===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2002.077 -- Microsoft Security Bulletin MS02-005
11 February 2002 Cumulative Patch for Internet Explorer
18 February 2002
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:            Internet Explorer 5.01
                    Internet Explorer 5.5
                    Internet Explorer 6
                    Outlook 98
                    Outlook 2000
                    Outlook 2002
                    Outlook Express 6
Vendor:             Microsoft
Operating System:   Windows
Impact:             Execute Arbitrary Code/Commands
                    Provide Misleading Information
                    Access Privileged Data
Access Required:    Remote

--------------------------BEGIN INCLUDED TEXT--------------------

----------------------------------------------------------------------
Title:      11 February 2002 Cumulative Patch for Internet Explorer
Date:       11 February 2002
Software:   Internet Explorer
Impact:     Run Code of Attacker's Choice
Max Risk:   Critical
Bulletin:   MS02-005

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp.
----------------------------------------------------------------------

Issue:
======

This is a cumulative patch that, when installed, eliminates all previously discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6. In addition, it eliminates the following six newly discovered vulnerabilities:

- A buffer overrun vulnerability associated with an HTML directive that's used to incorporate a document within a web page. By creating a web page that invokes the directive using specially selected attributes, an attacker could cause code to run on the user's system.

- A vulnerability associated with the GetObject scripting function.
  Before providing a handle to an operating system object, GetObject performs a series of security checks to ensure that the caller has sufficient privileges to it. However, by requesting a handle to a file using a specially malformed representation, it would be possible to bypass some of these checks, thereby allowing a web page to complete an operation that should be prevented, namely, reading files on a visiting user's system.

- A vulnerability related to the display of file names in the File Download dialogue box. When a file download from a web site is initiated, a dialogue provides the name of the file and lets the user choose what action to take. However, a flaw exists in the way HTML header fields (specifically, the Content-Disposition and Content-Type fields) are handled. This flaw could make it possible for an attacker to misrepresent the name of the file in the dialogue, in an attempt to trick a user into opening or saving an unsafe file.

- A vulnerability that could allow a web page to open a file on the web site, using any application installed on a user's system. By design, IE should only open a file on a web site using the application that's registered to that type of file, and even then only if it's on a list of safe applications. However, through a flaw in the handling of the Content-Type HTML header field, an attacker could circumvent this restriction, and specify the application that should be invoked to process a particular file. IE would comply, even if the application was listed as unsafe.

- A vulnerability that could enable a web page to run a script even if the user has disabled scripting. IE checks for the presence of scripts when initially rendering a page. However, the capability exists for objects on a page to respond to asynchronous events; by misusing this capability in a particular way, it could be possible for a web page to fire a script after the page has passed the initial security checks.
- A newly discovered variant of the "Frame Domain Verification" vulnerability discussed in Microsoft Security Bulletin MS01-058. The vulnerability could enable a malicious web site operator to open two browser windows, one in the web site's domain and the other on the user's local file system, and to use the Document.open function to pass information from the latter to the former. This could enable the web site operator to read, but not change, any file on the user's local computer that could be opened in a browser window. In addition, this could be used to misrepresent the URL in the address bar in a window opened from their site.

Mitigating Factors:
====================

Buffer Overrun in HTML Directive:

- The vulnerability could not be exploited if the "Run ActiveX Controls and Plugins" security option were disabled in the Security Zone in which the page was rendered. This is the default condition in the Restricted Sites Zone, and can be disabled manually in any other Zone.

- Outlook 98 and 2000 (after installing the Outlook Email Security Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted Sites Zone. As a result, customers using these products would not be at risk from email-borne attacks.

- The buffer overrun would allow code to run in the security context of the user rather than the system. The specific privileges the attacker could gain through this vulnerability would therefore depend on the privileges accorded to the user.

File Reading via GetObject function:

- This vulnerability could only be used to read files. It could not be used to create, change, delete, or execute them.

- The attacker would need to know the name and location of the file on the user's computer.

- Some files that would be of interest to an attacker - most notably, the SAM Database - are locked by the operating system and therefore could not be read even using this vulnerability.
- The email-borne attack scenario would be blocked if the user were using any of the following: Outlook 98 or 2000 with the Outlook Email Security Update installed; Outlook 2002; or Outlook Express 6.

- The web-based attack scenario could be blocked by judicious use of the IE Security Zones mechanism such as using the Restricted Sites zone.

File Download Dialogue Spoofing via Content-Type and Content-Disposition fields:

- Exploiting this vulnerability would not give an attacker the ability to force code to run on a user's system. It would only enable the attacker to misrepresent the file name and type in the File Download dialogue. The download operation would not occur without the user's approval, and the user could cancel at any time.

- The vulnerability could not be exploited if File Downloads have been disabled in the Security Zone in which the e-mail is rendered. This is not a default setting in any zone, however.

- On versions of IE prior to 6.0, the default selection in the file download dialogue is to save, rather than open, the file. (In IE 6.0, the default is to open the file; however, this behavior is inappropriate, and the patch changes IE 6.0 to conform with the behavior of previous versions).

Application invocation via Content-Type field:

- An attacker could only exploit this vulnerability if the application specified through the Content-Type field was actually installed on the user's system.

- The vulnerability does not provide any way for the attacker to inventory the applications installed on the user's system and select one, nor does it provide any way to force the user to install a particular application.

- The vulnerability would not provide any way to circumvent the security features of the application or to reconfigure it.

- Outlook 2002 users who have configured Outlook to render HTML mail as plaintext would be at no risk from attack through HTML mail.
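The two Content-Type / Content-Disposition issues above (dialogue spoofing and application invocation) both come down to a server sending a filename and a media type that disagree. The following is an editor's example, not code from the bulletin or from Microsoft: a proxy- or gateway-side check that parses the filename parameter and flags inconsistent or malformed download headers before a client's dialogue ever shows them. The extension and media-type sets, and the sample headers in the test, are constructed assumptions, not IE's safe-applications list.

```python
import re

# Constructed sets for this example; not Microsoft's list of safe applications.
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}
BENIGN_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg", "image/png"}
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream"}
BENIGN_EXT = {"txt", "htm", "html", "gif", "jpg", "jpeg", "png"}

# filename="quoted value" or filename=token (up to ';' or whitespace)
_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def parse_filename(content_disposition):
    """Return the filename parameter of a Content-Disposition value, or None."""
    m = _FILENAME_RE.search(content_disposition or "")
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def media_type_of(content_type):
    """Strip parameters such as charset= and normalise case."""
    return (content_type or "").split(";")[0].strip().lower()


def check_download_headers(content_type, content_disposition):
    """Return a list of findings; an empty list means the headers are consistent."""
    findings = []
    name = parse_filename(content_disposition)
    if name is None:
        return findings  # nothing advertised, nothing to spoof
    # CR/LF/NUL or path separators in a filename are never legitimate and
    # are the usual way a second, misleading name gets smuggled into a dialogue.
    if re.search(r"[\x00-\x1f\\/]", name):
        findings.append("filename contains control or path characters")
    mtype = media_type_of(content_type)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    # The spoofing pattern from MS02-005: the name shown to the user says one
    # thing, the media type that picks the handling application says another.
    if ext in EXECUTABLE_EXT and mtype in BENIGN_TYPES:
        findings.append(f"executable extension .{ext} served as {mtype}")
    if mtype in BINARY_TYPES and ext in BENIGN_EXT:
        findings.append(f"binary media type {mtype} with benign-looking name {name!r}")
    # Double extensions and padding are the classic way to hide the real type.
    if name.count(".") > 1 or name != name.strip():
        findings.append("multiple extensions or padding in filename")
    return findings
```

A gateway that applies this check would refuse or rewrite the response rather than rely on the user reading the dialogue correctly.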
Script execution:

- This vulnerability extends only to allowing scripts to run - it does not allow any other security restrictions to be bypassed. So, for instance, although an attacker could use this vulnerability to run a script, the script would still be subject to all other expected security settings.

Frame Domain Verification Variant via Document.Open function:

- The vulnerability could only be used to view files. It could not be used to create, delete, modify or execute them.

- The vulnerability would only allow an attacker to read files that can be opened in a browser window, such as image files, HTML files and text files. Other file types, such as binary files, executable files, Word documents, and so forth, could not be read.

- The attacker would need to specify the exact name and location of the file in order to read it.

Risk Rating:
============

- Internet systems: Critical
- Intranet systems: Critical
- Client systems: Critical

Patch Availability:
===================

- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-005.asp for information on obtaining this patch.

Acknowledgment:
===============

- The dH team and SECURITY.NNOV (http://www.security.nnov.ru/) team for reporting the buffer overrun vulnerability.
- Sandro Gauci of GFI security labs (http://www.gfi.com) for reporting the application invocation vulnerability.

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

PGP key: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key