Alert: Microsoft Security Bulletin - MS03-040

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 10/04/03

  • Next message: Jeff Tucker: "Re: Half-Life 2 source code stolen through IE exploit"
    Date:         Fri, 3 Oct 2003 22:01:27 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    http://www.microsoft.com/technet/security/bulletin/MS03-040.asp

    Cumulative Patch for Internet Explorer (828750)

    Originally posted: October 3, 2003

    Summary

    Who should read this bulletin: Users running Microsoft Internet Explorer.

    Impact of vulnerability: Run code of attacker's choice.

    Maximum Severity Rating: Critical

    Recommendation: Customers should apply the patch immediately.

    End User Bulletin:
    An end user version of this bulletin is available at:

    http://www.microsoft.com/security/security_bulletins/ms03-040.asp

    Protect your PC:
    Additional information on how you can help protect your PC is available at the following locations:
    - End Users can visit http://www.microsoft.com/protect
    - IT Professionals can visit http://www.microsoft.com/technet/protect

    Affected Software:
    - Internet Explorer 5.01
    - Internet Explorer 5.5
    - Internet Explorer 6.0
    - Internet Explorer 6.0 for Windows Server 2003

    Technical description:

    This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following newly discovered vulnerabilities:

     
    - A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server in a popup window. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it could be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML-based e-mail that would attempt to exploit this vulnerability.
    - A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server during XML data binding. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it could be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML-based e-mail that would attempt to exploit this vulnerability.

    In addition, a change has been made to the method by which Internet Explorer handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer Restricted Zone. It could be possible for an attacker exploiting a separate vulnerability (such as one of the two vulnerabilities discussed above) to cause Internet Explorer to run script code in the security context of the Internet Zone. In addition, an attacker could use Windows Media Player's (WMP) ability to open URLs to construct an attack. An attacker could also craft an HTML-based e-mail that could attempt to exploit this behavior.

    To exploit these flaws, the attacker would have to create a specially formed HTML-based e-mail and send it to the user. Alternatively an attacker would have to host a malicious Web site that contained a Web page designed to exploit these vulnerabilities.

    As with the previous Internet Explorer cumulative patches released with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after applying this patch.

    In addition to applying this security patch it is recommended that users also install the Windows Media Player update referenced in Knowledge Base Article 828026. This update is available from Windows Update as well as the Microsoft Download Center for all supported versions of Windows Media Player. While not a security patch, this update contains a change to the behavior of Windows Media Player's ability to launch URLs to help protect against DHTML behavior based attacks. Specifically, it restricts Windows Media Player's ability to launch URLs in the local computer zone from other zones.

    Mitigating factors:
    - By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent this vulnerability from being automatically exploited would be removed.
    - In the Web-based attack scenario, the attacker would have to host a Web site that contained a Web page used to exploit this vulnerability.
    - Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have user level privileges on the system would be at less risk than ones who operate with administrative privileges.

    Vulnerability identifier:
    - Object Tag vulnerability in Popup Window: CAN-2003-0838
    - Object Tag vulnerability with XML data binding: CAN-2003-0809

    This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    -----
    Most viruses these days use spoofed email addresses. As such, using an Anti-
    Virus product which automatically notifies the perceived sender of a message
    it believes is infected may well cause more harm than good. Someone who did
    not actually send you a virus may receive the notification and scramble
    their support staff to find an infection which never existed in the first
    place. Suggest such notifications be disabled by whomever is responsible for
    your AV, or at least that the idea is considered.
    -----


  • Next message: Jeff Tucker: "Re: Half-Life 2 source code stolen through IE exploit"

    Relevant Pages

    • [NT] Cumulative Security Update for Internet Explorer (MS06-021)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... Improper memory and user input handling with Internet Explorer allows ... A remote code execution vulnerability exists in the way Internet Explorer ...
      (Securiteam)
    • [NT] Cumulative Security Update for Internet Explorer (MS06-013)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... Microsoft Internet Explorer allow attackers to execute arbitrary code, ... A remote code execution vulnerability exists in the way Internet Explorer ...
      (Securiteam)
    • [NT] Cumulative Security Update for Internet Explorer (MS05-038)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... A buffer overflow vulnerability within Internet Explorer allows attackers ...
      (Securiteam)
    • [NT] Cumulative Security Update For Internet Explorer (MS04-004)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... previously-released updates for Internet Explorer 5.01, ... vulnerability could result in the execution of a script in the Local ...
      (Securiteam)
    • [NT] Internet Explorer Bundled Flash Player Code Execution (MS06-020)
      ... Internet Explorer Bundled Flash Player Code Execution ... Microsoft Internet Explorer 6 by default. ... A remote code execution vulnerability exists in Macromedia Flash Player ... Applications and Web sites that require the Flash ...
      (Securiteam)