Yet another MS 'cumulative patch' for IE.

Discussion in 'other security issues & news' started by spy1, Mar 29, 2002.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC
    Title: 28 March 2002 Cumulative Patch for Internet Explorer
    Date: 28 March 2002
    Software: Internet Explorer
    Impact: Two vulnerabilities, the most serious of which
    would allow script to run in the Local Computer Zone.
    Max Risk: Critical
    Bulletin: MS02-015

    Microsoft encourages customers to review the Security Bulletin at: ----------------------------------------------------------------------

    This is a cumulative patch that includes the functionality of all
    previously released patches for IE 5.01, 5.5 and IE 6. In addition,
    it eliminates the following two newly discovered vulnerabilities:

    - A vulnerability in the zone determination function that could
    allow a script embedded in a cookie to be run in the Local
    Computer zone. While HTML scripts can be stored in cookies,
    they should be handled in the same zone as the hosting site
    associated with them, in most cases the Internet zone. An
    attacker could place script in a cookie that would be saved
    to the user's hard disk. When the cookie was opened by the
    site the script would then run in the Local Computer zone,
    allowing it to run with fewer restrictions than it would
    otherwise have.

    - A vulnerability in the handling of object tags that could
    allow an attacker to invoke an executable already present
    on the user's machine. A malicious user could create HTML
    web page that includes this object tag and cause a local
    program to run on the victim's machine.

    Mitigating Factors:
    Cookie-based Script Execution:

    - The script would run with the same rights as the user.
    The specific privileges the attacker could gain through
    this vulnerability would therefore depend on the
    privileges accorded to the user. Any limitations on a
    user's account, such as those applied through Group
    Policies, would also limit the actions of any script
    executed by this vulnerability.

    Local Executable Invocation via Object tag:

    - The vulnerability would not enable the attacker to pass
    any parameters to the program. Microsoft is not aware of
    any programs installed by default in any version of
    Windows that, when called with no parameters, could be
    used to compromise the system.

    - An attacker could only execute a file on the victim's
    local machine. The vulnerability could not be used to
    execute a program on a remote share or web site.

    - The vulnerability would not provide any way for an
    attacker to put a program of his choice onto another
    user's system.

    - An attacker would need to know the name and location
    of any executable on the system to successfully invoke it.

    - Outlook 98 and 2000 (after installing the Outlook Email
    Security Update), Outlook 2002, and Outlook Express 6 all
    open HTML mail in the Restricted Sites Zone. As a result,
    customers using these products would not be at risk from
    email-borne attacks.

    Risk Rating:
    - Internet systems: Critical
    - Intranet systems: Critical
    - Client systems: Critical

    Patch Availability:
    - A patch is available to fix this vulnerability. Please read the
    Security Bulletin at
    for information on obtaining this patch.

    - Andreas Sandblad, Sweden for reporting the Cookie-based Script
    Execution issue

    *PeteNote - I've d/l'ed the patch but haven't installed it yet. I'm waiting to see if there are any issues arising from the application of the patch itself.
Thread Status:
Not open for further replies.