[CIAC] INFORMATION BULLETIN
M-041: Microsoft Internet Explorer Cumulative Patch
[Microsoft Security Bulletin MS02-005]
February 12, 2002 18:00 GMT
------------------------------------------------------------------------
PROBLEM:       Six vulnerabilities have been found in Internet
               Explorer, the most serious of which allows an intruder
               to remotely run code on another user's system.
PLATFORM:      Windows platforms with Internet Explorer 5.01 SP2, 5.5
               SP1 and SP2, or 6.0.
DAMAGE:        Depending on the vulnerability, an intruder can read
               or execute files on a client system and possibly get
               remote access to the system.
SOLUTION:      Apply the 11 February 2002 Cumulative Patch for
               Internet Explorer, available from the Microsoft Windows
               Update web site.
------------------------------------------------------------------------
VULNERABILITY  The risk is HIGH. Remote users can run code on a
ASSESSMENT:    client's system and possibly get user access on that
               system.
------------------------------------------------------------------------
LINKS:
CIAC BULLETIN:     http://www.ciac.org/ciac/bulletins/m-041.shtml
ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-005.asp
PATCHES:           http://windowsupdate.microsoft.com
------------------------------------------------------------------------
[***** Start Microsoft Security Bulletin MS02-005 *****]
Microsoft Security Bulletin MS02-005
11 February 2002 Cumulative Patch for Internet Explorer
Originally posted: February 11, 2002
Summary
Who should read this bulletin: Customers using Microsoft(r) Internet
Explorer
Impact of vulnerability: Six vulnerabilities, the most serious of which
could allow an attacker to run code on another user's system.
Maximum Severity Rating: Critical
Recommendation: Customers using an affected version of IE should install
the patch immediately.
Affected Software:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Technical details
Technical description:
This is a cumulative patch that, when installed, eliminates all previously
discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6. In
addition, it eliminates the following six newly discovered
vulnerabilities:
A buffer overrun vulnerability associated with an HTML directive that's
used to incorporate a document within a web page. By creating a web page
that invokes the directive using specially selected attributes, an
attacker could cause code to run on the user's system.
A vulnerability associated with the GetObject scripting function. Before
providing a handle to an operating system object, GetObject performs a
series of security checks to ensure that the caller has sufficient
privileges to it. However, by requesting a handle to a file using a
specially malformed representation, it would be possible to bypass some
of these checks, thereby allowing a web page to complete an operation
that should be prevented, namely, reading files on the computer of a
visiting user's system.
A vulnerability related to the display of file names in the File
Download dialogue box. When a file download from a web site is
initiated, a dialogue provides the name of the file and lets the user
choose what action to take. However, a flaw exists in the way HTML
header fields (specifically, the Content-Disposition and Content-Type
fields) are handled. This flaw could make it possible for an attacker to
misrepresent the name of the file in the dialogue, in an attempt to
trick a user into opening or saving an unsafe file.
A vulnerability that could allow a web page to open a file on the web
site, using any application installed on a user's system. By design, IE
should only open a file on a web site using the application that's
registered to that type of file, and even then only if it's on a list of
safe applications. However, through a flaw in the handling of the
Content-Type HTML header field, an attacker could circumvent this
restriction, and specify the application that should be invoked to
process a particular file. IE would comply, even if the application was
listed as unsafe.
A vulnerability that could enable a web page to run a script even if the
user has disabled scripting. IE checks for the presence of scripts when
initially rendering a page. However, the capability exists for objects
on a page to respond to asynchronous events; by misusing this capability
in a particular way, it could be possible for a web page to fire a
script after the page has passed the initial security checks.
A newly discovered variant of the "Frame Domain Verification"
vulnerability discussed in Microsoft Security Bulletin MS01-058. The
vulnerability could enable a malicious web site operator to open two
browser windows, one in the web site's domain and the other on the
user's local file system, and to use the Document.open function to pass
information from the latter to the former. This could enable the web
site operator to read, but not change, any file on the user's local
computer that could be opened in a browser window. In addition, this
could be used to misrepresent the URL in the address bar in a window
opened from their site.
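As an added example (not code from the CIAC or Microsoft bulletins), the following Python audit flags response headers of the kind the third and fourth vulnerabilities above describe: a Content-Disposition file name whose extension disagrees with the declared Content-Type, an executable extension behind a document-looking name, control or path characters in the name, or duplicated headers. The sample header blocks and the RISKY_EXT list are constructed for the example, not taken from the bulletin.

```python
import re
import mimetypes

# Extensions a client may hand straight to a shell or script host (constructed list).
RISKY_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta"}

def parse_headers(raw):
    """Split a raw HTTP header block into (name, value) pairs, keeping duplicates."""
    pairs = []
    for line in raw.split("\n"):
        name, sep, value = line.rstrip("\r").partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def disposition_filename(value):
    """Return the filename parameter of a Content-Disposition value, or None."""
    m = re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;]*))', value, re.I)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()

def audit_download_headers(raw):
    """Return a list of findings for one response header block (empty if clean)."""
    findings = []
    hdrs = parse_headers(raw)
    for name in ("content-type", "content-disposition"):
        if sum(1 for n, _ in hdrs if n == name) > 1:
            findings.append(f"duplicate {name} header")
    ctype = next((v for n, v in hdrs if n == "content-type"), "")
    ctype = ctype.split(";")[0].strip().lower()
    fname = disposition_filename(next((v for n, v in hdrs if n == "content-disposition"), ""))
    if fname is None:
        return findings
    # Control characters or path separators let a dialogue show a different name.
    if re.search(r"[\x00-\x1f\\/]", fname):
        findings.append("filename contains control or path characters")
    ext = ("." + fname.rsplit(".", 1)[1]).lower() if "." in fname else ""
    if ext in RISKY_EXT:
        findings.append(f"filename has executable extension {ext}")
    # The declared type should agree with what the extension implies.
    guessed, _ = mimetypes.guess_type(fname)
    if ctype and guessed and guessed.lower() != ctype:
        findings.append(f"extension {ext} implies {guessed}, header says {ctype}")
    return findings

# Constructed sample responses, not captured traffic.
BENIGN = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; filename=\"readme.txt\"\r\n"
SUSPECT = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Disposition: attachment; filename=\"report.txt.exe\"\r\n"
```

Run at a proxy or over captured headers, a non-empty result marks a response whose download dialogue would have been worth a second look on an unpatched client.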
Mitigating factors:
Buffer Overrun in HTML Directive:
The vulnerability could not be exploited if the "Run ActiveX Controls
and Plugins" security option were disabled in the Security Zone in which
the page was rendered. This is the default condition in the Restricted
Sites Zone, and can be disabled manually in any other Zone.
Outlook 98 and 2000 (after installing the Outlook Email Security
Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the
Restricted Sites Zone. As a result, customers using these products would
not be at risk from email-borne attacks.
The buffer overrun would allow code to run in the security context of
the user rather than the system. The specific privileges the attacker
could gain through this vulnerability would therefore depend on the
privileges accorded to the user.
File Reading via GetObject function:
This vulnerability could only be used to read files. It could not be
used to create, change, delete, or execute them.
The attacker would need to know the name and location of the file on the
user's computer.
Some files that would be of interest to an attacker - most notably, the
SAM Database - are locked by the operating system and therefore could
not be read even using this vulnerability.
The email-borne attack scenario would be blocked if the user were using
any of the following: Outlook 98 or 2000 with the Outlook Email Security
Update installed; Outlook 2002; or Outlook Express 6.
The web-based attack scenario could be blocked by judicious use of the
IE Security Zones mechanism such as using the Restricted Sites zone.
File Download Dialogue Spoofing via Content-Type and Content-Disposition fields:
Exploiting this vulnerability would not give an attacker the ability to
force code to run on a user's system. It would only enable the attacker
to misrepresent the file name and type in the File Download dialogue.
The download operation would not occur without the user's approval, and
the user could cancel at any time.
The vulnerability could not be exploited if File Downloads have been
disabled in the Security Zone in which the e-mail is rendered. This is
not a default setting in any zone, however.
On versions of IE prior to 6.0, the default selection in the file
download dialogue is to save, rather than open, the file. (In IE 6.0,
the default is to open the file; however, this behavior is
inappropriate, and the patch changes IE 6.0 to conform with the behavior
of previous versions).
Application invocation via Content-Type field:
An attacker could only exploit this vulnerability if the application
specified through the Content-Type field was actually installed on the
user's system.
The vulnerability does not provide any way for the attacker to inventory
the applications installed on the user's system and select one, nor does
it provide any way to force the user to install a particular
application.
The vulnerability would not provide any way to circumvent the security
features of the application or to reconfigure it.
Outlook 2002 users who have configured Outlook to render HTML mail as
plaintext would be at no risk from attack through HTML mail.
Script execution:
This vulnerability extends only to allowing scripts to run - it does not
allow any other security restrictions to be bypassed. So, for instance,
although an attacker could use this vulnerability to run a script, the
script would still be subject to all other expected security settings.
Frame Domain Verification Variant via Document.Open function:
The vulnerability could only be used to view files. It could not be used
to create, delete, modify or execute them.
The vulnerability would only allow an attacker to read files that can be
opened in a browser window, such as image files, HTML files and text
files. Other file types, such as binary files, executable files, Word
documents, and so forth, could not be read.
The attacker would need to specify the exact name and location of the
file in order to read it.
Severity Rating:
Buffer Overrun in HTML Directive:
                        Internet Servers  Intranet Servers  Client Systems
Internet Explorer 5.01  None              None              None
Internet Explorer 5.5   Critical          Critical          Critical
Internet Explorer 6.0   Critical          Critical          Critical
File Reading via GetObject function:
                        Internet Servers  Intranet Servers  Client Systems
Internet Explorer 5.01  Moderate          Moderate          Critical
Internet Explorer 5.5   Moderate          Moderate          Critical
Internet Explorer 6.0   Moderate          Moderate          Critical
File Download Dialogue Spoofing via Content-Type and Content-ID fields:
                        Internet Servers  Intranet Servers  Client Systems
Internet Explorer 5.01  Moderate          Moderate          Moderate
Internet Explorer 5.5   Moderate          Moderate          Moderate
Internet Explorer 6.0   Moderate          Moderate          Moderate
Application Invocation via Content-Type field:
                        Internet Servers  Intranet Servers  Client Systems
Internet Explorer 5.01  Moderate          Moderate          Moderate
Internet Explorer 5.5   Moderate          Moderate          Moderate
Internet Explorer 6.0   Moderate          Moderate          Moderate
Script Execution:
                        Internet Servers  Intranet Servers  Client Systems
Internet Explorer 5.01  None              None              None
Internet Explorer 5.5   Moderate          Moderate          Moderate
Internet Explorer 6.0   Moderate          Moderate          Moderate
Frame Domain Verification Variant via Document.open function:
                        Internet Servers  Intranet Servers  Client Systems
Internet Explorer 5.01  None              None              None
Internet Explorer 5.5   Moderate          Moderate          Critical
Internet Explorer 6.0   Moderate          Moderate          Critical
Aggregate severity of all vulnerabilities eliminated by patch:
                        Internet Servers  Intranet Servers  Client Systems
Internet Explorer 5.01  Moderate          Moderate          Critical
Internet Explorer 5.5   Critical          Critical          Critical
Internet Explorer 6.0   Critical          Critical          Critical
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.
Vulnerability identifier:
Buffer overrun: CAN-2002-0022
File reading via GetObject function: CAN-2002-0023
File download spoofing via Content-Type and Content-ID fields: CAN-2002-0024
Application Invocation via Content-Type field: CAN-2002-0025
Script execution: CAN-2002-0026
Frame Domain Verification Variant via Document.open function: CAN-2002-0027
Patch availability
Download locations for this patch
http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp
Additional information about this patch
Installation platforms:
The IE 5.01 patch can be applied to Windows 2000 Systems with Service
Pack 2 running IE 5.01.
The IE 5.5 patch can be installed on systems running IE 5.5 Service Pack
1 or Service Pack 2.
The IE 6.0 patch can be installed on systems running IE 6.0 Gold.
Inclusion in future service packs:
The fixes for these issues will be included in IE 6.0 Service Pack 1.
The fixes for the issues affecting IE 5.01 Service Pack 2 will be
included in Windows 2000 Service Pack 3.
Reboot needed:
Yes
Superseded patches:
This patch supersedes the one provided in Microsoft Security Bulletin
MS01-058, which is itself a cumulative patch.
Verifying patch installation:
To verify that the patch has been installed on the machine, open IE,
select Help, then select About Internet Explorer and confirm that
Q316059 is listed in the Update Versions field.
To verify the individual files, use the patch manifest provided in
Knowledge Base article Q316059.
Caveats:
None
Localization:
Localized versions of this patch are available at the locations discussed
in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following
locations:
Security patches are available from the Microsoft Download Center, and
can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web
site.
All patches available via WindowsUpdate also are available in a
redistributable form from the WindowsUpdate Corporate site.
Other information:
Acknowledgments
Microsoft thanks the following people for working with us to protect
customers:
The dH team and SECURITY.NNOV team for reporting the buffer overrun
vulnerability.
Sandro Gauci of GFI security labs (http://www.gfi.com) for reporting the
application invocation vulnerability.
Support:
Microsoft Knowledge Base articles Q316059, Q317727, Q317726, Q317745,
Q317729, and Q317742 discuss these issues and will be available
approximately 24 hours after the release of this bulletin. Knowledge
Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services.
There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
V1.0 (February 11, 2002): Bulletin Created.
[***** End Microsoft Security Bulletin MS02-005 *****]
------------------------------------------------------------------------
CIAC wishes to acknowledge the contributions of Microsoft Security Team for
the information contained in this bulletin.
------------------------------------------------------------------------
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can
be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)
------------------------------------------------------------------------
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
------------------------------------------------------------------------
UCRL-MI-119788