Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2003.0073 -- Microsoft Security Bulletin MS03-004 Cumulative Patch for Internet Explorer (810847) 06 February 2003 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Internet Explorer 5.01 Internet Explorer 5.5 Internet Explorer 6.0 Vendor: Microsoft Operating System: Windows 98SE Windows ME Windows NT Windows 2000 Windows XP Platform: i386 IA-64 Impact: Execute Arbitrary Code/Commands Access Privileged Data Access Required: Remote Ref: ESB-2002.677 Comment: CVE Id: CAN-2002-1326 CAN-2002-1328 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- - - ------------------------------------------------------------------- Title: Cumulative Patch for Internet Explorer (810847) Date: 05 February 2003 Software: Microsoft Internet Explorer Impact: Allow an attacker to execute commands on a user's system. Max Risk: Critical Bulletin: MS03-004 Microsoft encourages customers to review the Security Bulletins at: http://www.microsoft.com/technet/security/bulletin/ms03-004.asp http://www.microsoft.com/security/security_bulletins/ms03-004.asp - - ------------------------------------------------------------------- Issue: ====== This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5, 6.0. In addition, it eliminates two newly discovered vulnerabilities involving Internet Explorer's cross-domain security model - which keeps windows of different domains from sharing information. These flaws results in Internet Explorer because incomplete security checking causes Internet Explorer to allow one website to potentially access information from another domain when using certain dialog boxes. In order to exploit this flaw, an attacker would have to host a malicious web site that contained a web page designed to exploit this particular vulnerability and then persuade a user to visit that site. Once the user has visited the malicious web site, it would be possible for the attacker to run malicious script by misusing a dialog box and cause that script to access information in a different domain. In the worst case, this could enable the web site operator to load malicious code onto a user's system. In addition, this flaw could also enable an attacker to invoke an executable that was already present on the local system. A related cross-domain vulnerability allows Internet Explorer's showHelp() functionality to execute without proper security checking. showHelp() is one of the help methods used to display an HTML page containing help content. showHelp() allows more types of pluggable protocols than necessary, and this could potentially allow an attacker to access user information, invoke executables already present on a user's local system or load malicious code onto a user's local system. The requirements to exploit this vulnerability are the same as for the issue described above: an attacker would have to host and lure a user to a malicious web site. In this scenario, the attacker could open a showHelp window to a known local file on the visiting user's local system and gain access to information from that file by sending a specially crafted URL to a second showHelp window. The attacker could also potentially access user information or run code of attacker's choice. This cumulative patch will cause window.showHelp( ) to cease to function. When the latest HTML Help update - which is being released via Windows Update with this patch - is installed, window.showHelp( ) will function again, but with some limitations (see the caveats section later in this bulletin). This has been necessary in order to block the attack vector that might allow a web site operator to invoke an executable that was already present on a user's local system. Mitigating Factors: ==================== - The attacker would have to host a web site that contained a web page used to exploit either of these cross-domain vulnerabilities. - The attacker would have no way to force users to visit the site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site. - By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that attempted to exploit this vulnerability unless the user clicked a malicious link in the email. - Internet Explorer 5.01 users are not affected by the first vulnerability. Risk Rating: ============ - Internet Explorer 5.01: Critical - Internet Explorer 5.5: Critical - Internet Explorer 6.0: Critical Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletins at http://www.microsoft.com/technet/security/bulletin/ms03-004.asp http://www.microsoft.com/security/security_bulletins/ms03-004.asp for information on obtaining this patch. Acknowledgment: =============== - Andreas Sandblad, Sweden for reporting the cross domain vulnerability using showhelp. Home User Security Notification Service ======================================= Microsoft is now offering the Microsoft Security Update, a security bulletin notification service for home users. To learn more about this service, please go to: http://www.microsoft.com/security/security_bulletins/decision.asp - - ------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. - -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPkFrFI0ZSRQxA/UrAQHlSwf7B/TI09fbp5QgCyJ9tKNovkIZKdkYpWq/ V3R6r7Kc59LF2wNgn+f2SGR8Os0WQofRFiEY2hI1UaT4D8gDyloMmHVIF03HrQ8s z9KTq41JD3WRX6mnGvReUM9mOI47/XV4IW1A4qfTqhla1S5A1OO74y0zGH7TjNnk kx3vN+6ihvBq+kJz6/hKXSwPJFAg4lMtiRWCZoxBphaVcYWxBGSX2JxevOHN8XD+ Ufc9tHMOC3K0NesA+KCIolRokO2SYjSi1IWfeL0fZc7BDdUns2/KZ9G75SCtZJEZ ImLXOwlIH+Ah8qGON5WWE+ha3D7AC6ZO91eX2vWJUXLEu8ZISCyo+A== =m/kr - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBPkKYIih9+71yA2DNAQE69QP+Kz8zDdLpkBMeSadJ/Cru9B7hznSs0BHw EUXVFcbBF3pB3r/q2fxhp8htQH5pijWAIdnBzc0BuHxbhSZgzeDqpS/+ebIT86NU ObMelJlJIyqBpOSNDdfigacQvAWi3xdEpC9FZ9A4pPbd4CVCMufupRYwgboD2UZr i3HhbTRoajo= =iQbr -----END PGP SIGNATURE-----