Alert: Microsoft Security Bulletin - MS03-004

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 02/05/03

  • Next message: Russ: "Alert: Microsoft Security Bulletin - MS03-005"
    Date:         Wed, 5 Feb 2003 14:10:27 -0500
    From: Russ <Russ.Cooper@RC.ON.CA>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    http://www.microsoft.com/technet/security/bulletin/MS03-004.asp

    Cumulative Patch for Internet Explorer (810847)

    Originally posted: February 5, 2003

    Summary

    Who should read this bulletin: Customers using Microsoft® Internet Explorer.

    Impact of vulnerability: Allow an attacker to execute commands on a user's system.

    Maximum Severity Rating: Critical

    Recommendation: Customers should install the patch immediately.

    Affected Software:
    - Microsoft Internet Explorer 5.01
    - Microsoft Internet Explorer 5.5
    - Microsoft Internet Explorer 6.0

    End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms03-004.asp

    Technical description:

    This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5, 6.0. In addition, it eliminates two newly discovered vulnerabilities involving Internet Explorer's cross-domain security model - which keeps windows of different domains from sharing information. These flaws results in Internet Explorer because incomplete security checking causes Internet Explorer to allow one website to potentially access information from another domain when using certain dialog boxes.

    In order to exploit this flaw, an attacker would have to host a malicious web site that contained a web page designed to exploit this particular vulnerability and then persuade a user to visit that site. Once the user has visited the malicious web site, it would be possible for the attacker to run malicious script by misusing a dialog box and cause that script to access information in a different domain. In the worst case, this could enable the web site operator to load malicious code onto a user's system. In addition, this flaw could also enable an attacker to invoke an executable that was already present on the local system.

    A related cross-domain vulnerability allows Internet Explorer's showHelp() functionality to execute without proper security checking. showHelp() is one of the help methods used to display an HTML page containing help content. showHelp() allows more types of pluggable protocols than necessary, and this could potentially allow an attacker to access user information, invoke executables already present on a user's local system or load malicious code onto a user's local system.

    The requirements to exploit this vulnerability are the same as for the issue described above: an attacker would have to host and lure a user to a malicious web site. In this scenario, the attacker could open a showHelp window to a known local file on the visiting user's local system and gain access to information from that file by sending a specially crafted URL to a second showHelp window. The attacker could also potentially access user information or run code of attacker's choice.

    This cumulative patch will cause window.showHelp( ) to cease to function. When the latest HTML Help update - which is being released via Windows Update with this patch - is installed, window.showHelp( ) will function again, but with some limitations (see the caveats section later in this bulletin). This has been necessary in order to block the attack vector that might allow a web site operator to invoke an executable that was already present on a user's local system.

    Mitigating factors:
    - The attacker would have to host a web site that contained a web page used to exploit either of these cross-domain vulnerabilities.
    - The attacker would have no way to force users to visit the site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.
    - By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that attempted to exploit this vulnerability unless the user clicked a malicious link in the email.
    - Internet Explorer 5.01 users are not affected by the first vulnerability.

    Vulnerability identifier:
    - Improper Cross Domain Security Validation with dialog box CAN-2003-1326
    - Improper Cross Domain Security Validation with ShowHelp functionality CAN-2003-1328

    This email is sent to NTBugtraq automatically as a service to my subscribers. Since its programmatically created, and since its been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

    I can only hope that the information it does contain can be read well enough to serve its purpose.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure Corporation
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    TICSA - Anniversary Special - Limited Time

    Become TICSA certified for just $221.25 US when you register before 3/31/03
    with PROMO "TS0103" at www.2test.com. NO membership fees, certification
    good for 2 years. Price for international delivery just $296.25 US, with
    this offer. Offer cannot be combined with any other special and expires
    3/31/03. Visit www.trusecure.com/ticsa for full details.

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo



    Relevant Pages

    • Re: Microsoft Security Bulletin MS03-040 - 828750
      ... cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have ... Cumulative Patch for Internet Explorer ... A vulnerability that occurs because Internet Explorer does not ... It could be possible for an attacker who exploited this ...
      (microsoft.public.security)
    • Re: Microsoft Security Bulletin MS03-040 - 828750
      ... cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have ... Cumulative Patch for Internet Explorer ... A vulnerability that occurs because Internet Explorer does not ... It could be possible for an attacker who exploited this ...
      (microsoft.public.security.virus)
    • Re: Microsoft Security Bulletin MS03-040 - 828750
      ... cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have ... Cumulative Patch for Internet Explorer ... A vulnerability that occurs because Internet Explorer does not ... It could be possible for an attacker who exploited this ...
      (microsoft.public.win2000.security)
    • [NT] Cumulative Security Update for Internet Explorer (MS06-021)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... Improper memory and user input handling with Internet Explorer allows ... A remote code execution vulnerability exists in the way Internet Explorer ...
      (Securiteam)
    • [NT] Cumulative Security Update for Internet Explorer (MS06-013)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... Microsoft Internet Explorer allow attackers to execute arbitrary code, ... A remote code execution vulnerability exists in the way Internet Explorer ...
      (Securiteam)