[NT] Cumulative Patch for Internet Explorer (MS03-040)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/07/03

Next message: SecuriTeam: "[NT] Mutantpenguin's MPNews and MPWeb Directory Traversal Vulnerability"

Previous message: SecuriTeam: "[NT] Process Killing - Playing with PostThreadMessage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 7 Oct 2003 18:03:15 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Cumulative Patch for Internet Explorer (MS03-040)
------------------------------------------------------------------------

SUMMARY

Microsoft has issued a cumulative patch that includes the functionality of
all previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
In addition, it eliminates the following newly discovered vulnerabilities:

* A vulnerability that occurs because Internet Explorer does not properly
determine an object type returned from a Web server in a popup window. It
could be possible for an attacker who exploited this vulnerability to run
arbitrary code on a user's system. If a user visited an attacker's Web
site, it could be possible for the attacker to exploit this vulnerability
without any other user action. An attacker could also craft an HTML-based
e-mail that would attempt to exploit this vulnerability.

* A vulnerability that occurs because Internet Explorer does not properly
determine an object type returned from a Web server during XML data
binding. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user visited
an attacker's Web site, it could be possible for the attacker to exploit
this vulnerability without any other user action. An attacker could also
craft an HTML-based e-mail that would attempt to exploit this
vulnerability.

In addition, a change has been made to the method by which Internet
Explorer handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
Restricted Zone. It could be possible for an attacker exploiting a
separate vulnerability (such as one of the two vulnerabilities discussed
above) to cause Internet Explorer to run script code in the security
context of the Internet Zone. In addition, an attacker could use Windows
Media Player's (WMP) ability to open URLs to construct an attack. An
attacker could also craft an HTML-based e-mail that could attempt to
exploit this behavior.

DETAILS

Vulnerable Systems:
* Internet Explorer 5.01
* Internet Explorer 5.5
* Internet Explorer 6.0
* Internet Explorer 6.0 for Windows Server 2003

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively, an
attacker would have to host a malicious Web site that contained a Web page
designed to exploit these vulnerabilities.

As with the previous Internet Explorer cumulative patches released with
bulletins
<http://www.microsoft.com/technet/security/bulletin/MS03-004.asp>
MS03-004,
<http://www.microsoft.com/technet/security/bulletin/MS03-015.asp>
MS03-015,
<http://www.microsoft.com/technet/security/bulletin/MS03-020.asp>
MS03-020, and
<http://www.microsoft.com/technet/security/bulletin/MS03-032.asp>
MS03-032, this cumulative patch will cause window.showHelp( ) to cease to
function if you have not applied the HTML Help update. If you have
installed the updated HTML Help control from Knowledge Base article
<http://support.microsoft.com/default.aspx?scid=kb;en-us;811630> 811630,
you will still be able to use HTML Help functionality after applying this
patch.

In addition to applying this security patch it is recommended that users
also install the Windows Media Player update referenced in Knowledge Base
Article <http://support.microsoft.com/default.aspx?scid=kb;en-us;828026>
828026. This update is available from Windows Update as well as the
Microsoft Download Center for all supported versions of Windows Media
Player. While not a security patch, this update contains a change to the
behavior of Windows Media Player's ability to launch URLs to help protect
against DHTML behavior based attacks. Specifically, it restricts Windows
Media Player's ability to launch URLs in the local computer zone from
other zones.

Mitigating factors:
* By default, Internet Explorer on Windows Server 2003 runs in Enhanced
Security Configuration. This default configuration of Internet Explorer
blocks automatic exploitation of this attack. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections put in
place that prevent this vulnerability from being automatically exploited
would be removed.

* In the Web-based attack scenario, the attacker would have to host a Web
site that contained a Web page used to exploit this vulnerability.

* Exploiting the vulnerability would allow the attacker only the same
privileges as the user. Users whose accounts are configured to have user
level privileges on the system would be at less risk than ones who operate
with administrative privileges.
Vulnerability identifier:
* Object Tag vulnerability in Popup Window:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0838>
CAN-2003-0838
* Object Tag vulnerability with XML data binding:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0809>
CAN-2003-0809

Frequently asked questions:

What's the scope of the vulnerability?
This is a cumulative patch that incorporates the functionality of all
previously released patches for Internet Explorer. In addition, the patch
eliminates the following newly reported vulnerabilities:

* Two vulnerabilities that could allow an attacker to cause arbitrary
code to run on the user's system.

Are there any other security changes made by the patch?
Yes - A behavioral change has been made to the method by which Internet
Explorer handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
Restricted Zone. It could be possible for an attacker exploiting a
separate vulnerability (such as one of the two vulnerabilities discussed
above) to cause Internet Explorer to run script code in the security
context of the Internet Zone. In addition, an attacker could use Windows
Media Player's (WMP) ability to open URL's to construct an attack.
An attacker could also craft an HTML-based e-mail that could attempt to
exploit this behavior.

What are DHTML Behaviors?
DHTML Behaviors are components that allow extra functionality on a
standard HTML page. For example, DHTML Behaviors can be used with an HTML
"unordered list" (<ul>) tag allow a list to be expanded and contracted by
clicking on a list item. More information about DHTML Behaviors can be
found <http://msdn.microsoft.com/workshop/author/behaviors/overview.asp>
here.

Are there any other steps I should take in addition to applying this patch
to help protect my computer?
Yes - In addition to applying this security patch it is recommended that
users also install the Windows Media Player update referenced in Knowledge
Base Article 828026. This update is available from Windows Update as well
as the Microsoft Download Center for all supported versions of Windows
Media Player. While not a security patch, this update contains a change to
the behavior of Windows Media Player's ability to launch URLs to help
protect against DHTML behavior based attacks.
Specifically, it restricts Windows Media Player's ability to launch URLs
in the local computer zone from other zones.

I am running Internet Explorer on Windows Server 2003. Does this mitigate
these vulnerabilities?
Yes. By default, Internet Explorer on Windows Server 2003 runs in a
restricted mode known as Enhanced Security Configuration.

What is Internet Explorer Enhanced Security Configuration?
Internet Explorer Enhanced Security Configuration is a group of
preconfigured Internet Explorer settings that reduce the likelihood of a
user or administrator downloading and running malicious Web content on a
server. Internet Explorer Enhanced Security Configuration reduces this
risk by modifying numerous security-related settings, including Security
and Advanced tab settings in Internet Options. Some of the key
modifications include:
* Security level for the Internet zone is set to High. This setting
disables scripts, ActiveX controls, Microsoft virtual machine (Microsoft
VM), HTML content, and file downloads.
* Automatic detection of intranet sites is disabled. This setting assigns
all intranet Web sites and all Universal Naming Convention (UNC) paths
that are not explicitly listed in the Local intranet zone to the Internet
zone.
* Install On Demand and non-Microsoft browser extensions are disabled.
This setting prevents Web pages from automatically installing components
and prevents non-Microsoft extensions from running.
* Multimedia content is disabled. This setting prevents music,
animations, and video clips from running.

Disabling Internet Explorer Enhanced Security Configuration would remove
the protections put in place that help prevent this vulnerability from
being exploited. For more information about Internet Explorer Enhanced
Security Configuration, see the Managing Internet Explorer Enhanced
Security Configuration guide. To do so, visit the following Microsoft Web
site:

<http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en> http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

Is there any configuration of Windows Server 2003 that is likely to have
Internet Explorer Enhanced Security Configuration Disabled?
Yes. Systems Administrators who have deployed Windows Server 2003 as a
Terminal Server would likely disable Internet Explorer Enhanced Security
Configuration to allow users of the Terminal Server to use Internet
Explorer in an unrestricted mode.

CAN-2003-0838: Object Tag vulnerability in a Popup Window

What's the scope of this vulnerability?
A flaw in the way Internet Explorer handles a specific HTTP request could
allow arbitrary code to execute in the context of the logged-on user,
should the user visit a site under the attacker's control.

What causes the vulnerability?
The vulnerability results because Internet Explorer does not properly
check a specially crafted HTTP response that can be encountered when
Internet Explorer handles an object tag in an Internet Explorer windows
created with by a Window.CreatePopup script command.

What's wrong with the way Internet Explorer handles object tags?
There is a flaw in the way Internet Explorer determines an object type.
Internet Explorer does not conduct a proper parameter check on an HTTP
response. The response can point to a particular file type that will then
cause an object to be scripted, and then run. This could allow an attacker
to run arbitrary code on a user's machine.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause Internet Explorer to
execute code of the attacker's choice. This would allow an attacker to
take any action on a user's system in the security context of the
currently logged-on user.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by hosting a
specially constructed Web page. If the user visited this Web page,
Internet Explorer could fail and could allow arbitrary code to execute in
the context of the user. Alternatively, an attacker could also craft an
HTML based e-mail that attempts to exploit this vulnerability.

What does the patch do?
The patch addresses the vulnerabilities by ensuring that Internet Explorer
performs proper checks when it receives an HTTP response.

CAN-2003-0809: Object Tag vulnerability with XML data binding

What is XML data binding?
XML data binding is a method that allows a web page author to bind HTML
data to an XML data set. An example of this might be where a web page
author uses XML data binding to have the update the contents of an HTML
table when the XML dataset changes. More information about XML data
binding can be found
<http://msdn.microsoft.com/library/en-us/xmlsdk/htm/xml_concepts2_882p.asp> here.

What's wrong with the way Internet Explorer handles object tags with XML
data binding?
There is a flaw in the way Internet Explorer determines an object type.
Internet Explorer does not conduct a proper parameter check on an HTTP
response. The response can point to a particular file type that will then
cause an object to be scripted, then run. This could allow an attacker to
run arbitrary code on a user's machine.

What does the patch do?
The patch addresses the vulnerabilities by ensuring that Internet Explorer
performs proper checks when it receives an HTTP response.

Workarounds
Are there any workarounds that can be used to block exploitation of this
vulnerability while I test the patch?
Yes. It should be noted that these workarounds should be considered
temporary measures as they just help block paths of attack rather than
correcting the underlying vulnerability. Microsoft encourages installing
the patch at the earliest opportunity.
The following sections are intended to provide you with information to
help protect your computer from attack.

Prompt before running of ActiveX controls in the Internet and Intranet
zones:
You can help protect against this vulnerability by changing your settings
for the Internet security zone to prompt before running ActiveX
components. To do this, perform the following steps:
* In Internet Explorer, select Tools, Internet Options
* Click on the Security tab
* Highlight the Internet icon and click on the Custom Level button
* Scroll through the list to the Active X controls and plug-ins section
* Under Run ActiveX controls and plug-ins click Prompt
* Click OK
* Highlight the Local Intranet icon and click on the Custom Level button
* Scroll through the list to the Active X controls and plug-ins section
* Under Run ActiveX controls and plug-ins click Prompt
* Click OK; then click OK again to return to Internet Explorer

Restrict Web sites to only your trusted Web sites
After requiring a prompt before running ActiveX in the Internet and
Intranet zone, you can add sites that you trust into Internet Explorer's
Trusted sites. This will allow you to continue using trusted Web sites
exactly as you do today, while protecting you from this attack on
un-trusted sites. Microsoft recommends that you only add sites that you
trust to the trusted sites zone.
To do this, perform the following steps:
* In Internet Explorer, select Tools, then Internet Options. Click the
Security tab.
* In the box labeled Select a Web content zone to specify its current
security settings, click Trusted Sites, then click Sites
* If you want to add sites that do not require an encrypted channel,
click to clear the Require server verification (https:) for all sites in
this zone check box.
* In the box labeled Add this Web Site to the zone, type the URL of a
site that you trust, then click the Add button.

Repeat for each site that you want to add to the zone.
* Click OK twice to accept the changes and return to Internet Explorer.
Add any sites that you trust not to take malicious action on your
computer. One in particular that you may want to add is
"*.windowsupdate.microsoft.com" (without the quotes). This is the site
that will host the patch, and it requires the use of an ActiveX control to
install the patch.

If you are using Outlook 2002 or Outlook Express 6.0SP1 or higher, to help
protect yourself from the HTML email attack vector, read email in plain
text format.
Users of Microsoft Outlook 2002 and Outlook Express 6.0 who have applied
Service Pack 1 and or higher can enable a feature to view all
non-digitally-signed e-mail or non-encrypted e-mail messages in plain text
only.
Digitally signed e-mail or encrypted e-mail messages are not affected by
the setting and may be read in their original formats. Information on
enabling this setting in Outlook 2002 can be found in the following
Knowledge Base article:
<http://support.microsoft.com/default.aspx?scid=kb;en-us;307594>
http://support.microsoft.com/default.aspx?scid=kb;en-us;307594
Information on enabling this setting in Outlook Express 6.0 can be found
in the following Knowledge Base article:
<http://support.microsoft.com/?kbid=291387>
http://support.microsoft.com/?kbid=291387

Are there any side-effects to prompting before running of ActiveX
components?
Yes. Many Web sites on the Internet use ActiveX to provide additional
functionality. For instance, an online e-commerce site or banking site
might use ActiveX controls to provide menus, ordering forms, or even
account statements. Prompting before running ActiveX controls is a global
setting for all Internet and Intranet sites. You will be prompted
frequently when you enable this work-around. For each prompt, if you feel
you trust the site that you are visiting, click Yes to run ActiveX
components. If you do not want to be prompted for all of these sites, you
can instead use the "Restrict Web sites to only your trusted Web sites"
workaround.

Are there any side effects to restricting Web sites from my trusted Web
sites?
Yes. For those sites you have not configured to be in your Trusted sites
zone, their functionality will be impaired if they require ActiveX
controls to function properly. Adding sites to your Trusted sites zone
will allow them to be able to download the ActiveX control required to
function correctly. However, you should only add Web sites you trust to
the Trusted sites zone.

Are there any side-effects to reading email in plain text format?
Yes. E-mail viewed in plain text format cannot contain pictures,
specialized fonts, animations, or other rich content. In addition:
* The changes are applied to the preview pane and open messages.
* Pictures become attachments to avoid loss.
* Since the message is still in Rich Text or HTML format in the store,
the object model (custom code solutions) may behave unexpectedly because
the message is still in Rich Text or HTML format in the mail store.

Patch availability:
Download locations for this patch
*
<http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp> All versions except Microsoft Internet Explorer 6.0 for Windows Server 2003
*
<http://www.microsoft.com/windows/ie/downloads/critical/828750s/default.asp> Microsoft Internet Explorer 6.0 for Windows Server 2003

ADDITIONAL INFORMATION

The original article can be found at:
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-040.asp> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-040.asp

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[NT] Mutantpenguin's MPNews and MPWeb Directory Traversal Vulnerability"

Previous message: SecuriTeam: "[NT] Process Killing - Playing with PostThreadMessage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]