[NT] 15 May 2002 Cumulative Patch for Internet Explorer
From: support@securiteam.com To: list@securiteam.com Date: Sat, 18 May 2002 22:30:25 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
15 May 2002 Cumulative Patch for Internet Explorer
------------------------------------------------------------------------
SUMMARY
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and 6.0. In addition, it
eliminates the following six newly discovered vulnerabilities:
* A cross-site scripting vulnerability in a Local HTML Resource. IE ships
with several files that contain HTML on the local file system to provide
functionality. One of these files contains a cross-site scripting
vulnerability that could allow a script to execute as if it were run by
the user herself, causing it to run in the local computer zone. An
attacker could construct a web page that exploits this vulnerability and
then either host that page on a web server or send it as HTML email. When
the web page was viewed and the attacker's script run, the attacker's
script would be injected into the local resource, where it would run in
the Local Computer zone, allowing it to run with fewer restrictions than
it would in the Internet Zone.
* An information disclosure vulnerability related to the use of an HTML
object that provides support for Cascading Style Sheets, which could allow
an attacker to read, but not add, delete or change, data on the local
system. An attacker could construct a web page that exploits this
vulnerability and then either host that page on a web server or send it as
HTML email. When the page was viewed, the element would be invoked.
Successfully exploiting this vulnerability, however, requires exact
knowledge of the location of the intended file to be read on the user's
system. Further, it requires that the intended file contain a single,
particular ASCII character.
* An information disclosure vulnerability related to the handling of
script within cookies that could allow one site to read the cookies of
another. An attacker could build a special cookie containing script and
then construct a web page that would deliver that cookie to the user's
system and invoke it. He could then send that web page as mail or post it
on a server. When the page executed and invoked the script in the cookie,
it could potentially read or alter the cookies of another site.
Successfully exploiting this, however, would require that the attacker
know the exact name of the cookie as stored on the file system to be read
successfully.
* A zone spoofing vulnerability that could allow a web page to be
incorrectly reckoned to be in the Intranet zone or, in some very rare
cases, in the Trusted Sites zone. An attacker could construct a web page
that exploits this vulnerability and attempt to entice the user to visit
the web page. If the attack were successful, the page would be run with
fewer security restrictions than is appropriate.
* Two variants of the "Content Disposition" vulnerability discussed in
Microsoft Security Bulletin MS01-058 affecting how IE handles downloads
when a downloadable file's Content-Disposition and Content-Type headers
are intentionally malformed. In such a case, it is possible for IE to
believe that a file is a type safe for automatic handling, when in fact it
is executable content. An attacker could seek to exploit this
vulnerability by constructing an especially malformed web page and posting
a malformed executable file. He could then post the web page or mail it to
the intended target. These two new variants differ from the original
vulnerability in that, for a system to be vulnerable, it must have an
application present that, when it is erroneously passed the
malformed content, chooses to hand it back to the operating system rather
than immediately raise an error. A successful attack, therefore, would
require that the attacker know that the intended victim has one of these
applications present on their system.
Finally, it introduces a behavior change to the Restricted Sites zone.
Specifically, it disables frames in the Restricted Sites zone. Since
Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email
Security Update, and Outlook 2002 all read email in the Restricted Sites
zone by default, this enhancement means that those products now
effectively disable frames in HTML email by default. This new behavior
makes it impossible for an HTML email to automatically open a new window
or to launch the download of an executable.
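The Restricted Sites behaviour described above can be reproduced at a mail gateway, so that HTML mail reaches older or unpatched clients with frames and active content already removed. The following is an added example, not code from the bulletin or from Microsoft: a small html.parser-based filter that drops frame, script and object elements, inline event handlers and javascript: URLs, and reports what it removed. The element list and the sample message are choices made for this example.

```python
"""Strip frames and active content from HTML mail before it is rendered.

Added example (not Microsoft's code): emulates, at a mail gateway, the
effect of reading mail in the Restricted Sites zone after this patch --
frames, scripts and embedded objects are removed, so a message cannot open
a window or start a download on its own.
"""
from html.parser import HTMLParser

# Elements removed outright. Frames are the new addition in this bulletin;
# scripting and embedded objects were already blocked by the zone. The set
# is chosen for this example, not copied from the bulletin.
BLOCKED_CONTAINERS = {"script", "iframe", "frame", "frameset",
                      "object", "embed", "applet"}


class RestrictedHTML(HTMLParser):
    """Re-emits HTML minus blocked elements and script-bearing attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []        # output fragments
        self.depth = 0       # > 0 while inside a blocked element
        self.dropped = []    # what was removed, for gateway logging

    def _render(self, tag, attrs, self_closing=False):
        kept = []
        for name, value in attrs:
            # Inline event handlers (onload, onclick, ...) are script.
            if name.lower().startswith("on"):
                self.dropped.append(f"{tag}@{name}")
                continue
            # javascript: URLs in href/src are script as well.
            if value and value.strip().lower().startswith("javascript:"):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{value}"' if value is not None else f" {name}")
        return f"<{tag}{''.join(kept)}{'/' if self_closing else ''}>"

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_CONTAINERS:
            self.dropped.append(tag)
            self.depth += 1          # swallow everything until its end tag
            return
        if self.depth:
            return
        self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED_CONTAINERS:
            self.dropped.append(tag)
            return
        if self.depth:
            return
        self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag in BLOCKED_CONTAINERS:
            if self.depth:
                self.depth -= 1
            return
        if not self.depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass   # comments (including conditional ones) are not re-emitted

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def restrict_html(html):
    """Return (filtered_html, list_of_dropped_items)."""
    p = RestrictedHTML()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample message for this example (example.invalid is reserved).
SAMPLE_MAIL = """<html><body>
<p>Your statement is attached.</p>
<iframe src="http://mail.example.invalid/dl.exe" style="display:none"></iframe>
<script>window.open("http://mail.example.invalid/popup");</script>
<a href="javascript:alert(1)" onclick="go()">click</a>
<img src="cid:logo">
</body></html>"""

if __name__ == "__main__":
    clean, dropped = restrict_html(SAMPLE_MAIL)
    print(clean)
    print("dropped:", dropped)
```

On the constructed message the filter leaves the paragraph, the link text and the inline image, and reports the iframe, the script block and the two script-bearing attributes of the anchor as dropped.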
DETAILS
Affected Software:
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
Mitigating factors:
Cross-Site Scripting in Local HTML Resource:
* Outlook 98 and 2000 (after installing the Outlook Email Security
Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the
Restricted Sites Zone. As a result, customers using these products would
not be at risk from automated email-borne attacks. However, these
customers can still be attacked if they choose to click on a hyperlink in
a malicious HTML email.
* Customers using Outlook 2002 SP1 who have enabled the "Read as Plain
Text" feature would be immune from the HTML email attack. This is because
this feature disables all HTML elements, including scripting, from mail
when it is displayed.
* Any limitations on the rights of the user's account would also limit
the actions of the attacker's script.
* Customers who exercise caution in what web sites they visit or who
place unknown or untrusted sites in the Restricted Sites zone can
potentially protect themselves from attempts to exploit this issue on the
web.
Local Information Disclosure through HTML Object:
* It can only be used to read information. It cannot add, change, or
delete any information.
* The attacker would need to know the exact name and location on the
system of any file they attempted to read.
* Only files that contained a particular, individual ASCII character
could be read. If this single character were not present, the attempt to
read the file would fail.
* Outlook 98 and 2000 (after installing the Outlook Email Security
Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the
Restricted Sites Zone. As a result, customers using these products would
not be at risk from automated email-borne attacks. However, these
customers can still be attacked if they choose to click on a hyperlink in
a malicious HTML email.
* Customers using Outlook 2002 SP1 who have enabled the "Read as Plain
Text" feature would be immune from the HTML email attack. This is because
this feature disables all HTML elements, including scripting, from mail
when it is displayed.
Script within Cookies Reading Cookies:
* The specific information an attacker could access would depend on what
information a site has chosen to store in its cookies. Best practices
strongly recommend against storing sensitive information in cookies.
* Mounting a successful attack requires that the attacker know the exact
name and location of the target cookie. This vulnerability provides no
means for an attacker to acquire that information.
* Outlook 98 and 2000 (after installing the Outlook Email Security
Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the
Restricted Sites Zone. As a result, customers using these products would
not be at risk from automated email-borne attacks. However, these
customers can still be attacked if they choose to click on a hyperlink in
a malicious HTML email.
* Customers using Outlook 2002 SP1 who have enabled the "Read as Plain
Text" feature would be immune from the HTML email attack. This is because
this feature disables all HTML elements, including scripting, from mail
when it is displayed.
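The first mitigating factor above says what the defender controls: whatever a cookie holds is what an attacker who can read cookies obtains. The following added example (not from the bulletin or from Microsoft) is a lint for outgoing Set-Cookie headers that flags values carrying markup or script, names that suggest a stored credential, and values that look like personal or payment data, alongside a helper that issues the opaque session identifier a site should be storing instead. The regular expressions and finding codes are choices made for this example.

```python
"""Audit Set-Cookie headers for script content and sensitive data.

Added example, not from the bulletin: the defensive counterpart of the
"script within cookies" issue is to keep cookies opaque. Run this over the
Set-Cookie values a web tier emits (for instance in its test suite).
"""
import re
import secrets
from urllib.parse import unquote

# Cookie names that suggest a credential or personal data is stored directly.
SENSITIVE_NAME = re.compile(r"(pass|pwd|ssn|card|cvv|secret)", re.I)
# Values that look like an e-mail address or a payment-card number.
EMAIL_LIKE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
CARD_LIKE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Markup or script URLs have no business in a cookie value.
MARKUP = re.compile(r"<|>|javascript:|vbscript:", re.I)


def parse_set_cookie(header):
    """Return (name, decoded_value) for one Set-Cookie header value.

    Attributes after the first ';' (Path, Domain, Secure, ...) are ignored;
    the value is URL-decoded so encoded markup is not missed."""
    first = header.split(";", 1)[0]
    name, _, value = first.partition("=")
    return name.strip(), unquote(value.strip().strip('"'))


def audit_set_cookie(header):
    """Return a list of finding codes for one header (empty list = clean)."""
    name, value = parse_set_cookie(header)
    findings = []
    if MARKUP.search(value):
        findings.append("markup-in-value")
    if SENSITIVE_NAME.search(name):
        findings.append("sensitive-name")
    if EMAIL_LIKE.search(value) or CARD_LIKE.search(value):
        findings.append("sensitive-value")
    return findings


def issue_session_cookie(name="sid"):
    """Build a Set-Cookie value that carries only an opaque random token.

    The real session state stays server-side, keyed by this token, so a
    leaked cookie reveals nothing about the user."""
    token = secrets.token_urlsafe(32)
    return f"{name}={token}; Path=/; Secure"


if __name__ == "__main__":
    # Constructed headers for this example.
    for hdr in ("prefs=%3Cscript%3Ealert(1)%3C%2Fscript%3E; Path=/",
                "password=hunter2; Path=/",
                "user=alice@example.invalid; Path=/",
                issue_session_cookie()):
        print(hdr.split(";")[0][:40].ljust(40), audit_set_cookie(hdr))
```

The lint is deliberately strict on the value side: a site that only ever sets an opaque identifier passes with no findings, while any cookie that embeds data of its own is surfaced for review.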
Zone Spoofing through Malformed Web Page:
* A successful attack would require NetBIOS connectivity between the user
and the attacker's site. Any filtering of NetBIOS, such as that done by
ISPs or at the firewall perimeter, would thwart attempts to exploit this
vulnerability.
* Any attempt to render a web site in the Trusted Sites zone would
require very specific knowledge of custom configuration made by the user.
This aspect of the vulnerability is not exploitable by default, nor does
the vulnerability give the means to acquire the necessary information for
that attack.
New Variants of the "Content Disposition" Vulnerability:
* Any successful attempt to exploit this vulnerability requires that the
attacker know that the intended target has specific versions of specific
applications on their system. The vulnerability gives no means for an
attacker to know what applications or versions are present on the system.
* Any attempt to exploit the vulnerability requires that the attacker
host a malicious executable on a server accessible to the intended victim.
If the hosting server were unreachable for any reason, such as DNS
blocking or the server being taken down, the attack would fail.
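The Content Disposition variants described in the SUMMARY and the mitigating factors above both turn on one thing: the declared type of a download and its real nature disagree. A download gateway or proxy can refuse to rely on either header alone. The following is an added example, not code from the bulletin or from Microsoft: it compares the Content-Type, the extension of the Content-Disposition filename and the first bytes of the body, and blocks the transfer when a file that is executable by extension or by magic number is declared as a text, image, audio or video type. The extension list, type prefixes and verdict names are choices made for this example.

```python
"""Cross-check download headers against the body before handing a file on.

Added example (not Microsoft's code). A declared "safe" type combined with
an executable extension or an MZ header is exactly the mismatch the
Content Disposition variants rely on, so it is treated as a block.
"""
import os
from email.message import Message

# Extensions treated as executable for this example.
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
            ".vbs", ".js", ".hta", ".dll"}
# Media-type prefixes a client would handle automatically as harmless.
SAFE_TYPES = ("text/", "image/", "audio/", "video/")


def declared_type_and_name(headers):
    """Return (content_type, filename_or_None) parsed from response headers.

    email.message.Message tolerates quoting and parameter oddities in both
    headers; a missing Content-Type defaults to text/plain, which is also
    how a lenient client would treat it."""
    lower = {k.lower(): v for k, v in headers.items()}
    m = Message()
    if "content-type" in lower:
        m["Content-Type"] = lower["content-type"]
    if "content-disposition" in lower:
        m["Content-Disposition"] = lower["content-disposition"]
    return m.get_content_type(), m.get_filename()


def classify_download(headers, body_prefix):
    """Return (verdict, signals) where verdict is allow, prompt or block."""
    ctype, fname = declared_type_and_name(headers)
    ext = os.path.splitext(fname.strip().lower())[1] if fname else ""

    signals = []
    actual_exec = body_prefix.startswith(b"MZ")   # PE/DOS executable magic
    if actual_exec:
        signals.append("mz-header")
    ext_exec = ext in EXEC_EXT
    if ext_exec:
        signals.append("exec-extension")

    declared_safe = ctype.startswith(SAFE_TYPES)
    if declared_safe and (actual_exec or ext_exec):
        # Executable content dressed up as a type the client auto-handles.
        return "block", signals + ["type-mismatch"]
    if actual_exec or ext_exec:
        # Consistently labelled executable: leave the decision to the user.
        return "prompt", signals
    return "allow", signals


if __name__ == "__main__":
    # Constructed responses for this example.
    cases = [
        ({"Content-Type": "text/plain",
          "Content-Disposition": 'attachment; filename="notes.txt"'}, b"Hello"),
        ({"Content-Type": "image/gif",
          "Content-Disposition": 'inline; filename="pic.gif"'}, b"MZ\x90\x00"),
        ({"Content-Type": "text/html",
          "Content-Disposition": 'attachment; filename="update.exe"'}, b"MZ\x90\x00"),
        ({"Content-Type": "application/octet-stream",
          "Content-Disposition": 'attachment; filename="setup.exe"'}, b"MZ\x90\x00"),
    ]
    for hdrs, body in cases:
        print(hdrs["Content-Disposition"].ljust(40), classify_download(hdrs, body))
```

The check inspects only the first bytes of the body, so it can run on a streaming proxy before the file is released to the client; an honest executable download still reaches the user, but only through the normal prompt rather than through automatic handling.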
Patch availability:
Download locations for this patch:
http://www.microsoft.com/windows/ie/downloads/critical/Q321232/default.asp
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security.