[NT] Cumulative Security Update for Internet Explorer (889293, MS04-040)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/02/04

    To: list@securiteam.com
    Date: 2 Dec 2004 12:30:54 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      Cumulative Security Update for Internet Explorer (889293, MS04-040)
    ------------------------------------------------------------------------

    SUMMARY

    This update resolves a newly-discovered publicly reported vulnerability. A
    vulnerability exists in Internet Explorer that could allow remote code
    execution on an affected system.

    If a user is logged on with administrative privileges, an attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system, including installing programs; viewing, changing, or
    deleting data; or creating new accounts with full privileges. Users whose
    accounts are configured to have fewer privileges on the system would be at
    less risk than users who operate with administrative privileges.

    Microsoft recommends that customers install the update immediately.

    DETAILS

    Affected Software:
     * Microsoft Windows NT Server 4.0 Service Pack 6a
     * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
     * Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
    Service Pack 4
     * Microsoft Windows XP Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Service Pack 1
     * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (Me). Review the FAQ section of this
    bulletin for details about these operating systems.

    Non-Affected Software:
     * Microsoft Windows XP Service Pack 2
     * Microsoft Windows XP 64-Bit Edition Version 2003
     * Microsoft Windows Server 2003
     * Microsoft Windows Server 2003 64-Bit Edition

    Affected Components:
     * Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service
    Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows
    XP Service Pack 1. Download the update:
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=3A9DBD51-4348-4EE6-9BC1-D9A1E12963EC>

     * Internet Explorer 6 Service Pack 1 on Microsoft Windows NT Server 4.0
    Service Pack 6a, on Microsoft Windows NT Server 4.0 Terminal Server
    Edition Service Pack 6, on Microsoft Windows 98, on Microsoft Windows 98
    SE, or on Microsoft Windows Me. Download the update:
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=96DE6C13-4F67-4581-8F51-2C8A90E11C57>

     * Internet Explorer 6 for Windows XP Service Pack 1 (64-Bit Edition).
    Download the update:
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=1e9105cf-eb5b-4af5-b73d-03e8969e0b5c>

    Non-Affected Components:
     * Internet Explorer 5.01 Service Pack 3 on Windows 2000 SP3
     * Internet Explorer 5.01 Service Pack 4 on Windows 2000 SP4
     * Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Me
     * Internet Explorer 6 for Windows Server 2003
     * Internet Explorer 6 for Windows Server 2003 64-Bit Edition and Windows
    XP 64-Bit Edition Version 2003
     * Internet Explorer 6 for Windows XP Service Pack 2

    CVE Information:
     CAN-2004-1050
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1050>

    HTML Elements Vulnerability:
    A remote code execution vulnerability exists in Internet Explorer. An
    attacker could exploit it by constructing a malicious Web page and
    persuading a user to visit the Web site that hosts it. An attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system.

    Mitigating Factors for HTML Elements Vulnerability
     * In a Web-based attack scenario, an attacker would have to host a Web
    site that contains a Web page that is used to exploit this vulnerability.
    An attacker would have no way to force users to visit a malicious Web
    site. Instead, an attacker would have to persuade them to visit the Web
    site, typically by getting them to click a link that takes them to the
    attacker's site.

     * An attacker who successfully exploited this vulnerability could gain
    the same privileges as the user. Users whose accounts are configured to
    have fewer privileges on the system would be at less risk than users who
    operate with administrative privileges.

     * By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
    e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
    Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
    Outlook E-mail Security Update has been installed. Outlook Express 5.5
    Service Pack 2 opens HTML e-mail in the Restricted sites zone if Microsoft
    Security Bulletin MS04-018 has been installed. The Restricted sites zone
    helps reduce attacks that could attempt to exploit this vulnerability.

    The risk of attack from the HTML e-mail vector can be significantly
    reduced if you meet all the following conditions:
     * Install the update that is included with Microsoft Security Bulletin
    MS03-040 or a later Cumulative Security Update for Internet Explorer.

     * Use Microsoft Outlook 98 and Outlook 2000 with the Microsoft Outlook
    E-mail Security Update installed.

     * Use Microsoft Outlook Express 6 or later or Microsoft Outlook 2000
    Service Pack 2 or later in their default configuration.

    The following software is not affected by this vulnerability.
     * Internet Explorer 5.01 Service Pack 3
     * Internet Explorer 5.01 Service Pack 4
     * Internet Explorer 5.5 Service Pack 2
     * Internet Explorer 6 on Windows Server 2003
     * Internet Explorer 6 on Windows XP Service Pack 2

    Workarounds for HTML Elements Vulnerability:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    below.

     * Install the Outlook E-mail Security Update if you are using Outlook
    2000 SP1 or earlier.

    By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
    e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
    Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
    Outlook E-mail Security Update has been applied.

    Customers who use any of these products could be at a reduced risk from an
    e-mail-borne attack that tries to exploit this vulnerability unless the
    user clicks a malicious link in the e-mail message.

    What is the scope of the vulnerability?
    This is a remote code execution vulnerability. If a user is logged on with
    administrative privileges, an attacker who successfully exploited this
    vulnerability could take complete control of an affected system, including
    installing programs; viewing, changing, or deleting data; or creating new
    accounts that have full privileges. Users whose accounts are configured to
    have fewer privileges on the system would be at less risk than users who
    operate with administrative privileges.

    What causes the vulnerability?
    An unchecked buffer in Internet Explorer's processing of certain HTML
    elements, such as FRAME and IFRAME elements.

    What are IFRAME elements?
    Inline Floating Frames (IFRAME) are a technology that gives Web authors
    increased control over the design and interaction of their Web pages. For
    more information about IFRAME elements, visit the Microsoft Developer
    Network (MSDN) Web site.

    How could an attacker exploit the vulnerability?
    An attacker could exploit this vulnerability by creating a malicious Web
    page and persuading the user to visit the page. When the user has visited
    the page, the attacker could access information from other Web sites,
    access local files on the system, or cause malicious code to run as the
    locally logged on user.

    What systems are primarily at risk from the vulnerability?
    This vulnerability requires a user to view a Web site for malicious action
    to occur. Therefore, any systems where Internet Explorer is used
    frequently, such as users' workstations or terminal servers, are at the
    most risk from this vulnerability. Systems that are not typically used to
    visit Web sites, such as most server systems, are at a reduced risk.

    It should be noted that FRAME and IFRAME elements are not rendered in the
    Restricted sites zone, which is the zone where Outlook Express and Outlook
    by default open HTML e-mail messages. Exploitation of this vulnerability
    through e-mail therefore requires user interaction in the form of a
    malicious link in the e-mail message. See the Workarounds section of this
    bulletin for more information.

    Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
    critically affected by this vulnerability?
    Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition
    are critically affected by this vulnerability. A Critical security update
    for these platforms is available and is provided as part of this security
    bulletin and can be downloaded from the Windows Update Web site. For more
    information about severity ratings, visit this Microsoft Web site.

    What does the update do?
    The update removes the vulnerability by modifying the way that Internet
    Explorer validates the length of a message while processing HTML elements.
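    The bulletin states only that the flaw is an unchecked buffer in Internet Explorer's handling of FRAME and IFRAME elements and that the update adds length validation. A mail gateway or filtering proxy can apply a comparable length check on content before it reaches clients that have not yet received the update. The following Python scanner is an added example; it is not from the bulletin or from Microsoft. The 256-byte threshold, the `scan_html` and `is_suspicious` names, and the sample documents are all assumptions constructed for illustration; the bulletin does not state which attribute or what length triggers the defect, so the scanner flags any FRAME/IFRAME attribute value over the threshold and leaves the threshold for the operator to tune.

```python
"""Heuristic scanner for oversized FRAME/IFRAME attribute values in HTML.

Added example, not code from the MS04-040 bulletin or from Microsoft. The
bulletin describes an unchecked buffer in Internet Explorer's processing of
FRAME and IFRAME elements and a fix that validates length; this scanner lets
a gateway flag such elements before an unpatched client renders them. The
256-byte threshold is an assumed value chosen for illustration.
"""
from html.parser import HTMLParser

FRAME_TAGS = {"frame", "iframe"}
MAX_ATTR_LEN = 256  # assumed threshold; tune for your environment


class FrameAttrScanner(HTMLParser):
    """Collects FRAME/IFRAME attributes whose values exceed max_len."""

    def __init__(self, max_len=MAX_ATTR_LEN):
        super().__init__(convert_charrefs=True)
        self.max_len = max_len
        self.findings = []  # tuples of (tag, attribute, length, line)

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in FRAME_TAGS:
            return
        line, _ = self.getpos()  # 1-based line of the tag's opening '<'
        for name, value in attrs:
            if value is not None and len(value) > self.max_len:
                self.findings.append((tag.lower(), name.lower(), len(value), line))

    def handle_startendtag(self, tag, attrs):
        # Treat a self-closing <iframe .../> the same way as an open tag.
        self.handle_starttag(tag, attrs)


def scan_html(html, max_len=MAX_ATTR_LEN):
    """Return a list of (tag, attribute, length, line) findings for a document."""
    scanner = FrameAttrScanner(max_len)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(html, max_len=MAX_ATTR_LEN):
    """True when any FRAME/IFRAME attribute value exceeds the threshold."""
    return bool(scan_html(html, max_len))


# Constructed sample documents (not real captures).
BENIGN_HTML = """<html><body>
<iframe src="https://example.com/widget" name="widget" width="300"></iframe>
<frameset cols="50%,50%"><frame src="left.html" name="left"></frameset>
</body></html>"""

# Constructed document with one IFRAME attribute value of 2000 characters.
SUSPICIOUS_HTML = (
    "<html><body>\n"
    '<iframe src="page.html" name="' + ("A" * 2000) + '"></iframe>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        for tag, attr, length, line in scan_html(doc):
            print(f"{label}: <{tag}> attribute '{attr}' is {length} chars at line {line}")
        print(f"{label}: suspicious={is_suspicious(doc)}")
```

    Run on the benign document the scanner reports nothing; on the constructed second document it reports the oversized IFRAME attribute with its length and line number, which is enough for a gateway to quarantine the message or page for review. Because the check is purely structural, it produces no false positives on ordinary frame markup with short attributes, and raising `max_len` silences it where a site legitimately uses long attribute values.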

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    Yes. This vulnerability has been publicly disclosed. It has been assigned
    Common Vulnerabilities and Exposures (CVE) number CAN-2004-1050.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    Yes. When the security bulletin was released, Microsoft had received
    information that this vulnerability was being exploited.

    ADDITIONAL INFORMATION

    The information has been provided by Microsoft Product Security.
    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
