Alert: Microsoft Security Bulletin - MS02-023

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 05/15/02


Date:         Wed, 15 May 2002 17:11:14 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-023.asp

15 May 2002 Cumulative Patch for Internet Explorer (Q321232)

Originally posted: May 15, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Internet Explorer

Impact of vulnerability: Six new vulnerabilities, the most serious of which could allow code of attacker's choice to run.

Maximum Severity Rating: Critical

Recommendation: Consumers using the affected versions of IE should install the patch immediately.

Affected Software:
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 6.0

Technical description:

This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities:
- A cross-site scripting vulnerability in a Local HTML Resource. IE ships with several files on the local file system that contain HTML to provide functionality. One of these files contains a cross-site scripting vulnerability that could allow a script to execute as if it were run by the user herself, causing it to run in the Local Computer zone. An attacker could craft a web page with a URL that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the web page was viewed and the user clicked on the URL link, the attacker's script, injected into the local resource, would run in the Local Computer zone, with fewer restrictions than it would otherwise have.
- An information disclosure vulnerability related to an HTML object that provides support for Cascading Style Sheets, which could allow an attacker to read, but not add, delete or change, data on the local system. An attacker could craft a web page that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the page was viewed, the element would be invoked. Successfully exploiting this vulnerability, however, requires exact knowledge of the location of the intended file to be read on the user's system. Further, it requires that the intended file contain a single, particular ASCII character.
- An information disclosure vulnerability related to the handling of script within cookies that could allow one site to read the cookies of another. An attacker could build a special cookie containing script and then construct a web page with a hyperlink that would deliver that cookie to the user's system and invoke it. He could then send that web page as mail or post it on a server. When the user clicked the hyperlink and the page invoked the script in the cookie, it could potentially read or alter the cookies of another site. Successfully exploiting this, however, would require that the attacker know the exact name under which the target cookie is stored on the file system.
- A zone spoofing vulnerability that could allow a web page to be incorrectly reckoned to be in the Intranet zone or, in some very rare cases, in the Trusted Sites zone. An attacker could construct a web page that exploits this vulnerability and attempt to entice the user to visit the web page. If the attack were successful, the page would be run with fewer security restrictions than is appropriate.
- Two variants of the "Content Disposition" vulnerability discussed in Microsoft Security Bulletin MS01-058, affecting how IE handles downloads when a downloadable file's Content-Disposition and Content-Type headers are intentionally malformed. In such a case, it is possible for IE to believe that a file is of a type safe for automatic handling, when in fact it is executable content. An attacker could seek to exploit this vulnerability by constructing a specially malformed web page and posting a malformed executable file. He could then post the web page or mail it to the intended target. These two new variants differ from the original vulnerability in that, for a system to be vulnerable, it must have an application present that, when it is erroneously passed the malformed content, chooses to hand it back to the operating system rather than immediately raise an error. A successful attack, therefore, would require that the attacker know that the intended victim has one of these applications present on their system.

Finally, it introduces a behavior change to the Restricted Sites zone. Specifically, it disables frames in the Restricted Sites zone. Since Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update, and Outlook 2002 all read email in the Restricted Sites zone by default, this enhancement means that those products now effectively disable frames in HTML email by default. This new behavior makes it impossible for an HTML email to automatically open a new window or to launch the download of an executable.
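The bulletin describes the "Content Disposition" variants only in outline and does not publish the malformed headers themselves. The following check is an added example, not part of the bulletin or of this NTBugtraq post, of the kind of test a mail gateway or HTTP proxy can apply to a response head: parse Content-Type and Content-Disposition (including folded continuation lines), recover the bare filename, and flag the inconsistency the whole vulnerability class relies on, namely a filename that names executable content sitting under a Content-Type the browser would handle automatically. The extension list, the "auto-handled" type list and the sample responses are constructed assumptions for the example, not values taken from the bulletin.

```python
import posixpath
from typing import Dict, Optional, Tuple

# Extensions Windows treats as executable when the browser hands it a file.
# Constructed, representative list for this example; extend for your environment.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".hta", ".lnk"}

# Content-Types a browser renders or passes to a viewer without a download prompt.
# Constructed list; the bulletin does not publish IE's real "safe" set.
AUTO_HANDLED_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg", "audio/x-wav"}


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x response head into a lowercase-keyed header dict.

    Folded continuation lines (leading SP/HTAB) are joined onto the previous
    header, as RFC 2616 permits, so a filename split across lines is still seen.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in head.split("\r\n")[1:]:            # element 0 is the status line
        if not line:
            continue
        if line[0] in " \t" and last is not None:  # folded continuation
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                                # not a header line; ignore
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def parse_params(value: str) -> Tuple[str, Dict[str, str]]:
    """'attachment; filename="a.exe"' -> ('attachment', {'filename': 'a.exe'})."""
    parts = [p.strip() for p in value.split(";")]
    main = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        key, sep, val = p.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip().strip('"')
    return main, params


def disposition_filename(headers: Dict[str, str]) -> Optional[str]:
    """Bare filename from Content-Disposition, or None if there is none.

    Path components are dropped (a filename must never carry a path) and so are
    trailing dots and spaces, which the Win32 shell silently discards, so that
    'setup.exe.' is judged as 'setup.exe'.
    """
    cd = headers.get("content-disposition")
    if cd is None:
        return None
    _, params = parse_params(cd)
    name = params.get("filename")
    if not name:
        return None
    return posixpath.basename(name.replace("\\", "/")).rstrip(". ")


def extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def classify(raw: str) -> str:
    """OK, EXECUTABLE (honestly labelled), or SUSPICIOUS (executable name under
    a Content-Type the browser would handle automatically)."""
    headers = parse_response_headers(raw)
    ctype, _ = parse_params(headers.get("content-type", ""))
    fname = disposition_filename(headers)
    ext = extension(fname) if fname else ""
    if ext in EXECUTABLE_EXTS and ctype in AUTO_HANDLED_TYPES:
        return "SUSPICIOUS"
    if ext in EXECUTABLE_EXTS:
        return "EXECUTABLE"
    return "OK"


# Constructed sample response heads for the example (not captured traffic).
SAMPLES = {
    "mismatch": ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 "Content-Disposition: attachment;\r\n filename=\"notes.exe.\"\r\n\r\nMZ..."),
    "plain_exe": ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                  "Content-Disposition: attachment; filename=setup.exe\r\n\r\nMZ..."),
    "html": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n<html>",
}


def classify_all() -> Dict[str, str]:
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:10s} {verdict}")
```

The "mismatch" sample is the shape worth alerting on: the header folding and the trailing dot are two small evasions that a naive `endswith(".exe")` on the raw header would miss. An honestly labelled executable (`application/octet-stream` plus `.exe`) is reported as EXECUTABLE rather than SUSPICIOUS, since the browser is expected to prompt for it; a gateway can still choose to block that class outright.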

Mitigating factors:

Cross-Site Scripting in Local HTML Resource:
- A successful attack requires that a user first click on a hyperlink. There is no way to automate an attack using this vulnerability.
- Outlook 98 and 2000 (after installing the Outlook Email Security Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted Sites Zone. As a result, customers using these products would not be at risk from email-borne attacks.
- Customers using Outlook 2002 SP1 who have enabled the "Read as Plain Text" feature would be immune from the HTML email attack. This is because this feature disables all HTML elements, including scripting, from mail when it is displayed.
- Any limitations on the rights of the user's account would also limit the actions of the attacker's script.
- Customers who exercise caution in what web sites they visit or who place unknown or untrusted sites in the Restricted Sites zone can potentially protect themselves from attempts to exploit this issue on the web.

Local Information Disclosure through HTML Object:
- It can only be used to read information. It cannot add, change or delete any information.
- The attacker would need to know the exact name and location on the system of any file they attempted to read.
- Only files that contained a particular, individual ASCII character could be read. If this single character is not present, the attempt to read the file would fail.
- Outlook 98 and 2000 (after installing the Outlook Email Security Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted Sites Zone. As a result, customers using these products would not be at risk from email-borne attacks.
- Customers using Outlook 2002 SP1 who have enabled the "Read as Plain Text" feature would be immune from the HTML email attack. This is because this feature disables all HTML elements, including scripting, from mail when it is displayed.

Script within Cookies Reading Cookies:
- The specific information an attacker could access would depend on what information a site has chosen to store in its cookies. Best practices strongly recommend against storing sensitive information in cookies.
- An attacker would have to entice a user to first click on a hyperlink to initiate an attempt to exploit this vulnerability. There is no way to automate an attack that exploits this vulnerability.
- Mounting a successful attack requires that the attacker know the exact name of the target cookie. This vulnerability provides no means for an attacker to acquire that information.
- Outlook 98 and 2000 (after installing the Outlook Email Security Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted Sites Zone. As a result, customers using these products would not be at risk from email-borne attacks.
- Customers using Outlook 2002 SP1 who have enabled the "Read as Plain Text" feature would be immune from the HTML email attack. This is because this feature disables all HTML elements, including scripting, from mail when it is displayed.

Zone Spoofing through Malformed Web Page:
- A successful attack would require NetBIOS connectivity between the user and the attacker's site. Any filtering of NetBIOS, such as that done by ISPs or at the firewall perimeter, would thwart attempts to exploit this vulnerability.
- Any attempt to render a web site in the Trusted Sites zone would require very specific knowledge of custom configuration made by the user. This aspect of the vulnerability is not exploitable by default, nor does the vulnerability give the means to acquire the necessary information for that attack.

New Variants of the "Content Disposition" Vulnerability:
- Any successful attempt to exploit this vulnerability requires that the attacker know that the intended target have specific versions of specific applications on their system. The vulnerability gives no means for an attacker to know what applications or versions are present on the system.
- Any attempt to exploit the vulnerability requires that the attacker host a malicious executable on a server accessible to the intended victim. If the hosting server is unreachable for any reason, such as DNS blocking or the server being taken down, the attack would fail.

Vulnerability identifiers:

- Cross-Site Scripting in Local HTML Resource: CAN-2002-0189
- Local Information Disclosure through HTML object: CAN-2002-0191
- Script within Cookies Reading Cookies: CAN-2002-0192
- Zone Spoofing through Malformed Web Page: CAN-2002-0190
- "Content Disposition" Variants: CAN-2002-0193, CAN-2002-0188

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor