Re: Microsoft Security Bulletin MS03-040 - 828750

From: Invisible Dance (dark.apostle_at_mindspring.com)
Date: 10/04/03


Date: Sat, 04 Oct 2003 07:16:01 GMT

Since "Jerry Bryant [MSFT] massively cross-posted (the same technique the
'swen' worm uses in posting to newsgroups), this is somewhat difficult to
explain, so I'll append an example of the same information that was posted
to microsoft.public.security.virus (not cross-posted as the 'swen' worm
cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have
valid hot-links to appropriate Microsoft websites, it's just that they also
have a malformed header and an infected attachment]) in a much better
fashion. If you are not viewing this thread in the
microsoft.public.security.virus you may not realize how bad the post from
"Jerry Bryant [MSFT] looks in context.

Realize that millons of fake, infected "Microsoft Security Bulletins" are
being sent out hourly by systems and networks infected by the 'swen' worm.
Some of us are geting a thousand or more each day. That makes it extremely
important to make every effort to ensure any legitimate information
purporting to be from Microsoft to distinguish itself from that provided by
the 'swen' worm.

Just in case you need a glimpse of the 'swen' worm product, look at (but be
very, very sure that you have all necessary Microsoft security patches and
Service Packs installed AND have an antivirus program with the latest virus
definitions scanning all operations of your computer before looking) the
post to microsoft.public.security.virus

Watch this security patch
From: Karol
Sent: 02OCT03 4:18 PM EDT

The post generated by the 'swen' worm has a malformed header AND has the ~
106,000 byte infectious attachment. Open this attached file and, without
up-to-date antivirus protection on your Windows 98 and up operating system
and your system WILL be infected.
______________________
Quote Begins
______________________
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (828750)
Date: October 3, 2003
Software: Internet Explorer 5.01
    Internet Explorer 5.5
            Internet Explorer 6.0
            Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-040

Microsoft encourages customers to review the Security Bulletins at:
    http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
    http://www.microsoft.com/security/security_bulletins/MS03-040.asp
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
In addition, it eliminates the following newly discovered
vulnerabilities:

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server in a
popup window. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user
visited an attacker's Web site, it would be possible for the attacker
to exploit this vulnerability without any other user action. An
attacker could also craft an HTML-based e-mail that would attempt to
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server during
XML data binding. It could be possible for an attacker who exploited
this vulnerability to run arbitrary code on a user's system. If a
user visited an attacker's Web site, it would be possible for the
attacker to exploit this vulnerability without any other user action.
An attacker could also craft an HTML-based e-mail that would attempt
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
Restricted Zone. It could be possible for an attacker exploiting a
separate vulnerability (such as one of the two vulnerabilities
discussed above) to cause Internet Explorer to run script code in the
security context of the Internet Zone. In addition, an attacker could
use Windows Media Player's (WMP) ability to open URL's to construct
an attack. An attacker could also craft an HTML-based e-mail that
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively an
attacker would have to host a malicious Web site that contained a Web
page designed to exploit these vulnerabilities. The attacker would
then have to persuade a user to visit that site.

As with the previous Internet Explorer cumulative patches released
with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this
cumulative patch will cause window.showHelp( ) to cease to function
if you have not applied the HTML Help update. If you have installed
the updated HTML Help control from Knowledge Base article 811630, you
will still be able to use HTML Help functionality after applying this
patch.

In addition to applying this security patch it is recommended that
users also install the Windows Media Player update referenced in
Knowledge Base Article 828026. This update is available from Windows
Update as well as the Microsoft Download Center for all supported
versions of Windows Media Player. While not a security patch, this
update contains a change to the behavior of Windows Media Player's
ability to launch URL's to help protect against DHTML behavior based
attacks. Specifically, it restricts Windows Media Player's ability
to launch URL's in the local computer zone from other zones.

Mitigating Factors:
====================
- -By default, Internet Explorer on Windows Server 2003 runs in
Enhanced
Security Configuration. This default configuration of Internet
Explorer
blocks automatic exploitation of this attack. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections
put in place that prevent this vulnerability from being automatically
exploited would be removed.

- -In the Web-based attack scenario, the attacker would have to host a
Web site that contained a Web page used to exploit this
vulnerability. An attacker would have no way to force a user to
visit a malicious Web Site. Instead, the attacker would need to lure
them there, typically by getting them to click a link that would take
them to the attacker's site.

- -Exploiting the vulnerability would allow the attacker only the same
privileges as the user. Users whose accounts are configured to have
few privileges on the system would be at less risk than ones who
operate with administrative privileges.

Risk Rating:
============
 -Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletins at
    http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
    http://www.microsoft.com/security/security_bulletins/MS03-040.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBP34rCY0ZSRQxA/UrAQFmqAgAlS+ZctG+OT7Rd49WfGdz2ISdMNZ1E1ay
IpWYrj5leBrc5KTLf7fadhy9209A96gppJbV6lIWqP1gvQWrWaW8XZzyhvsX7FH+
922nYeQLUsPp3R+wA2jZP6OvcfTFOUqa4nDM9oisO7qMEc2SuDdQWont2IzeAf6h
3P6VjblfQ72pxPAYuFSRN0xKZGzqcSKqWYwy+APgjp3a+J1tO17ur+1jhz6BgI9w
CZcAOxluayX6IxOixaWFBZUmiITGFImYFY1Ql+LQSdTCVv11R+IKrhAsRwfyfA9r
7AqjjZfWrB/ScpPdrobt3W9eFSxgHCjMen7SIB5SuTldsWwpu7IBHg==
=vhUD
-----END PGP SIGNATURE-----

-- 
Larry Samuels MS-MVP  (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone - www.microsoft.com/windowsxp/expertzone
_______________
Quote Ends
-- 
Invisible Dance, dark.apostle@mindspring.com
-- 
Invisible Dance, dark.apostle@mindspring.com
"Jonathan Maltz [MS-MVP]" <jmaltz@mvps.org> wrote in message
news:uGRsW$jiDHA.884@TK2MSFTNGP10.phx.gbl...
> Hi Mae,
>
> I also appreciate bulletins like this.  I just wanted to make you aware
that
> Microsoft also has Email updates that you can subscribe to:
> http://www.microsoft.com/security/security_bulletins/decision.asp
>
> -- 
> --Jonathan Maltz [Microsoft MVP - Windows Server]
> http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
> tutorial site :-)
> Only reply by newsgroup.  If I see an email I didn't ask for, it will be
> deleted without reading.
>
>
> "mae" <agrannie@notemail.msn.com> wrote in message
> news:%23lH3yKjiDHA.2960@TK2MSFTNGP11.phx.gbl...
> Thank you and FYI, I rely on these postings you provide in such a timely
> manner.
>  It makes it easier for me and main reason  I subscribe to this group.
>
> mae
> -------------------------------------------------------------
> "Jerry Bryant [MSFT]" <jbryant@online.microsoft.com> wrote in message
> news:Ol5il6hiDHA.3712@tk2msftngp13.phx.gbl...
> | Title: Cumulative Patch for Internet Explorer Execution (828750)
> | Date: October 3, 2003
> | Software:
> | Internet Explorer 5.01
> | Internet Explorer 5.5
> | Internet Explorer 6.0
> | Internet Explorer 6.0 for Windows Server 2003
> | Impact: Run code of attacker's choice.
> | Maximum Severity Rating: Critical
> | Bulletin: MS03-040
> |
> | The Microsoft Security Response Center has released Microsoft Security
> | Bulletin MS03-040
> |
> | What Is It?
> | The Microsoft Security Response Center has released Microsoft Security
> | Bulletin MS03-040 which concerns a vulnerability in Internet Explorer.
> | Customers are advised to review the information in the bulletin, test
and
> | deploy the patch immediately in their environments, if applicable.
> |
> | More information is now available at
> | http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
> |
> | If you have any questions regarding the patch or its implementation
after
> | reading the above listed bulletin you should contact Product Support
> | Services in the United States at 1-866-PCSafety (1-866-727-2338).
> | International customers should contact their local subsidiary.
> |
> |
> |
> | -- 
> | Regards,
> |
> | Jerry Bryant - MCSE, MCDBA
> | Microsoft IT Communities
> |
> | Get Secure! www.microsoft.com/security
> |
> |
> | This posting is provided "AS IS" with no warranties, and confers no
> rights.
> |
> |
>
>