Alert: Microsoft Security Bulletin - MS02-068

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 12/04/02

  • Next message: Russ: "Alert: Microsoft Security Bulletin - MS02-067"
    Date:         Wed, 4 Dec 2002 16:40:31 -0500
    From: Russ <Russ.Cooper@RC.ON.CA>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    http://www.microsoft.com/technet/security/bulletin/MS02-068.asp

    Cumulative Patch for Internet Explorer (Q324929)

    Originally posted: December 04, 2002

    Summary

    Who should read this bulletin: Customers using Microsoft® Internet Explorer

    Impact of vulnerability: Information Disclosure

    Maximum Severity Rating: Moderate

    Recommendation: Customers should consider deploying the patch.

    Affected Software:
    - Microsoft Internet Explorer 5.5
    - Microsoft Internet Explorer 6.0 End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms02-068.asp

    Technical description:

    This is a cumulative patch for Internet Explorer 5.5 and 6.0. In addition to including the functionality of all previously released patches for Internet Explorer 5.5 and 6.0, it also eliminates a newly discovered flaw in Internet Explorer's cross-domain security model. This flaw occurs because the security checks that Internet Explorer carries out when particular object caching techniques are used in web pages are incomplete. This could have the effect of allowing a website in one domain to access information in another, including the user's local system.

    Exploiting the vulnerability could enable an attacker to read, but not change, any file on the user's local computer. In addition, the attacker could invoke an executable that was already present on the local system. The attacker would need to know the exact location of the executable, and would not be able to pass parameters to it. Microsoft is not aware of any executable that ships by default as part of Windows and, when run without parameters, could be dangerous.

    An attacker could exploit the vulnerability by constructing a web page that uses a cached programming technique, and could then either host it on a web site or send it to a user via email. In the case of the web-based attack vector the page could be automatically opened when a user visited the site In the case of the HTML mail-based attack vector, the page could be opened when the recipient opened the mail or viewed it using the Preview pane.

    Mitigating factors:
    - Internet Explorer 5.01 is not affected by this vulnerability.
    - The web-based attack scenario would provide no way for the attacker to force users to visit the site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.
    - The HTML mail-based attack scenario would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update.
    - The vulnerability would allow an attacker to read but not add, delete or modify files on the user's local system.
    - The attacker would need to know the name and location of any file on the system to successfully invoke it. If invoked, there would be no way for an attacker to pass parameters to that executable.
    - This vulnerability does not provide any way for an attacker to put a program of their choice onto another user's system.

    Vulnerability identifier: CAN-2002-1262

    This email is sent to NTBugtraq automatically as a service to my subscribers. Since its programmatically created, and since its been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

    I can only hope that the information it does contain can be read well enough to serve its purpose.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure Corporation
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Demonstrate your knowledge and understanding of core IT Security, become
    TICSA certified.

    Are you responsible for IT security in job function, but not necessarily
    in title? Do you want to prove your IT security knowledge and increase
    opportunities? Interested? Visit;

    http://www.trusecure.com/solutions/certifications/ticsa/

    for more information.
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo



    Relevant Pages

    • Re: Microsoft Security Bulletin MS03-040 - 828750
      ... cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have ... Cumulative Patch for Internet Explorer ... A vulnerability that occurs because Internet Explorer does not ... It could be possible for an attacker who exploited this ...
      (microsoft.public.security)
    • Re: Microsoft Security Bulletin MS03-040 - 828750
      ... cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have ... Cumulative Patch for Internet Explorer ... A vulnerability that occurs because Internet Explorer does not ... It could be possible for an attacker who exploited this ...
      (microsoft.public.security.virus)
    • Re: Microsoft Security Bulletin MS03-040 - 828750
      ... cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have ... Cumulative Patch for Internet Explorer ... A vulnerability that occurs because Internet Explorer does not ... It could be possible for an attacker who exploited this ...
      (microsoft.public.win2000.security)
    • [NT] Cumulative Patch for Internet Explorer (MS03-040)
      ... Get your security news from a reliable source. ... all previously released patches for Internet Explorer 5.01, ... * A vulnerability that occurs because Internet Explorer does not properly ... could be possible for an attacker who exploited this vulnerability to run ...
      (Securiteam)
    • Re: Bulletin: MS03-040 Cumulative Patch for Internet Explorer (828750)
      ... Cumulative Patch for Internet Explorer ... It could be possible for an attacker who exploited this ... > vulnerability to run arbitrary code on a user's system. ...
      (microsoft.public.security.virus)