A 6% fix from Microsoft Security Bulletin MS03-040 - 828750
From: Me2 (nospam_at_nospam.com)
Date: 10/04/03
Date: Sat, 4 Oct 2003 00:54:53 -0700
Jupiter, so, it's ok to mass post... Let 'er rip...
With MS03-040 M$ released a 6% fix with some good descriptions of what to
change with IE security settings.
What I cannot figure out is what exactly this is supposed to fix.
Trojan.QHosts? Some other kind of Trojan/virus/worm? The technical
details and FAQs have a lot of wording about this and that - all good stuff.
But it looks like it all comes down to two fixes (three if you include the
Media player update):
a.. Object Tag vulnerability in Popup Window: CAN-2003-0838
b.. Object Tag vulnerability with XML data binding: CAN-2003-0809
The odd thing is the two "CAN-xxxx-xxxx" links don't work in the security
bulletin. If I try to match it up to the 31 IE vulnerabilities listed on
"http://www.pivx.com/larholm/unpatched" then it looks like M$ fixed 2 of the
31 (6%) leaving us with 29 (94%) IE vulnerabilities to go.
Still waiting for the other 94% of the IE fixes...
"Jupiter Jones [MVP]" <jones_jupiter@hotnomail.com> wrote in message
news:%23DN9ImkiDHA.2420@TK2MSFTNGP10.phx.gbl...
> I am viewing this thread through the Microsoft servers and I do see a
> difference.
> Perhaps you need to read more posts.
> People often point out that this information does not get enough
> publicity in these newsgroups.
> Now Microsoft posts this very information to the newsgroups and people
> complain.
> Microsoft will lose no matter what they do.
> Some of the patches need massive exposure.
> In a 2 hour time frame, I saw the information about this patch from at
> least 4 different methods.
> This is what it is sometimes necessary to do.
>
> You can pick all you want, the point is the information is getting out
> in a non threatening way.
> There are NO attachments.
> If you would like to panic over a legitimate post, what did you do
> when all the viruses were here?
>
> I obviously realize a lot more than you think, a point that should be
> obvious to you if you only look.
>
> --
> Jupiter Jones [MVP]
> An easier way to read newsgroup messages:
> http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp
> http://dts-l.org/index.html
>
>
> "Invisible Dance" <dark.apostle@mindspring.com> wrote in message
> news:xqufb.19635$f11.11521@newsread1.news.atl.earthlink.net...
> > Since "Jerry Bryant [MSFT]" massively cross-posted (the same technique the
> > 'swen' worm uses in posting to newsgroups), this is somewhat difficult to
> > explain, so I'll append an example of the same information that was posted
> > to microsoft.public.security.virus (not cross-posted as the 'swen' worm
> > cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have
> > valid hot-links to appropriate Microsoft websites, it's just that they also
> > have a malformed header and an infected attachment]) in a much better
> > fashion. If you are not viewing this thread in the
> > microsoft.public.security.virus you may not realize how bad the post from
> > "Jerry Bryant [MSFT]" looks in context.
> >
> > Realize that millions of fake, infected "Microsoft Security Bulletins" are
> > being sent out hourly by systems and networks infected by the 'swen' worm.
> > Some of us are getting a thousand or more each day. That makes it extremely
> > important to make every effort to ensure any legitimate information
> > purporting to be from Microsoft to distinguish itself from that provided by
> > the 'swen' worm.
> >
> > Just in case you need a glimpse of the 'swen' worm product, look at (but be
> > very, very sure that you have all necessary Microsoft security patches and
> > Service Packs installed AND have an antivirus program with the latest virus
> > definitions scanning all operations of your computer before looking) the
> > post to microsoft.public.security.virus
> >
> > Watch this security patch
> > From: Karol
> > Sent: 02OCT03 4:18 PM EDT
> >
> >
> > The post generated by the 'swen' worm has a malformed header AND has the ~
> > 106,000 byte infectious attachment. Open this attached file and, without
> > up-to-date antivirus protection on your Windows 98 and up operating system,
> > your system WILL be infected.
> > ______________________
> > Quote Begins
> > ______________________
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > - ----------------------------------------------------------------------
> > Title: Cumulative Patch for Internet Explorer (828750)
> > Date: October 3, 2003
> > Software: Internet Explorer 5.01
> > Internet Explorer 5.5
> > Internet Explorer 6.0
> > Internet Explorer 6.0 for Windows Server 2003
> > Impact: Run code of attacker's choice
> > Max Risk: Critical
> > Bulletin: MS03-040
> >
> > Microsoft encourages customers to review the Security Bulletins at:
> > http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
> > http://www.microsoft.com/security/security_bulletins/MS03-040.asp
> > - ----------------------------------------------------------------------
> >
> > Issue:
> > ======
> > This is a cumulative patch that includes the functionality of all
> > previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
> > In addition, it eliminates the following newly discovered
> > vulnerabilities:
> >
> > A vulnerability that occurs because Internet Explorer does not
> > properly determine an object type returned from a Web server in a
> > popup window. It could be possible for an attacker who exploited this
> > vulnerability to run arbitrary code on a user's system. If a user
> > visited an attacker's Web site, it would be possible for the attacker
> > to exploit this vulnerability without any other user action. An
> > attacker could also craft an HTML-based e-mail that would attempt to
> > exploit this vulnerability.
> >
> > A vulnerability that occurs because Internet Explorer does not
> > properly determine an object type returned from a Web server during
> > XML data binding. It could be possible for an attacker who exploited
> > this vulnerability to run arbitrary code on a user's system. If a
> > user visited an attacker's Web site, it would be possible for the
> > attacker to exploit this vulnerability without any other user action.
> > An attacker could also craft an HTML-based e-mail that would attempt
> > to exploit this vulnerability.
> >
> > A change has been made to the method by which Internet Explorer
> > handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
> > Restricted Zone. It could be possible for an attacker exploiting a
> > separate vulnerability (such as one of the two vulnerabilities
> > discussed above) to cause Internet Explorer to run script code in the
> > security context of the Internet Zone. In addition, an attacker could
> > use Windows Media Player's (WMP) ability to open URL's to construct
> > an attack. An attacker could also craft an HTML-based e-mail that
> > could attempt to exploit this behavior.
> >
> > To exploit these flaws, the attacker would have to create a specially
> > formed HTML-based e-mail and send it to the user. Alternatively an
> > attacker would have to host a malicious Web site that contained a Web
> > page designed to exploit these vulnerabilities. The attacker would
> > then have to persuade a user to visit that site.
> >
> > As with the previous Internet Explorer cumulative patches released
> > with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this
> > cumulative patch will cause window.showHelp( ) to cease to function
> > if you have not applied the HTML Help update. If you have installed
> > the updated HTML Help control from Knowledge Base article 811630, you
> > will still be able to use HTML Help functionality after applying this
> > patch.
> >
> > In addition to applying this security patch it is recommended that
> > users also install the Windows Media Player update referenced in
> > Knowledge Base Article 828026. This update is available from Windows
> > Update as well as the Microsoft Download Center for all supported
> > versions of Windows Media Player. While not a security patch, this
> > update contains a change to the behavior of Windows Media Player's
> > ability to launch URL's to help protect against DHTML behavior based
> > attacks. Specifically, it restricts Windows Media Player's ability
> > to launch URL's in the local computer zone from other zones.
> >
> > Mitigating Factors:
> > ====================
> > - -By default, Internet Explorer on Windows Server 2003 runs in
> > Enhanced Security Configuration. This default configuration of
> > Internet Explorer blocks automatic exploitation of this attack. If
> > Internet Explorer Enhanced Security Configuration has been disabled,
> > the protections put in place that prevent this vulnerability from
> > being automatically exploited would be removed.
> >
> > - -In the Web-based attack scenario, the attacker would have to host a
> > Web site that contained a Web page used to exploit this
> > vulnerability. An attacker would have no way to force a user to
> > visit a malicious Web Site. Instead, the attacker would need to lure
> > them there, typically by getting them to click a link that would take
> > them to the attacker's site.
> >
> > - -Exploiting the vulnerability would allow the attacker only the same
> > privileges as the user. Users whose accounts are configured to have
> > few privileges on the system would be at less risk than ones who
> > operate with administrative privileges.
> >
> > Risk Rating:
> > ============
> > -Critical
> >
> > Patch Availability:
> > ===================
> > - A patch is available to fix this vulnerability. Please read the
> > Security Bulletins at
> > http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
> > http://www.microsoft.com/security/security_bulletins/MS03-040.asp
> > for information on obtaining this patch.
> >
> >
> > - ---------------------------------------------------------------------
> >
> > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
> > PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
> > ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
> > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
> > IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
> > FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
> > CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
> > MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
> > POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
> > OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
> > THE FOREGOING LIMITATION MAY NOT APPLY.
> >
> >
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 7.1
> >
> > -----END PGP SIGNATURE-----
> >
> >
> > --
> > Larry Samuels MS-MVP (Windows-Shell/User)
> > Associate Expert
> > Unofficial FAQ for Windows Server 2003 at
> > http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> >
> >
> > _______________
> > Quote Ends
> > --
> > Invisible Dance, dark.apostle@mindspring.com
> >
> > "Jupiter Jones [MVP]" <jones_jupiter@hotnomail.com> wrote in message
> > news:e4DzU2jiDHA.3324@TK2MSFTNGP11.phx.gbl...
> > > Phil;
> > > Why are you posting "It is meant to sound harsh"?
> > > This is a newsgroup.
> > > One purpose is the exchange of information.
> > > Jerry gave information about an important Critical Update.
> > > How much more of an explanation is needed?
> > > Instead of wasting bandwidth, Jerry posted the relevant link, click
> > > it, the link works.
> >
> >
>
>
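The two marks this thread argues over (an attachment on the fake bulletins, a PGP clearsign wrapper on the quoted genuine one) can be checked mechanically. The following Python is an added example, not part of any post in this thread; the function name `triage_bulletin`, the verdict strings and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def triage_bulletin(raw: bytes) -> dict:
    """Classify a purported security bulletin by the thread's two criteria."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Criterion 1: any attached file, found by walking the whole MIME tree
    # so that nested parts are not missed.
    attachments = [(p.get_filename(), len(p.get_payload(decode=True) or b""))
                   for p in msg.walk()
                   if not p.is_multipart()
                   and (p.get_content_disposition() == "attachment"
                        or p.get_filename())]
    # Criterion 2: clearsign armor markers present and in the right order.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    marks = [body.find(m) for m in (BEGIN_SIGNED, BEGIN_SIG, END_SIG)]
    clearsigned = marks[0] >= 0 and marks[0] < marks[1] < marks[2]
    if attachments:
        verdict = "reject: carries an attachment"
    elif clearsigned:
        # Armor markers alone prove nothing; anyone can paste them.
        verdict = "verify signature against the vendor's published key"
    else:
        verdict = "unverified: no attachment, no signature"
    return {"attachments": attachments, "clearsigned": clearsigned,
            "verdict": verdict}

def _sample(signed: bool, attach: bool) -> bytes:
    """Build a constructed test message (not a real bulletin or worm sample)."""
    m = EmailMessage()
    m["Subject"] = "Security bulletin (constructed sample)"
    text = "Title: Cumulative Patch (constructed)\n"
    if signed:
        text = f"{BEGIN_SIGNED}\n\n{text}\n{BEGIN_SIG}\nPLACEHOLDER\n{END_SIG}\n"
    m.set_content(text)
    if attach:
        m.add_attachment(b"constructed-bytes", maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()

if __name__ == "__main__":
    for signed, attach in [(True, False), (False, True), (False, False)]:
        print(triage_bulletin(_sample(signed, attach))["verdict"])
```

A message that passes both checks has only earned a real signature verification; the armor lines themselves are plain text that any sender can include.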