Date: 05 June 2003
References: ESB-2003.0315
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2003.09 -- AUSCERT ALERT
Cumulative Patch for Internet Explorer (818529)
Microsoft Security Bulletin MS03-020
05 June 2003
===========================================================================
AusCERT Alert Summary
---------------------
Product: Internet Explorer 6.0
Internet Explorer 5.5
Internet Explorer 5.01
Publisher: Microsoft
Operating System: Windows Server 2003
Windows XP
Windows 2000
Windows NT
Windows ME
Windows 98 SE
Impact: Execute Arbitrary Code/Commands
Access Required: Remote
CVE Names: CAN-2003-0309, CAN-2003-0344
Ref: ESB-2003.0315
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - - ------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (818529)
Date: 04 June 2003
Software: Microsoft(r) Microsoft Internet Explorer(r) 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 6.0 for Windows Server 2003
Impact: Allow an attacker to execute code of their choice
Max Risk: Critical
Bulletin: MS03-020
Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-020.asp
http://www.microsoft.com/security/security_bulletins/ms03-020.asp
- - - ------------------------------------------------------------------
Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
In addition, it eliminates two newly discovered vulnerabilities:
- A buffer overrun vulnerability that occurs because Internet
Explorer does not properly determine an object type returned from a
web server. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user
visited an attacker's website, it would be possible for the attacker
to exploit this vulnerability without any other user action. An
attacker could also craft an HTML email that attempted to exploit
this vulnerability.
- A flaw that results because Internet Explorer does not implement
an appropriate block on a file download dialog box. It could be
possible for an attacker to exploit this vulnerability to run
arbitrary code on a user's system. If a user simply visited an
attacker's website, it would be possible for the attacker to exploit
this vulnerability without any other user action. An attacker could
also craft an HTML email that attempted to exploit this
vulnerability.
In order to exploit these flaws, the attacker would have to create a
specially formed HTML email and send it to the user. Alternatively
an attacker would have to host a malicious web site that contained a
web page designed to exploit these vulnerabilities. The attacker
would then have to persuade a user to visit that site.
As with the previous Internet Explorer cumulative patches released
with bulletins MS03-004 and MS03-015, this cumulative patch will
cause window.showHelp( ) to cease to function if you have not
applied the HTML Help update. If you have installed the updated HTML
Help control from Knowledge Base article 811630, you will still be
able to use HTML Help functionality after applying this patch.
Mitigating factors:
====================
The following mitigating factors apply to both vulnerabilities
discussed in this bulletin:
- By default, Internet Explorer on Windows Server 2003 runs in
Enhanced Security Configuration. This default configuration of
Internet Explorer blocks these attacks. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections
put in place that prevent these vulnerabilities from being exploited
would be removed.
- In the Web based attack scenario, the attacker would have to host
a web site that contained a web page used to exploit these
vulnerabilities. An attacker would have no way to force users to
visit a malicious web site outside of the HTML email vector.
Instead, the attacker would need to lure them there, typically by
getting them to click on a link that would take them to the
attacker's site.
- Code that executed on the system would only run under the
privileges of the logged in user.
Risk Rating:
============
Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-020.asp
http://www.microsoft.com/security/security_bulletins/ms03-020.asp
for information on obtaining this patch.
Acknowledgment:
===============
- eEye Digital Security (http://www.eeye.com/)
- - - ------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPt4h7I0ZSRQxA/UrAQGN8Qf+Pw+jcDSFRSRkTKrDpDukp1UDXx/zH0gZ
KwqcKa+cxjmkU6oo9ZiUTB+aTy4px/LWJPstri0CICgD8poVLeqGLRwLpUzpwWOP
EBRuN1Y5IgDV2J6HmvLBNg8E1CpwMii2LIdo07w6xkGtBPOcxhn9S884jlBw1CQE
mNQjTCiGBZWunsUVCeQiaJnV+7fH5BHRFPu3qi3PvQxNCgXvziCBgyTxf33u7U1K
XFW7bZKDcKYhKJ385qmvbs2yV+rDv5s4b3SlemIxnH6VdoUUKhRuWoMcia9dqFLh
5sovuW2MjxprNUrzA0A8Tm1GCnAHQM/M2c35ML18wGh15SJr2c5Y8A==
=DxHQ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This alert is provided as a service to AusCERT's members. As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the alert. It may not be
updated when updates to the original are made. If downloading at a later
date, it is recommended that the alert is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the alert above. If you have any questions or need further information,
please contact them directly.
Previous advisories, alerts and external security bulletins can be
retrieved from:
http://www.auscert.org.au/render.html?cid=1977
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPt8h1yh9+71yA2DNAQHw0AP/QsvjqKOfRz2pWFIXMsO7oXQuQAcKo8r4
WUCGZnbNHVQX8D86RwGjNoVxjCDiQHSNUaUpkyoRNEpLielEx8PJE9LFUFyV4DzU
N1dLwMFzm2PZzR5RldoyuLhPLezu7YgvWpH4wfLokIonW1hiUKZisHMKMUv/9WxV
olL4+Y1pFm0=
=WH+E
-----END PGP SIGNATURE-----
|