Date: 05 December 2002
References: ESB-2003.0073 ESB-2003.0087
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2002.677 -- Microsoft Security Bulletin MS02-068
Cumulative Patch for Internet Explorer (324929)
05 December 2002
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Internet Explorer 5.5
Internet Explorer 6.0
Vendor: Microsoft
Impact: Read-only Data Access
Reduced Security
Access Required: Remote
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (Q324929)
Date: 04 December 2002
Software: Microsoft(r) Internet Explorer
Impact: Information Disclosure
Max Risk: Moderate
Bulletin: MS02-068
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/security/security_bulletins/MS02-068.asp
http://www.microsoft.com/technet/security/bulletin/MS02-068.asp.
- - ----------------------------------------------------------------------
Issue:
======
This is a cumulative patch for Internet Explorer 5.5 and 6.0. In
addition to including the functionality of all previously released
patches for Internet Explorer 5.5 and 6.0, it also eliminates a
newly discovered flaw in Internet Explorer's cross-domain security
model. This flaw occurs because the security checks that Internet
Explorer carries out when particular object caching techniques are
used in web pages are incomplete. This could have the effect of
allowing a website in one domain to access information in another,
including the user's local system.
Exploiting the vulnerability could enable an attacker to read, but
not change, any file on the user's local computer. In addition, the
attacker could invoke an executable that was already present on the
local system. The attacker would need to know the exact location of
the executable, and would not be able to pass parameters to it.
Microsoft is not aware of any executable that ships by default as
part of Windows and, when run without parameters, could be
dangerous.
An attacker could exploit the vulnerability by constructing a web
page that uses a cached programming technique, and could then
either host it on a web site or send it to a user via email. In the
case of the web-based attack vector the page could be automatically
opened when a user visited the site In the case of the HTML mail-
based attack vector, the page could be opened when the recipient
opened the mail or viewed it using the Preview pane.
Mitigating Factors:
====================
- - -Internet Explorer 5.01 is not affected by this vulnerability.
- - -The web-based attack scenario would provide no way for the
attacker to force users to visit the site. Instead, the attacker
would need to lure them there, typically by getting them to click
on a link that would take them to the attacker's site.
- - -The HTML mail-based attack scenario would be blocked by Outlook
Express 6.0 and Outlook 2002 in their default configurations, and
by Outlook 98 and 2000 if used in conjunction with the Outlook
Email Security Update.
- - -The vulnerability would allow an attacker to read but not add,
delete or modify files on the user's local system.
- - -The attacker would need to know the name and location of any file
on the system to successfully invoke it. If invoked, there would be
no way for an attacker to pass parameters to that executable.
- - -This vulnerability does not provide any way for an attacker to put
a program of their choice onto another user's system.
Risk Rating:
============
Moderate
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-068.asp
for information on obtaining this patch.
- - ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPe5c0o0ZSRQxA/UrAQH9+QgAqG29LelobUVrkeLCN3vE9Jj0P61nj9eX
MYxYheB2OUjFYNF8263tDxASQBLmk7I/RKw3zDTp+d1q1c2ngjEoibvLiDvExik5
n9F8RgvTH8XEo2lnxAes5VS4ASvdBRImT6jTD3hZ6DmhEwN9UAWsnynXsCu+GBOa
tD7JhIlTQWOwASI8f1c3ElMRVjFFs0IK8JX3zrhzPIUPrtO9HrjdSGss7c8jW4rk
c1yPFSO/eKA6bs47Mg5oApHrjPecYMw5OuFRuOtmbiAv9zFG4njCEPtoNkzN/wq3
XyEzR0kAt/VksBewljU7vh1xyyezIr1uuhlC2UQQwukpO2SbQ/SkHQ==
=wAs+
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPe9BISh9+71yA2DNAQG1+gP+LGOkyuLLu3IbFmke4E1bPFAwEHoplVrt
cDG323wqnvHhq5PHZ4DyBQ6ifF1oKqFxsKUum5weKRKODdw5VA77nMl8ZlmKPjm4
oLQOlP43SFa3TnBL8AU3FpQwE9hMYK3ZN7X3T7mQOrcGM/C/7ZNkx1o/mUkvxPQZ
PKRXbTRdNHg=
=0CqK
-----END PGP SIGNATURE-----
|