Date: 09 December 2002
References: ESB-2002.677
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2002.15 -- AUSCERT ALERT
Cumulative Patch for Internet Explorer (324929) (Revised)
Microsoft Security Bulletin MS02-068
09 December 2002
===========================================================================
AusCERT Alert Summary
---------------------
Product: Internet Explorer 5.5
Internet Explorer 6.0
Vendor: Microsoft
Impact: Execute Arbitrary Code/Commands
Read-only Data Access
Reduced Security
Access Required: Remote
Ref: ESB-2002.677
This Microsoft bulletin (which we redistributed as ESB-2002.677) has been
re-issued due to an increase in the impact of the vulnerability.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (324929)
Released: 04 December 2002
Revised: 06 December 2002 (version 2.0)
Software: Microsoft(r) Internet Explorer
Impact: Allow an attacker to execute commands on a user's
system.
Max Risk: Critical
Bulletin: MS02-068
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/security/security_bulletins/ms02-068.asp
http://www.microsoft.com/technet/security/bulletin/MS02-068.asp.
- - ----------------------------------------------------------------------
Reason for Revision:
====================
This is an updated bulletin describing a cumulative patch for
Internet Explorer 5.5 and 6.0. The original patch released on
December 4, 2002 is unchanged. However since releasing the
patch, Microsoft has received a report suggesting that the
vulnerability addressed by this bulletin could be exploited to
run arbitrary code on a user's machine. Microsoft investigated
that report, and was able to develop a demonstration that
exploits the vulnerability to run arbitrary code. We have
released this updated bulletin to advise customers of our new
assessment of the potential impact of the vulnerability, and
of its updated severity rating.
Issue:
======
This is an updated bulletin describing a cumulative patch for
Internet Explorer 5.5 and 6.0. The original patch is unchanged and,
in addition to including the functionality of all previously
released patches for Internet Explorer 5.5 and 6.0, eliminates one
additional flaw in Internet Explorer's cross-domain security model.
This flaw occurs because the security checks that Internet Explorer
carries out when particular object caching techniques are used in
web pages are incomplete. This could have the effect of allowing an
attacker to execute commands on a user's system.
Exploiting the vulnerability could enable an attacker to invoke an
executable that was already present on the local system. It could
also allow an attacker to load a malicious executable onto a user's
system, or to pass parameters to an executable. However, a registry
key setting discussed in Microsoft Knowledge Base Article 810687
disables shortcuts in HTML Help, which significantly reduces the
scope of this vulnerability as it removes the ability to load a
malicious executable on a user's system or to pass parameters to an
executable.
An attacker could exploit the vulnerability by constructing a web
page that uses a cached programming technique, and could then
either host it on a web site or send it to a user via email. In the
case of the web-based attack vector the page could be automatically
opened when a user visited the site. In the case of the HTML mail-
based attack vector, the page could be opened when the recipient
opened the mail or viewed it using the Preview pane.
On December 4, 2002, Microsoft released the original version of
this bulletin. Subsequent to that time, Microsoft received a report
suggesting that the vulnerability addressed by this bulletin could
be exploited to run arbitrary code on a user's machine. Microsoft
investigated that report, and was able to develop a demonstration
that exploits the vulnerability to run arbitrary code. We have
released this updated bulletin to advise customers of our new
assessment of the potential impact of the vulnerability, and of its
updated severity rating.
The original patch released with this bulletin was and is effective
in preventing exploitation of the vulnerability. It is also
effective in eliminating all vulnerabilities addressed by prior
bulletins that could allow a malicious party to run code on the
machine of a user who visited a hostile web site or opened a
malicious HTML email message. Microsoft strongly urges all
customers to install the patch.
Mitigating Factors:
====================
- - -Internet Explorer 5.01 is not affected by this vulnerability.
- - -The web-based attack scenario would provide no way for the attacker
to force users to visit the site. Instead, the attacker would need
to lure them there, typically by getting them to click on a link
that would take them to the attacker's site.
- - -The HTML mail-based attack scenario would be blocked by Outlook
Express 6.0 and Outlook 2002 in their default configurations, and
by Outlook 98 and 2000 if used in conjunction with the Outlook
Email Security Update.
- - -If the steps described in Microsoft Knowledge Base Article 810687
have been taken to restrict shortcuts in HTML Help, then the
following mitigating factors apply:
-The vulnerability would allow an attacker to read but not add,
delete or modify files on the user's local system.
-The attacker would need to know the name and location of any file
on the system to successfully invoke it. If invoked, there would
be
no way for an attacker to pass parameters to that executable.
-The vulnerability would not provide any way for an attacker to put
a program of their choice onto another user's system.
Risk Rating:
============
Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-068.asp
for information on obtaining this patch.
- - ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPfEh+40ZSRQxA/UrAQE1WQf/RCZNbq2aVCbvaJi1iRxWdW2E9Ah45lLj
CT33JUR6d9+TmUazFfglWFM0zLXcBctERZDkAyLWjvgO3Yc+usIOdo4BQNl5Mf+o
V739TyR7rfumnpnKr9qlepFJRLkaBPnPPNh/Yphd8LbLBlJ7DfTjDxuUS966gTKb
GkxgOl8zBvDwaCpCrWyBHEaOIpBivUxj8HKBGzrcj0n82y4C9ZOd9i0AsFwqyrsa
FSBPo3r55cZB6w/De+CIQ0siftgbvvWR0WtRk/2RETi0+wzTnF0SK04GNndFm3nl
V8UckCD9Jv2BzPlFWp6qDKEPaFHdUzrbIZYYwZsBesZzwbsP+2pusg==
=n7GV
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This alert is provided as a service to AusCERT's members. As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the alert. It may not be
updated when updates to the original are made. If downloading at a later
date, it is recommended that the alert is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the alert above. If you have any questions or need further information,
please contact them directly.
Previous advisories, alerts and external security bulletins can be
retrieved from:
http://www.auscert.org.au/render.html?cid=1977
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPfRtLSh9+71yA2DNAQEmGgP/TuKOnxLaW1M5PE1JtTAbRBH9Qytsxyfs
dkedu2dKw6H1TF6w8TTIX8CgVIfE45H1j6ConWwblETYdHXW0KWour6tAxdDY0U4
xxuHjX2iI35AYao6Xcf0Uq7KpT2EmrYkJp+WEpJp17v6JA+sTdKOkgItBkv1/JBW
vf6Lozzvk8E=
=gyDK
-----END PGP SIGNATURE-----
|