[NT] Cumulative Patch for Internet Explorer
From: support@securiteam.com
Date: 04/24/03
From: support@securiteam.com To: list@securiteam.com Date: 24 Apr 2003 19:54:10 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cumulative Patch for Internet Explorer
------------------------------------------------------------------------
SUMMARY
Microsoft has released a cumulative patch for Internet Explorer that fixes
several newly discovered vulnerabilities.
These vulnerabilities allow a remote attacker to read a user's local files
and execute arbitrary code.
DETAILS
Vulnerable systems:
  Internet Explorer 5.01 (Service Pack 3 required to install update)
  Internet Explorer 5.5 (Service Pack 2 required to install update)
  Internet Explorer 6.0 Service Pack 1 (SP1)
  Internet Explorer 6.0
* Internet Explorer versions 5.0 and earlier are no longer supported.
These versions may or may not be affected.
The information in this article applies to:
  Microsoft Internet Explorer 6.0 SP1, when used with:
    Microsoft Windows XP SP1
    Microsoft Windows 2000 SP2
    Microsoft Windows 2000 SP3
    Microsoft Windows NT 4.0 SP6
    Microsoft Windows Millennium Edition
    Microsoft Windows 98 Second Edition
  Microsoft Internet Explorer 6.0, when used with:
    Microsoft Windows XP
  Microsoft Internet Explorer 5.5 SP2, when used with:
    Windows 2000 SP3
    Microsoft Windows NT 4.0 SP6a
    Microsoft Windows Millennium Edition
    Microsoft Windows 98 Second Edition
  Microsoft Internet Explorer 5.01 SP3, when used with:
    Microsoft Windows 2000 SP3
Vulnerabilities Description:
1) A buffer overrun vulnerability in Urlmon.dll that occurs because
Internet Explorer does not correctly check the parameters of return
communications requests from a Web server. An attacker might be able to
use this vulnerability to run arbitrary code on your computer. Although
just visiting an attacker's Web site might exploit the vulnerability
without any other action on your part, an attacker has no way to force you
to visit the Web site.
2) A vulnerability in the Internet Explorer file upload control that
permits input from a script to be passed to the control. This might allow
an attacker to automatically input a file name in the file upload control
and automatically upload a file to a Web server.
3) A problem in the way that Internet Explorer handles the rendering of
third-party files. This problem occurs because the Internet Explorer
method for rendering third-party file types does not correctly check
parameters that are passed to the method. An attacker can create a
specially formed URL to inject script during the rendering of a
third-party file format that runs in your context.
4) A flaw in Internet Explorer may permit a malicious Web site operator to
access information in another Internet domain, or on the user's local
system, by injecting specially crafted code when certain dialog boxes were
presented to the user. In the worst case, this vulnerability may permit an
attacker to load a malicious executable onto the system and then run it.
Although just visiting the Web site might exploit the vulnerability
without any other action on your part, an attacker has no way to force you
to visit the Web site.
5) A flaw in Internet Explorer may permit an attacker to use the showHelp
functionality to either read a local file on a user's local system or,
potentially, to disclose user information. An attacker must lure a user to
a malicious Web site, and the attacker also must either know the exact
path of the local file or persuade the user to click a link at the
malicious Web site and therefore disclose the user's information. An
attacker can also exploit this vulnerability to run local executables with
parameters.
The attacker has no way to force a user to a malicious Web site. By
default, Microsoft Outlook Express 6.0 and Microsoft Outlook 2002 open
HTML e-mail in the Restricted sites zone. Additionally, Microsoft Outlook
98 and Microsoft Outlook 2000 open HTML e-mail in the Restricted sites
zone if the Outlook E-mail Security Update has been installed. Customers
who use any of these products are at no risk from an e-mail-borne attack
that tries to automatically take a user to a malicious Web site and
exploit this vulnerability.
Important: The patch discussed in this article addresses the vulnerability
by making sure that the correct cross-domain security checks occur
whenever showHelp functionality is used. However, applying the patch
disables HTML Help functionality because HTML Help was one of
the attack vectors. To restore HTML Help functionality, you are also
encouraged to download the HTML Help update after you apply this
cumulative patch. For additional information about this issue, click the
following article number to view the article in the Microsoft Knowledge
Base:
811630 HTML Help Update to Limit Functionality When It Is Invoked with the
Window.showHelp( ) Method
Note: This patch also addresses an issue that prevented previous cumulative
patches for Internet Explorer from successfully installing on Microsoft
Windows XP-based computers in noninteractive mode (for example, by using
Windows Task Scheduler, Microsoft Systems Management Server, or the IBM
Tivoli software).
For more information about this patch, visit the following Microsoft Web
site:
http://www.microsoft.com/technet/security/bulletin/MS03-004.asp
Note: This patch also includes a fix for Internet Explorer 6.0 Service Pack
1 (SP1) to correct the method that Internet Explorer uses to show Help
information in the Local Computer zone. Although Microsoft is not aware of
a method to exploit this vulnerability by itself, if the vulnerability
were exploited, an attacker might read local files on the computer. This
patch also sets the Kill bit on the Plugin.ocx ActiveX control because
this control has a security vulnerability. This was done to help prevent
the vulnerable control from being reintroduced onto your computer, and to
help to protect you if you already have the control on your computer. For
additional information about the Kill bit, click the following article
number to view the article in the Microsoft Knowledge Base:
240797 How to Stop an ActiveX Control from Running in Internet Explorer
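The Kill bit referred to above is a registry flag: Internet Explorer refuses to instantiate a control when the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} has the value 0x00000400 set. The following is an added example, not part of the original advisory or of Microsoft's code, that audits the text of a `reg export` dump for that bit. The CLSIDs in the sample are constructed placeholders (the advisory does not give the Plugin.ocx CLSID) and the function names are hypothetical.

```python
import re

KILL_BIT = 0x00000400  # Compatibility Flags bit that blocks instantiation in IE
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9a-fA-F]{1,8})$')

# Constructed sample of a .reg export (already decoded to text; regedit
# version 5 exports are UTF-16 on disk). Both CLSIDs are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00800020
'''


def parse_compat_flags(reg_text):
    """Map CLSID (upper-case, braces kept) -> Compatibility Flags value or None."""
    flags, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            parent, _, leaf = m.group("key").rpartition("\\")
            # Only direct children of the ActiveX Compatibility key are CLSIDs.
            clsid = leaf.upper() if parent.upper() == BASE.upper() else None
            if clsid:
                flags.setdefault(clsid, None)  # key present, value not seen yet
            continue
        m = FLAGS.match(line)
        if m and clsid:
            flags[clsid] = int(m.group("val"), 16)
    return flags


def kill_bit_status(reg_text, clsid):
    """Return 'set', 'not set' (key exists without 0x400) or 'missing' (no key)."""
    flags = parse_compat_flags(reg_text)
    clsid = clsid.upper()
    if clsid not in flags:
        return "missing"
    value = flags[clsid]
    return "set" if value is not None and value & KILL_BIT else "not set"
```

A result of "missing" or "not set" for the control's CLSID on a host that should have this patch means the control can still be loaded there.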
Like the previous Internet Explorer cumulative patch in bulletin MS03-004,
this cumulative patch causes the window.showHelp method to stop
functioning if you have not applied the HTML Help update. If you have
installed the updated HTML Help control from Microsoft Knowledge Base
article 811630, you can still use HTML Help functionality after you apply
this update. For additional information, click the following article
number to view the article in the Microsoft Knowledge Base:
811630 HTML Help Update to Limit Functionality When It Is Invoked with the
window.showHelp( ) Method
This patch also addresses an issue that prevents previous cumulative
patches for Internet Explorer from being installed successfully on
Microsoft Windows XP-based computers in non-interactive mode (for example,
by using Windows Task Scheduler, Microsoft Systems Management Server, or
the IBM Tivoli software).
For more information about this patch, visit the following Microsoft Web
site:
http://www.microsoft.com/technet/security/bulletin/MS03-015.asp
Download Information
To download and install this update, visit the following Microsoft Windows
Update Web site and install Critical Update 813489:
http://windowsupdate.microsoft.com
ADDITIONAL INFORMATION
The original Microsoft advisory can be found at:
http://support.microsoft.com/?id=813489
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.