[NT] November 2001 Cumulative Patch for IE
From: support@securiteam.com
Date: 11/18/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] November 2001 Cumulative Patch for IE
Message-Id: <20011118175949.F043A138BF@mail.der-keiler.de>
Date: Sun, 18 Nov 2001 18:59:49 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
November 2001 Cumulative Patch for IE
------------------------------------------------------------------------
SUMMARY
On November 08, 2001, Microsoft released the original version of this
bulletin. In it, Microsoft detailed a work-around procedure that customers
could implement to protect themselves against a publicly disclosed
vulnerability. On November 13, 2001, Microsoft released a patch that, when
applied, eliminates all known vulnerabilities affecting IE 5.5 and IE 6.
Microsoft therefore expanded the scope of the bulletin to discuss all of
the vulnerabilities the patch addresses. Customers who disabled Active
Scripting per the original version of this bulletin can re-enable it after
installing this patch.
In addition to eliminating all previously discussed vulnerabilities
affecting IE 5.5 Service Pack 2 and IE 6, the patch also eliminates three
newly discovered ones:
* The first two involve how IE handles cookies across domains. Although
the underlying flaws are completely unrelated, the scope is exactly the
same - in each case, a malicious user could potentially construct a URL
that would allow them to gain unauthorized access to a user's cookies and
potentially modify the values contained in them. Because some web sites
store sensitive information in a user's cookies, this could allow personal
information to be compromised. Both vulnerabilities could be exploited
either by hosting specially crafted URLs on a web page or by sending them
to the victim in an HTML email.
* The third vulnerability is a new variant of a vulnerability discussed
in Microsoft Security Bulletin MS01-051 affecting how IE handles URLs that
include dotless IP addresses. If a web site were specified using a dotless
IP format (e.g., http://031713501415 rather than http://207.46.131.13),
and the request were malformed in a particular way, IE would not recognize
that the site was an Internet site. Instead, it would treat the site as an
intranet site, and open pages on the site in the Intranet Zone rather than
the correct zone. This would allow the site to run with fewer security
restrictions than appropriate. This vulnerability does not affect IE 6.
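
As an added illustration (not part of the Microsoft bulletin or of this advisory), the Python below shows how a URL filter or log review script can recognise single-number hosts like the one quoted above and report the dotted address they denote. The function names and sample URLs are constructed for this example, and it goes beyond the octal form in the text to cover decimal and hexadecimal notation as well.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Single-number ("dotless") IPv4 notations: hex, octal (leading 0), decimal.
FORMS = (
    (re.compile(r"0x[0-9a-f]{1,8}\Z"), 16),
    (re.compile(r"0[0-7]+\Z"), 8),
    (re.compile(r"(?:0|[1-9][0-9]*)\Z"), 10),
)

def dotless_to_ipv4(host):
    """Return the IPv4Address a single-number host denotes, else None."""
    host = host.lower()
    for pattern, base in FORMS:
        if pattern.match(host):
            value = int(host, base)
            return ipaddress.IPv4Address(value) if value <= 0xFFFFFFFF else None
    return None

def check_url(url):
    """Describe a URL whose host is a dotless IP; None for ordinary hosts."""
    host = urlsplit(url).hostname or ""
    addr = dotless_to_ipv4(host)
    if addr is None:
        return None
    # A host with no dots looks like a local name, but the address it
    # denotes may be on the Internet; that mismatch is worth reviewing.
    return {"url": url, "dotted": str(addr), "internet_address": addr.is_global}

# Constructed sample input: the first URL is the form quoted in the advisory.
SAMPLE_URLS = [
    "http://031713501415/",
    "http://3475931917/index.html",
    "http://0xCF2E830D/",
    "http://167772161/",      # 10.0.0.1, a private address
    "http://intranet/home",   # ordinary single-label host name
    "http://207.46.131.13/",  # ordinary dotted form
]

def review(urls):
    """Return findings for dotless hosts that denote Internet addresses."""
    findings = [check_url(u) for u in urls]
    return [f for f in findings if f and f["internet_address"]]

if __name__ == "__main__":
    for finding in review(SAMPLE_URLS):
        print(finding["url"], "->", finding["dotted"])
```
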
DETAILS
Affected Software:
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
Mitigating factors:
Cookie handling vulnerabilities:
* To exploit either vulnerability, the attacker would need to entice the
user into visiting a particular web site or opening an HTML e-mail
containing the malformed URL.
* The Outlook Email Security Update (which is included as part of Outlook
2002 in Office XP) would protect the user against the mail-borne attack
scenario.
* Users who have set Outlook Express to use the "Restricted Sites" Zone
are not affected by the mail-borne attack scenario, because the
"Restricted Sites" zone sets Active Scripting to disabled. Note that this
is the default setting for Outlook Express 6.0. Users of Outlook Express
6.0 should verify that Active Scripting is still disabled in the
Restricted Sites Zone.
Zone spoofing vulnerability:
* The default settings in the Intranet Zone differ in only a few ways
from those of the Internet Zone. The differences are enumerated in the FAQ
in MS01-051, but none would allow destructive action to be taken.
Patch availability:
Download locations for this patch
* Microsoft Internet Explorer 5.5 and 6.0:
http://www.microsoft.com/windows/ie/downloads/critical/q312461/default.asp
ADDITIONAL INFORMATION
The information has been provided by <mailto:secnotif@MICROSOFT.COM>
Microsoft Product Security.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.