15 May 2002 Cumulative Patch for Internet Explorer

Discussion in 'other security issues & news' started by Marianna, May 15, 2002.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    -----BEGIN PGP SIGNED MESSAGE-----

    - ----------------------------------------------------------------------
    Title:      15 May 2002 Cumulative Patch for Internet Explorer
               (Q321232)
    Date:       15 May 2002
    Software:   Internet Explorer
    Impact:     Six new vulnerabilities, the most serious of which could
               allow code of attacker's choice to run.
    Max Risk:   Critical
    Bulletin:   MS02-023

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS02-023.asp.
    - ----------------------------------------------------------------------

    Issue:
    ======
    This is a cumulative patch that includes the functionality of all
    previously released patches for IE 5.01, 5.5 and 6.0. In addition,
    it eliminates the following six newly discovered vulnerabilities:


    - A cross-site scripting vulnerability in a Local HTML Resource.
      IE ships with several files that contain HTML on the local file
      system to provide functionality. One of these files contains a
      cross-site scripting vulnerability that could allow a script to
      execute as if it were run by the user herself, causing it to run
      in the local computer zone. An attacker could craft a web page
      with a URL that exploits this vulnerability and then either host
      that page on a web server or send it as HTML email. When the web
      page was viewed and the user clicked on the URL link, the
      attacker's script would be injected into the local resource and
      would run in the Local Computer zone, allowing it to run with
      fewer restrictions than it would otherwise have.

    - An information disclosure vulnerability related to the use of an
      HTML object that provides support for Cascading Style Sheets and
      that could allow an attacker to read, but not add, delete or change,
      data on the local system. An attacker could craft a web page
      that exploits this vulnerability and then either host that page
      on a web server or send it as HTML email. When the page was
      viewed, the element would be invoked. Successfully exploiting this
      vulnerability, however, requires exact knowledge of the location
      of the intended file to be read on the user's system. Further,
      it requires that the intended file contain a single, particular
      ASCII character.

    - An information disclosure vulnerability related to the handling
      of script within cookies that could allow one site to read the
      cookies of another. An attacker could build a special cookie
      containing script and then construct a web page with a hyperlink
      that would deliver that cookie to the user's system and invoke
      it. He could then send that web page as mail or post it on a
      server. When the user clicked the hyperlink and the page invoked
      the script in the cookie, it could potentially read or alter the
      cookies of another site. Successfully exploiting this, however,
      would require that the attacker know the exact name of the
      cookie as stored on the file system to be read successfully.

    - A zone spoofing vulnerability that could allow a web page to be
      incorrectly reckoned to be in the Intranet zone or, in some very
      rare cases, in the Trusted Sites zone. An attacker could construct
      a web page that exploits this vulnerability and attempt to entice
      the user to visit the web page. If the attack were successful,
      the page would be run with fewer security restrictions than
      is appropriate.

    - Two variants of the "Content Disposition" vulnerability
      discussed in Microsoft Security Bulletin MS01-058 affecting how
      IE handles downloads when a downloadable file's
      Content-Disposition and Content-Type headers are
      intentionally malformed. In such a case, it is possible for
      IE to believe that a file is a type safe for automatic
      handling, when in fact it is executable content. An attacker
      could seek to exploit this vulnerability by constructing a
      specially malformed web page and posting a malformed executable
      file. He could then post the web page or mail it to the intended
      target. These two new variants differ from the original
      vulnerability in that, for a system to be vulnerable, it
      must have an application present that, when it is
      erroneously passed the malformed content, chooses to hand it
      back to the operating system rather than immediately raise
      an error. A successful attack, therefore, would require that
      the attacker know that the intended victim has one of these
      applications present on their system.

    Finally, it introduces a behavior change to the Restricted Sites
    zone. Specifically, it disables frames in the Restricted Sites
    zone. Since Outlook Express 6.0, Outlook 98 and Outlook 2000
    with the Outlook Email Security Update, and Outlook 2002 all read
    email in the Restricted Sites zone by default, this enhancement
    means that those products now effectively disable frames in HTML
    email by default. This new behavior makes it impossible for an
    HTML email to automatically open a new window or to launch the
    download of an executable.

    Mitigating Factors:
    ====================
    Cross-Site Scripting in Local HTML Resource:

    - A successful attack requires that a user first click on a
      hyperlink. There is no way to automate an attack using
      this vulnerability.

    - Outlook 98 and 2000 (after installing the Outlook Email
      Security Update), Outlook 2002, and Outlook Express 6 all
      open HTML mail in the Restricted Sites Zone. As a result,
      customers using these products would not be at risk from
      email-borne attacks.

    - Customers using Outlook 2002 SP1 who have enabled the
      "Read as Plain Text" feature would be immune from the HTML
      email attack. This is because this feature disables all
      HTML elements, including scripting, from mail when it
      is displayed.

    - Any limitations on the rights of the user's account
      would also limit the actions of the attacker's script.

    - Customers who exercise caution in what web sites they
      visit or who place unknown or untrusted sites in the
      Restricted Sites zone can potentially protect themselves
      from attempts to exploit this issue on the web.

    Local Information Disclosure through HTML Object:

    - It can only be used to read information. It cannot add,
      change or delete any information.

    - The attacker would need to know the exact name and
      location on the system of any file they attempted to read.

    - Only files that contained a particular, individual ASCII
      character could be read. If this single character is not
      present, the attempt to read the file would fail.

    - Outlook 98 and 2000 (after installing the Outlook Email
      Security Update), Outlook 2002, and Outlook Express 6 all
      open HTML mail in the Restricted Sites Zone. As a result,
      customers using these products would not be at risk from
      email-borne attacks.

    - Customers using Outlook 2002 SP1 who have enabled the
      "Read as Plain Text" feature would be immune from the
      HTML email attack. This is because this feature disables
      all HTML elements, including scripting, from mail when it
      is displayed.

    Script within Cookies Reading Cookies:

    - The specific information an attacker could access would
      depend on what information a site has chosen to store in
      its cookies. Best practices strongly recommend against
      storing sensitive information in cookies.

    - An attacker would have to entice a user to first click on
      a hyperlink to initiate an attempt to exploit this
      vulnerability. There is no way to automate an attack that
      exploits this vulnerability.

    - Mounting a successful attack requires that the attacker
      know the exact name of the target cookie. This
      vulnerability provides no means for an attacker to
      acquire that information.

    - Outlook 98 and 2000 (after installing the Outlook Email
      Security Update), Outlook 2002, and Outlook Express 6
      all open HTML mail in the Restricted Sites Zone. As a
      result, customers using these products would not be at
      risk from email-borne attacks.

    - Customers using Outlook 2002 SP1 who have enabled the
      "Read as Plain Text" feature would be immune from the
      HTML email attack. This is because this feature disables
      all HTML elements, including scripting, from mail when it
      is displayed.

    Zone Spoofing through Malformed Web Page:

    - A successful attack would require NetBIOS connectivity
      between the user and the attacker's site. Any filtering
      of NetBIOS, such as that done by ISPs or at the firewall
      perimeter, would thwart attempts to exploit this
      vulnerability.

    - Any attempt to render a web site in the Trusted Sites zone
      would require very specific knowledge of custom configuration
      made by the user. This aspect of the vulnerability is not
      exploitable by default, nor does the vulnerability give the
      means to acquire the necessary information for that attack.

    New Variants of the "Content Disposition" Vulnerability:

    - Any successful attempt to exploit this vulnerability requires
      that the attacker know that the intended target have specific
      versions of specific applications on their system. The
      vulnerability gives no means for an attacker to know what
      applications or versions are present on the system.

    - Any attempt to exploit the vulnerability requires that the
      attacker host a malicious executable on a server accessible
      to the intended victim. If the hosting server is
      unreachable for any reason, such as DNS blocking or the
      server being taken down, the attack would fail.

    Risk Rating:
    ============
    - Internet systems: Critical
    - Intranet systems: Critical
    - Client systems: Critical

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
      Security Bulletin at
      http://www.microsoft.com/technet/security/bulletin/ms02-023.asp
      for information on obtaining this patch.

    Acknowledgment:
    ===============
    - Jani Laatikainen (jani@laatikainen.net) for reporting one of the
      "Content-Disposition" variants.
    - Yuu Arai of LAC SNS Team (http://www.lac.co.jp/security/) for
      reporting one of the "Content-Disposition" variants.
    - Cistobal Bielza Lino and Juan Carlos G. Cuartango from
      Instituto Seguridad Internet (www.instisec.com) for reporting
      the Zone Spoofing through Malformed Web Page vulnerability.

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
    PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
    ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
    IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
    FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
    CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
    MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
    OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
    SO THE FOREGOING LIMITATION MAY NOT APPLY.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    iQEVAwUBPOLRUY0ZSRQxA/UrAQHuJAf+I9CatGyrjkE6H8uaTNhlrpnXBFhvSXWz
    zAbGD30AkFOpB5DbzFqaz0Wnc7syaR/dqwjQ/l/eAJhVW0EDPtJ1augtCrM7zlUZ
    1b+T3yv5oynDdnd+EoktdrePxzv+bZCAlaogIOwk/cYIQCwV2o9PWH/xF687ilQ8
    Ut2sW6FU8HCrKn7xVPjyrn37XwWKE5qbgBgpg9fcj8rUwlhLMFJCa812cVPVZ9++
    mxCuFRpc0+xp/5AZ8OzkNWyIiEt3dLKIHPfCt52IdC27CpFTYVuXMd6bfpquuOcZ
    y4JyaB/JaAsXaGHKVR3aQxttcouajE1v3LSfTBOn8uAkM8bf9Ugj/g==
    =mw7q
    -----END PGP SIGNATURE-----


    *******************************************************************
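The "Content Disposition" variants in the bulletin above rely on a response whose Content-Type and Content-Disposition headers disagree with what is actually being served, so that IE treats executable content as a type it handles automatically. As an added example, not part of the bulletin or of this thread, here is a Python checker of the kind a proxy or mail gateway could run over a captured HTTP response to flag that class of mismatch: it parses the headers, reads the filename out of Content-Disposition, sniffs the leading bytes of the body, and reports when the declared type, the filename extension, and the body disagree or when the disposition header itself is malformed. The lists of "safe" types and executable extensions, the magic-byte table, and the three sample responses are constructed for the example; the bulletin does not state the exact malformation the variants use, and the sample does not claim to reproduce it.

```python
import re

# Types a 2002-era browser would render inline without prompting.
# Illustrative list (assumption), not taken from the bulletin.
SAFE_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg"}
# Extensions Windows would execute when the file is opened. Illustrative list (assumption).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, header dict, body).
    Header names are lower-cased; header lines without a colon are dropped."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def disposition_filename(disposition: str):
    """Return the filename parameter of a Content-Disposition value, or None."""
    m = re.search(r'filename\*?\s*=\s*"?([^";]+)"?', disposition, re.IGNORECASE)
    return m.group(1).strip() if m else None


def sniff_type(body: bytes) -> str:
    """Guess a media type from the leading bytes; unknown -> application/octet-stream."""
    if body[:2] == b"MZ":
        return "application/x-msdownload"  # DOS/PE executable header
    if body[:4] == b"%PDF":
        return "application/pdf"
    if body[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if body[:2] == b"\xff\xd8":
        return "image/jpeg"
    if re.match(rb"\s*<(!doctype|html)", body, re.IGNORECASE):
        return "text/html"
    return "application/octet-stream"


def check_response(raw: bytes):
    """Return a list of findings describing header/body disagreements in one response."""
    findings = []
    _, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    disposition = headers.get("content-disposition", "")
    fname = disposition_filename(disposition)
    ext = ("." + fname.rsplit(".", 1)[-1].lower()) if fname and "." in fname else ""
    sniffed = sniff_type(body)

    # 1. The bytes served are a recognisable type that is not the declared one.
    if sniffed != "application/octet-stream" and sniffed != ctype:
        what = "an executable" if sniffed == "application/x-msdownload" else sniffed
        findings.append(f"Content-Type says {ctype or '(none)'} but the body looks like {what}")
    # 2. The filename would be executed on open, yet the declared type is one handled automatically.
    if ext in EXECUTABLE_EXTS and ctype in SAFE_TYPES:
        findings.append(f"Content-Disposition names {fname!r} but Content-Type claims safe type {ctype}")
    # 3. Control characters in the filename are a classic sign of a deliberately malformed header.
    if fname and re.search(r"[\x00-\x1f\x7f]", fname):
        findings.append("control character inside Content-Disposition filename")
    # 4. Anything other than inline/attachment as the disposition type is malformed.
    if disposition and not re.match(r"^(inline|attachment)\s*(;|$)", disposition, re.IGNORECASE):
        findings.append(f"non-standard disposition type in {disposition!r}")
    return findings


# Constructed sample responses (not captured traffic).
BENIGN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Disposition: inline; filename=\"logo.gif\"\r\n"
    b"\r\n"
    b"GIF89a\x01\x00\x01\x00"
)
SPOOFED = (  # safe-looking headers, PE executable body
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Disposition: inline; filename=\"update.exe\"\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"
)
MALFORMED = (  # NUL inside the filename parameter
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Disposition: attachment; filename=\"notes.txt\x00.exe\"\r\n"
    b"\r\n"
    b"just text\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("spoofed", SPOOFED), ("malformed", MALFORMED)):
        print(label, check_response(sample) or ["ok"])
```

The checker deliberately trusts none of the three signals on its own: a declared type, a filename extension, and the leading bytes are each cheap to forge, and the bulletin's point is precisely that the client believed the headers over the content. A gateway applying it would treat any finding on a response destined for a client that auto-handles "safe" types as grounds to quarantine rather than forward.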
  2. javacool

    javacool BrightFort Moderator
