Date: 14 February 2003
References: ESB-2002.677 ESB-2003.0073
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0087 -- Microsoft Security Bulletin MS03-004
Cumulative Patch for Internet Explorer (810847) Updated
14 February 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Vendor: Microsoft
Operating System: Windows 98SE
Windows ME
Windows NT
Windows 2000
Windows XP
Platform: i386
IA-64
Impact: Execute Arbitrary Code/Commands
Access Privileged Data
Denial of Service
Access Required: Remote
Ref: ESB-2003.0073
ESB-2002.677
Comment: CVE Id: CAN-2002-1326
CAN-2002-1328
Microsoft has stated that this hot fix corrects a very specific
non-security issue created by the original release of the patch
The security patch discussed in this Security Bulletin was, and
still is, effective in removing the vulnerabilities discussed
later in this bulletin.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (810847)
Released: 5 February 2003
Revised: 12 February 2003(version 2.0)
Software: Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Impact: Allow an attacker to execute commands on a user's
system.
Max Risk: Critical
Bulletin: MS03-004
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS03-004.asp
http://www.microsoft.com/security/security_bulletins/ms03-004.asp
- - ----------------------------------------------------------------------
Reason for Revision:
====================
Subsequent to the initial release of this bulletin, a non-security
issue was discovered with this patch that could affect some users -
primarily consumers - under certain conditions. Specifically, the
issue could cause some users to be unable to authenticate to
certain Internet web sites such as subscription based sites, or MSN
e-mail. This issue has been resolved, and a hot fix (813951) issued
to correct it. It is important to note that this hot fix corrects a
very specific non-security issue, and that the security patch
discussed in this Security Bulletin was, and still is, effective in
removing the vulnerabilities discussed later in this bulletin. More
information, including details of how to obtain the hot fix are
available at:
http://www.microsoft.com/windows/ie/downloads/critical/813951/defau
lt.asp and in the Frequently Asked Questions section of this
bulletin.
Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5, 6.0. In addition, it
eliminates two newly discovered vulnerabilities involving Internet
Explorer's cross-domain security model - which keeps windows of
different domains from sharing information. These flaws results in
Internet Explorer because incomplete security checking causes
Internet Explorer to allow one website to potentially access
information from another domain when using certain dialog boxes.
In order to exploit this flaw, an attacker would have to host a
malicious web site that contained a web page designed to exploit
this particular vulnerability and then persuade a user to visit
that site. Once the user has visited the malicious web site, it
would be possible for the attacker to run malicious script by
misusing a dialog box and cause that script to access information
in a different domain. In the worst case, this could enable the web
site operator to load malicious code onto a user's system. In
addition, this flaw could also enable an attacker to invoke an
executable that was already present on the local system.
A related cross-domain vulnerability allows Internet Explorer's
showHelp() functionality to execute without proper security
checking. showHelp() is one of the help methods used to display an
HTML page containing help content. showHelp() allows more types of
pluggable protocols than necessary, and this could potentially
allow an attacker to access user information, invoke executables
already present on a user's local system or load malicious code
onto a user's local system.
The requirements to exploit this vulnerability are the same as for
the issue described above: an attacker would have to host and lure
a user to a malicious web site. In this scenario, the attacker
could open a showHelp window to a known local file on the visiting
user's local system and gain access to information from that file
by sending a specially crafted URL to a second showHelp window. The
attacker could also potentially access user information or run code
of attacker's choice.
This cumulative patch will cause window.showHelp( ) to cease to
function. When the latest HTML Help update - which is being
released via Windows Update with this patch - is installed,
window.showHelp( ) will function again, but with some limitations
(see the caveats section later in this bulletin). This has been
necessary in order to block the attack vector that might allow a
web site operator to invoke an executable that was already present
on a user's local system.
Mitigating Factors:
====================
- - -The attacker would have to host a web site that contained a
web page used to exploit either of these cross-domain
vulnerabilities.
- - -The attacker would have no way to force users to visit the
site. Instead, the attacker would need to lure them there,
typically by getting them to click on a link that would take them
to the attacker's site.
- - -By default, Outlook Express 6.0 and Outlook 2002 open HTML
mail in the Restricted Sites Zone. In addition, Outlook 98 and 2000
open HTML mail in the Restricted Sites Zone if the Outlook Email
Security Update has been installed. Customers who use any of these
products would be at no risk from an e-mail borne attack that
attempted to exploit this vulnerability unless the user clicked a
malicious link in the email.
- - -Internet Explorer 5.01 users are not affected by the first
vulnerability.
Risk Rating:
============
- Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-004.asp
http://www.microsoft.com/security/security_bulletins/ms03-004.asp
for information on obtaining this patch.
Acknowledgment:
===============
- Microsoft thanks Andreas Sandblad, Sweden for reporting the
cross domain vulnerability using showHelp and for working with us
to protect customers.
- - ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPkr/nI0ZSRQxA/UrAQGFGgf/exOegUuF3NqVgKxAPGpDglQe1rryTDfW
fGyh09RaaH+9+6y/91GdC7NU6t7x6rV0ia4Kt+Vhj087/ybcyCJH+pcqXzWcz63n
UtjfMvXTOS+WUdO5FiNMo/9xHMYXo/72GYikXpnQFLBnhCR1DUhmjF2tgMQfoKbi
3Gm1mBpNwm1SiC16oiGaDbXrrlxT0GYDIZaiVQ54kwskddsR/JEMv74nTMUTcDIM
yIIyHMK7FjqMCsSh47wAcmWUYS70dhMnSCzKKwzSPOCzFKIajLIFSDkZJCtmGSt1
qjwpWkBExEyLSRKDBLIK8dFO5poKNMZYoubTpmJaFMA0P+ID5FZlcw==
=g93V
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPk0UlSh9+71yA2DNAQGKKwP+LRd6Pd89xwiZbOqMZNtkMkDhDlCmcMLp
+Sq5BTzp5TxzfrVS5AnT1H4j2JL4XEecuSTF4eJaW2AeqfCD0tPb6/+yadbQK71o
ufbtKg1wuSZ/oV2CwldgZc9sDyR5Jqn1kv9D6Phze5f1ynGDlssvW6niownowrLK
7Q92VkV4tnc=
=hUOU
-----END PGP SIGNATURE-----
|