, GetObject performs a
        series of security checks to ensure that the caller has sufficient
        privileges to it. However, by requesting a handle to a file using a
        specially malformed representation, it would be possible to bypass some
        of these checks, thereby allowing a web page to complete an operation
        that should be prevented, namely, reading files on the computer of a
        visiting user's system.

        A vulnerability related to the display of file names in the File
        Download dialogue box. When a file download from a web site is
        initiated, a dialogue provides the name of the file and lets the user
        choose what action to take. However, a flaw exists in the way HTML
        header fields (specifically, the Content-Disposition and Content-Type
        fields) are handled. This flaw could make it possible for an attacker to
        misrepresent the name of the file in the dialogue, in an attempt to
        trick a user into opening or saving an unsafe file.

        A vulnerability that could allow a web page to open a file on the web
        site, using any application installed on a user's system. By design, IE
        should only open a file on a web site using the application that's
        registered to that type of file, and even then only if it's on a list of
        safe applications. However, through a flaw in the handling of the
        Content-Type HTML header field, an attacker could circumvent this
        restriction, and specify the application that should be invoked to
        process a particular file. IE would comply, even if the application was
        listed as unsafe.
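The two issues just described (file-name spoofing through the Content-Type and Content-Disposition fields, and application invocation through the Content-Type field) both come down to the client trusting what a server says about a download. As an added example, not code from the bulletin or from Microsoft, the following Python audit shows the checks a gateway or proxy can apply to those response headers before a File Download dialogue ever sees them: the Content-Type must be a media type rather than anything a client might interpret as an application, the file name must be a bare printable name, and the name's extension must agree with the declared type. The media-type table, the executable-extension list and the sample responses are constructed for illustration.

```python
"""Audit of the response headers that drive a browser's File Download dialogue.

Added example, not from MS02-005 or Microsoft. The mapping tables and the
sample responses at the bottom are constructed for illustration.
"""
import os
import re

# Media types and the extensions they legitimately carry (constructed table;
# a real gateway would load a much larger one).
EXPECTED_EXT = {
    "text/plain": {".txt"},
    "text/html": {".htm", ".html"},
    "image/gif": {".gif"},
    "image/jpeg": {".jpg", ".jpeg"},
    "application/pdf": {".pdf"},
    "application/zip": {".zip"},
    "application/octet-stream": set(),  # makes no claim about the extension
}

# Extensions the shell executes rather than displays.
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                  ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk"}

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# ; name=token  or  ; name="quoted string with \-escapes"
_PARAM = re.compile(r';\s*(' + _TOKEN + r')\s*=\s*("((?:[^"\\]|\\.)*)"|' + _TOKEN + r')')
_MEDIA_TYPE = re.compile(r"[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+")


def parse_header(value):
    """Split 'head; k=v; k2="quoted v"' into (lower-cased head, {param: value})."""
    value = value.strip()
    idx = value.find(";")
    if idx < 0:
        return value.lower(), {}
    params = {}
    for m in _PARAM.finditer(value[idx:]):
        raw = m.group(2)
        # Quoted strings may carry backslash-escaped characters; unescape them.
        val = re.sub(r"\\(.)", r"\1", m.group(3)) if raw.startswith('"') else raw
        params[m.group(1).lower()] = val
    return value[:idx].strip().lower(), params


def audit_download_headers(headers):
    """Return a list of findings for one response; empty when the headers look honest."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype, cparams = parse_header(h.get("content-type", ""))
    _disp, dparams = parse_header(h.get("content-disposition", ""))
    findings = []

    # The Content-Type must name a media type. Anything else is rejected here
    # rather than left for a client to interpret as an application to launch.
    if ctype and not _MEDIA_TYPE.fullmatch(ctype):
        findings.append("content-type is not a type/subtype media type: %r" % ctype)

    filename = dparams.get("filename")
    alt_name = cparams.get("name")  # legacy name= parameter on Content-Type
    if filename is None:
        filename = alt_name
    elif alt_name is not None and alt_name != filename:
        findings.append("content-type name= and content-disposition filename= disagree")

    if filename is not None:
        if any(ord(ch) < 32 or ord(ch) == 127 for ch in filename):
            findings.append("filename contains control characters")
        if re.search(r"[/\\:]", filename):
            findings.append("filename contains path separators")
        if "   " in filename:  # runs of blanks push the real extension out of view
            findings.append("filename contains padding whitespace")
        ext = os.path.splitext(filename.rstrip())[1].lower()
        expected = EXPECTED_EXT.get(ctype)
        if ext in EXECUTABLE_EXT and expected:
            findings.append("executable extension %s declared as %s" % (ext, ctype))
        elif expected and ext not in expected:
            findings.append("extension %r does not match content-type %s" % (ext, ctype))
    return findings


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    samples = [
        {"Content-Type": "text/plain", "Content-Disposition": 'attachment; filename="readme.txt"'},
        {"Content-Type": "image/gif", "Content-Disposition": 'attachment; filename="picture.gif.exe"'},
        {"Content-Type": "download", "Content-Disposition": 'attachment; filename="readme.txt"'},
    ]
    for hdrs in samples:
        print(hdrs["Content-Disposition"], "->", audit_download_headers(hdrs) or "ok")
```

The audit is deliberately strict about the Content-Type syntax: a value that is not `type/subtype` is reported even when the file name is innocuous, because it is the client's interpretation of an unexpected value, not the value itself, that the bulletin warns about.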

        A vulnerability that could enable a web page to run a script even if the
        user has disabled scripting. IE checks for the presence of scripts when
        initially rendering a page. However, the capability exists for objects
        on a page to respond to asynchronous events; by misusing this capability
        in a particular way, it could be possible for a web page to fire a
        script after the page has passed the initial security checks.

        A newly discovered variant of the "Frame Domain Verification"
        vulnerability discussed in Microsoft Security Bulletin MS01-058. The
        vulnerability could enable a malicious web site operator to open two
        browser windows, one in the web site's domain and the other on the
        user's local file system, and to use the Document.open function to pass
        information from the latter to the former. This could enable the web
        site operator to read, but not change, any file on the user's local
        computer that could be opened in a browser window. In addition, this
        could be used to misrepresent the URL in the address bar in a window
        opened from their site.

Mitigating factors:

Buffer Overrun in HTML Directive:

        The vulnerability could not be exploited if the "Run ActiveX Controls
        and Plugins" security option were disabled in the Security Zone in which
        the page was rendered. This is the default condition in the Restricted
        Sites Zone, and can be disabled manually in any other Zone.

        Outlook 98 and 2000 (after installing the Outlook Email Security
        Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the
        Restricted Sites Zone. As a result, customers using these products would
        not be at risk from email-borne attacks.

        The buffer overrun would allow code to run in the security context of
        the user rather than the system. The specific privileges the attacker
        could gain through this vulnerability would therefore depend on the
        privileges accorded to the user.

File Reading via GetObject function:

        This vulnerability could only be used to read files. It could not be
        used to create, change, delete, or execute them.

        The attacker would need to know the name and location of the file on the
        user's computer.

        Some files that would be of interest to an attacker - most notably, the
        SAM Database - are locked by the operating system and therefore could
        not be read even using this vulnerability.

        The email-borne attack scenario would be blocked if the user were using
        any of the following: Outlook 98 or 2000 with the Outlook Email Security
        Update installed; Outlook 2002; or Outlook Express 6.

        The web-based attack scenario could be blocked by judicious use of the
        IE Security Zones mechanism such as using the Restricted Sites zone.

File Download Dialogue Spoofing via Content-Type and Content-Disposition fields:

        Exploiting this vulnerability would not give an attacker the ability to
        force code to run on a user's system. It would only enable the attacker
        to misrepresent the file name and type in the File Download dialogue.
        The download operation would not occur without the user's approval, and
        the user could cancel at any time.

        The vulnerability could not be exploited if File Downloads have been
        disabled in the Security Zone in which the e-mail is rendered. This is
        not a default setting in any zone, however.

        On versions of IE prior to 6.0, the default selection in the file
        download dialogue is to save, rather than open, the file. (In IE 6.0,
        the default is to open the file; however, this behavior is
        inappropriate, and the patch changes IE 6.0 to conform with the behavior
        of previous versions).

Application invocation via Content-Type field:

        An attacker could only exploit this vulnerability if the application
        specified through the Content-Type field was actually installed on the
        user's system.

        The vulnerability does not provide any way for the attacker to inventory
        the applications installed on the user's system and select one, nor does
        it provide any way to force the user to install a particular
        application.

        The vulnerability would not provide any way to circumvent the security
        features of the application or to reconfigure it.

        Outlook 2002 users who have configured Outlook to render HTML mail as
        plaintext would be at no risk from attack through HTML mail.

Script execution:

        This vulnerability extends only to allowing scripts to run - it does not
        allow any other security restrictions to be bypassed. So, for instance,
        although an attacker could use this vulnerability to run a script, the
        script would still be subject to all other expected security settings.

Frame Domain Verification Variant via Document.Open function:

        The vulnerability could only be used to view files. It could not be used
        to create, delete, modify or execute them.

        The vulnerability would only allow an attacker to read files that can be
        opened in a browser window, such as image files, HTML files and text
        files. Other file types, such as binary files, executable files, Word
        documents, and so forth, could not be read.

        The attacker would need to specify the exact name and location of the
        file in order to read it.

Severity Rating:

Buffer Overrun in HTML Directive:

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    None               None               None
Internet Explorer 5.5     Critical           Critical           Critical
Internet Explorer 6.0     Critical           Critical           Critical


File Reading via GetObject function:

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    Moderate           Moderate           Critical
Internet Explorer 5.5     Moderate           Moderate           Critical
Internet Explorer 6.0     Moderate           Moderate           Critical


File Download Dialogue Spoofing via Content-Type and Content-ID fields:

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    Moderate           Moderate           Moderate
Internet Explorer 5.5     Moderate           Moderate           Moderate
Internet Explorer 6.0     Moderate           Moderate           Moderate


Application Invocation via Content-Type field:

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    Moderate           Moderate           Moderate
Internet Explorer 5.5     Moderate           Moderate           Moderate
Internet Explorer 6.0     Moderate           Moderate           Moderate


Script Execution:

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    None               None               None
Internet Explorer 5.5     Moderate           Moderate           Moderate
Internet Explorer 6.0     Moderate           Moderate           Moderate


Frame Domain Verification Variant via Document.open function:

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    None               None               None
Internet Explorer 5.5     Moderate           Moderate           Critical
Internet Explorer 6.0     Moderate           Moderate           Critical


Aggregate severity of all vulnerabilities eliminated by patch:

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    Moderate           Moderate           Critical
Internet Explorer 5.5     Critical           Critical           Critical
Internet Explorer 6.0     Critical           Critical           Critical

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier:

        Buffer overrun: CAN-2002-0022

        File reading via GetObject function: CAN-2002-0023

        File download spoofing via Content-Type and Content-ID fields:
        CAN-2002-0024

        Application Invocation via Content-Type field: CAN-2002-0025

        Script execution: CAN-2002-0026

        Frame Domain Verification Variant via Document.open function:
        CAN-2002-0027

Patch availability

Download locations for this patch
http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp

 Additional information about this patch

Installation platforms:

        The IE 5.01 patch can be applied to Windows 2000 Systems with Service
        Pack 2 running IE 5.01.

        The IE 5.5 patch can be installed on systems running IE 5.5 Service Pack
        1 or Service Pack 2.

        The IE 6.0 patch can be installed on systems running IE 6.0 Gold.

Inclusion in future service packs:

        The fixes for these issues will be included in IE 6.0 Service Pack 1.

        The fixes for the issues affecting IE 5.01 Service Pack 2 will be
        included in Windows 2000 Service Pack 3.

Reboot needed:
Yes

Superseded patches:

        This patch supersedes the one provided in Microsoft Security Bulletin
        MS01-058, which is itself a cumulative patch.

Verifying patch installation:

        To verify that the patch has been installed on the machine, open IE,
        select Help, then select About Internet Explorer and confirm that
        Q316059 is listed in the Update Versions field.

        To verify the individual files, use the patch manifest provided in
        Knowledge Base article Q316059.
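The mitigating factors earlier in the bulletin lean on two Security Zone settings ("Run ActiveX Controls and Plugins" disabled in the Restricted Sites zone, and File Downloads disabled in the zone where mail is rendered), and the verification step above relies on Q316059 appearing in the Update Versions field. As an added example, not code from the bulletin or from Microsoft, the following Python script evaluates both from data that can be read off a host. Its registry locations are assumptions not stated on the page: per-zone settings under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>`, where DWORD `1200` is "Run ActiveX controls and plug-ins" and `1803` is "File download", with 0 = enable, 1 = prompt and 3 = disable (machine-wide policy settings under HKLM are not consulted); and the Update Versions field reflecting the `MinorVersion` string under `HKLM\SOFTWARE\Microsoft\Internet Explorer`. Off Windows the script runs on a constructed sample.

```python
r"""Posture check for a Windows host against the MS02-005 mitigations and
patch verification step.

Added example, not from the bulletin or Microsoft. Assumed (not stated on
the page) registry locations, to be verified on your own build:
  * zone settings: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
    DWORD 1200 = "Run ActiveX controls and plug-ins", 1803 = "File download";
    0 = enable, 1 = prompt, 3 = disable
  * "Update Versions" (Help > About): REG_SZ MinorVersion under
    HKLM\SOFTWARE\Microsoft\Internet Explorer, e.g. ";SP1;Q316059"
"""
import sys

RESTRICTED_SITES = 4  # zone ids: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted
ENABLE, PROMPT, DISABLE = 0, 1, 3
RUN_ACTIVEX, FILE_DOWNLOAD = 1200, 1803
STATE = {ENABLE: "enable", PROMPT: "prompt", DISABLE: "disable"}
CUMULATIVE_PATCH = "Q316059"  # identifier the bulletin says appears in Update Versions


def evaluate_zone(zone_id, settings):
    """settings maps action id -> value. Returns the findings for one zone."""
    findings = []
    activex = settings.get(RUN_ACTIVEX)
    download = settings.get(FILE_DOWNLOAD)
    if zone_id == RESTRICTED_SITES:
        # The buffer-overrun mitigation relies on ActiveX being disabled here.
        if activex != DISABLE:
            findings.append("zone 4: Run ActiveX controls and plug-ins is %s, expected disable"
                            % STATE.get(activex, "unset"))
        # Disabling downloads here blocks the dialogue-spoofing issue for HTML mail
        # rendered in this zone; it is not a default, so report it as informational.
        if download == ENABLE:
            findings.append("zone 4: file downloads enabled (informational)")
    elif activex == ENABLE:
        findings.append("zone %d: ActiveX controls run without prompting" % zone_id)
    return findings


def patch_listed(minor_version, kb=CUMULATIVE_PATCH):
    """True if the KB id appears in a ';'-separated Update Versions string."""
    return kb.upper() in {p.strip().upper() for p in minor_version.split(";") if p.strip()}


def assess(zones, minor_version):
    """zones: {zone_id: {action: value}}. Returns all findings for the host."""
    findings = []
    for zone_id in sorted(zones):
        findings.extend(evaluate_zone(zone_id, zones[zone_id]))
    if not patch_listed(minor_version):
        findings.append("%s not listed in Update Versions (%r); cumulative patch missing"
                        % (CUMULATIVE_PATCH, minor_version))
    return findings


def read_registry():
    """Windows only: read the assumed locations with the standard winreg module."""
    import winreg
    zones = {}
    base = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as zk:
        for i in range(winreg.QueryInfoKey(zk)[0]):
            name = winreg.EnumKey(zk, i)
            if not name.isdigit():
                continue
            settings = {}
            with winreg.OpenKey(zk, name) as k:
                for action in (RUN_ACTIVEX, FILE_DOWNLOAD):
                    try:
                        settings[action] = winreg.QueryValueEx(k, str(action))[0]
                    except OSError:
                        pass  # value absent: leave it unset
            zones[int(name)] = settings
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Internet Explorer") as ik:
        minor = winreg.QueryValueEx(ik, "MinorVersion")[0]
    return zones, minor


if __name__ == "__main__":
    if sys.platform == "win32":
        zones, minor = read_registry()
    else:
        # Constructed sample for running the check off-box: ActiveX enabled in the
        # Internet zone, downloads enabled in Restricted Sites, patch not listed.
        zones = {3: {RUN_ACTIVEX: ENABLE, FILE_DOWNLOAD: ENABLE},
                 4: {RUN_ACTIVEX: DISABLE, FILE_DOWNLOAD: ENABLE}}
        minor = ";SP1"
    for line in assess(zones, minor) or ["no findings"]:
        print(line)
```

The zone checks are only the mitigations the bulletin itself names; the script-execution issue fires even where scripting is disabled, so no zone setting is treated as a substitute for the patch check.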

Caveats:
None

Localization:
Localized versions of this patch are available at the locations discussed
in "Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following
locations:

        Security patches are available from the Microsoft Download Center, and
        can be most easily found by doing a keyword search for "security_patch".

        Patches for consumer platforms are available from the WindowsUpdate web
        site.

        All patches available via WindowsUpdate also are available in a
        redistributable form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments
Microsoft thanks the following people for working with us to protect
customers:

        The dH team and SECURITY.NNOV team for reporting the buffer overrun
        vulnerability.

        Sandro Gauci of GFI security labs (http://www.gfi.com) for reporting the
        application invocation vulnerability.

Support:

        Microsoft Knowledge Base articles Q316059, Q317727, Q317726, Q317745,
        Q317729, and Q317742 discuss these issues and will be available
        approximately 24 hours after the release of this bulletin. Knowledge
        Base articles can be found on the Microsoft Online Support web site.

        Technical support is available from Microsoft Product Support Services.
        There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

        V1.0 (February 11, 2002): Bulletin Created.

[***** End Microsoft Security Bulletin MS02-005 *****]

  ------------------------------------------------------------------------
CIAC wishes to acknowledge the contributions of Microsoft Security Team for
the information contained in this bulletin.
  ------------------------------------------------------------------------
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can
be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

  ------------------------------------------------------------------------
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
  ------------------------------------------------------------------------
UCRL-MI-119788