-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2002.654 -- Microsoft Security Bulletin MS02-066
             Cumulative Patch for Internet Explorer (Q328970)
                             21 November 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Internet Explorer 6.0
                        Internet Explorer 5.5
                        Internet Explorer 5.01
Vendor:                 Microsoft
Operating System:       Windows
Impact:                 Denial of Service
                        Execute Arbitrary Code/Commands
                        Reduced Security
Access Required:        Remote

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------
Title:      Cumulative Patch for Internet Explorer (Q328970)
Date:       20 November 2002
Software:   Internet Explorer
Impact:     Execute commands on a user's system
Max Risk:   Important
Bulletin:   MS02-066

Microsoft encourages customers to review the Security Bulletins at: 

http://www.microsoft.com/security/security_bulletins/ms02-066.asp 
http://www.microsoft.com/technet/security/bulletin/MS02-066.asp.


----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all 
previously released patches for IE 5.01, 5.5 and 6.0. In addition, 
it eliminates the following six newly discovered vulnerabilities: 


- A buffer overrun vulnerability that occurs because Internet 
  Explorer does not correctly check the parameters of a PNG graphics 
  file when it is opened. To the best of Microsoft's knowledge, this 
  vulnerability could only be used to cause Internet Explorer to 
  fail. The effect of exploiting the vulnerability against Internet 
  Explorer would be relatively minor - the user would only need to 
  restart the browser to restore normal operation. However, a number 
  of other Microsoft products - notably, most Microsoft Office 
  products and Microsoft Index Server - rely on Internet Explorer to 
  render PNG files, and exploiting the vulnerability against such an 
  application would cause it to fail as well. Because of this, 
  Microsoft recommends that customers install this patch regardless 
  of whether they are using Internet Explorer as their primary web 
  browser.

- An information disclosure vulnerability related to the way that 
  Internet Explorer handles encoded characters in a URL. This 
  vulnerability could allow an attacker to craft a URL containing 
  some encoded characters that would redirect a user to a second web 
  site. If a user followed the URL, the attacker would be able to 
  piggy-back on the user's access to the second web site. This could 
  allow the attacker to access any information the user shared with 
  the second web site.

- A vulnerability that occurs because under certain circumstances 
  Internet Explorer does not correctly check the component that the 
  OBJECT tag calls. This could allow an attacker to obtain the name 
  of the Temporary Internet Files folder on the user's local machine.
  The vulnerability would not allow an attacker to read or modify 
  any files on the user's local system, since the Temporary Internet 
  Files folder resides in the Internet security zone. Knowledge of 
  the name of the Temporary Internet Files folder could allow an 
  attacker to identify the username of the logged-on user and read 
  other information in the Temporary Internet Files folder, such as 
  cookies.

- Three vulnerabilities that, although they have differing root 
  causes, have the same net effect. All three vulnerabilities result 
  from incomplete security checks being carried out when using 
  particular programming techniques in web pages, and would have the 
  effect of allowing one web site to access information in another 
  domain, including the user's local system. This could enable the 
  web site operator to read, but not change, any file on the user's 
  local computer that could be viewed in a browser window. In 
  addition, this could also enable an attacker to invoke an 
  executable that was already present on the local system.
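The first item above attributes the PNG failure to file parameters that Internet Explorer did not check before use. As an added illustration, not code from the bulletin or from any Microsoft product, the block below shows the kind of bounds-checked chunk walk a PNG reader needs: every declared chunk length is compared against the bytes actually present before the payload is touched. The sample image is constructed inline, the size limits are assumptions, and CRCs are deliberately not verified so the block stays focused on the length checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example, not Microsoft's or Internet Explorer's code: a bounds-checked walk over
 * PNG chunks that validates each chunk header against the bytes actually present before
 * touching its payload. Size limits are assumptions for the example; CRCs are not verified. */
#define PNG_MAX_DIM   (1u << 24)    /* assumed sane upper bound on width and height */
#define PNG_MAX_CHUNK 0x7FFFFFFFu   /* PNG spec: a chunk length must fit in 31 bits */
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
/* Big-endian 32-bit read; PNG stores every length and dimension this way. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* Returns 0 for a structurally sane PNG, else a negative code for the first failed check. */
int png_validate(const uint8_t *buf, size_t len) {
    size_t off = 8;
    int saw_ihdr = 0;
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return -1;   /* bad signature */
    for (;;) {
        if (len - off < 12) return -2;               /* no room for length + type + CRC */
        uint32_t clen = be32(buf + off);
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        if (clen > PNG_MAX_CHUNK) return -3;         /* length field outside the spec */
        if (clen > len - off - 12) return -4;        /* declared length exceeds the buffer: the overrun case */
        if (!saw_ihdr) {                             /* the first chunk must be a 13-byte IHDR */
            if (memcmp(type, "IHDR", 4) != 0 || clen != 13) return -5;
            uint32_t w = be32(data), h = be32(data + 4);
            if (w == 0 || h == 0 || w > PNG_MAX_DIM || h > PNG_MAX_DIM) return -6;
            saw_ihdr = 1;
        }
        off += 12 + (size_t)clen;                    /* safe: the check above bounds clen */
        if (memcmp(type, "IEND", 4) == 0) return off == len ? 0 : -7;   /* trailing bytes after IEND */
    }
}

/* Constructed sample: a minimal 1x1 RGB PNG skeleton (IHDR + IEND; CRC bytes are placeholders). */
#define SAMPLE_LEN 45
static const uint8_t SAMPLE_PNG[SAMPLE_LEN] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0, 0x90, 0x77, 0x53, 0xDE,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82};

/* Validates the sample as-is, or with its IHDR length byte overwritten so the chunk claims 255 payload bytes where only 25 follow. */
int check_sample(int corrupt_ihdr_length) {
    uint8_t copy[SAMPLE_LEN];
    memcpy(copy, SAMPLE_PNG, SAMPLE_LEN);
    if (corrupt_ihdr_length) copy[11] = 0xFF;
    return png_validate(copy, SAMPLE_LEN);
}
```

A reader that applied the -4 check before allocating or copying the chunk payload would reject the corrupted sample instead of reading past the end of the file buffer.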

In addition, the patch sets the Kill Bit on a legacy DirectX 
ActiveX control which has been retired but which has a security 
vulnerability. This has been done to ensure that the vulnerable 
control cannot be reintroduced onto users' systems and ensures 
that users who already have the control on their system are 
protected. This is discussed further in Microsoft Knowledge Base 
Article 810202. 

The patch also makes a further refinement to the cross-domain 
verification check that was first introduced in Internet Explorer 
Service Pack 1.

Mitigating Factors:
====================

With the exception of the Malformed PNG Image File Failure, there 
are common mitigating factors across all of the vulnerabilities: 

- The attacker would have to host a web site that contained a web 
  page used to exploit the particular vulnerability. 
- The attacker would have no way to force users to visit the site. 
  Instead, the attacker would need to lure them there, typically by 
  getting them to click on a link that would take them to the 
  attacker's site. 
- By default, Outlook Express 6.0 and Outlook 2002 open HTML mails 
  in the Restricted Sites Zone. In addition, Outlook 98 and 2000 
  open HTML mails in the Restricted Sites Zone if the Outlook Email 
  Security Update has been installed. Customers who use any of these 
  products would be at no risk from an e-mail borne attack that 
  attempted to exploit these vulnerabilities. 

In addition, there are a number of individual mitigating factors: 

Malformed PNG Image File Failure 

- Internet Explorer and other affected applications such as 
  Microsoft Office and Microsoft Index Server could be successfully 
  restarted after the failure. 
- Microsoft has not identified a method by which this buffer 
  overrun can be used to execute code of the attacker's choice on 
  the user's system. 
- This vulnerability is not present in Internet Explorer 6 Service 
  Pack 1. 

Encoded Characters Information Disclosure 

- The vulnerability would not enable an attacker to read, modify 
  or execute any files on the local system. 

Temporary Internet Files folder Name Reading 

- An attacker could not use this vulnerability to read, delete or 
  modify any files on the user's local system other than information 
  contained in the Temporary Internet Files folder. 
- An attacker could only exploit this vulnerability by having a 
  user visit a malicious web site and then follow a malformed link 
  on this malicious web site to a second web site that the user 
  trusted. 
- This vulnerability is not present in Internet Explorer 6 Service 
  Pack 1. 

Frames Cross Site Scripting, Cross Domain Verification via Cached 
Methods & Improper Cross Domain Security Validation with Frames 

- The vulnerabilities would only allow an attacker to read files 
  on the user's local system that can be rendered in a browser 
  window, such as image files, HTML files and text files. 
- The vulnerabilities would not provide any way for an attacker to 
  put a program of their choice onto another user's system. 
- An attacker would need to know the name and location of any file 
  on the system to successfully invoke it. 
- The vulnerabilities could only be used to view or invoke local 
  executables. They could not be used to create, delete, or modify 
  arbitrary or malicious files.

Risk Rating:
============
- Important

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the 
  Security Bulletin at
  http://www.microsoft.com/technet/security/bulletin/ms02-066.asp
  for information on obtaining this patch.
 
Acknowledgment:
===============
- Microsoft thanks eEye Digital Security for reporting the 
  malformed PNG issue to us and working with us to protect customers.

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE 
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN 
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE 
EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR 
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----