Microsoft Security Bulletin MS02-047: Cumulative Patch for Internet Ex


Recommended Posts

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------

Title: Cumulative Patch for Internet Explorer (Q323759)

Date: 22 August 2002

Software: Internet Explorer

Impact: Six new vulnerabilities, the most serious of which

could enable an attacker to execute commands on a

user's system.

Max Risk: Critical

Bulletin: MS02-047

Microsoft encourages customers to review the Security Bulletin at:

http://www.microsoft.com/technet/security/...in/MS02-047.asp.

- ----------------------------------------------------------------------

Issue:

======

This is a cumulative patch that includes the functionality of all

previously released patches for IE 5.01, 5.5 and 6.0. In addition,

it eliminates the following six newly discovered vulnerabilities:

- A buffer overrun vulnerability affecting the Gopher protocol

handler. This vulnerability was originally discussed in

Microsoft Security Bulletin MS02-027, which provided workaround

instructions while the patch provided here was being completed.

- A buffer overrun vulnerability affecting an ActiveX control used

to display specially formatted text. The control contains a buffer

overrun vulnerability that could enable an attacker to run code

on a user?s system in the context of the user.

- A vulnerability involving how Internet Explorer handles an HTML

directive that displays XML data. By design, the directive

should only allow XML data from the web site itself to be

displayed. However, it does not correctly check for the case

where a referenced XML data source is in fact redirected to a

data source in a different domain. This flaw could enable an

attacker?s web page to open an XML-based files residing a

remote system within a browser window that the site could

read, thereby enabling the attacker to read contents from

websites that users had access to but the attacker was not

able to navigate to.

- A vulnerability involving how Internet Explorer represents the

origin of a file in the File Download Dialogue box. This flaw

could enable an attacker to misrepresent the source of a file

offered for download in an attempt to fool users into

accepting a file download from an untrusted source believing

it to be coming from a trusted source.

- A Cross Domain verification vulnerability that occurs because

of improper domain checking in conjunction with the Object tag.

As a result, the vulnerability could enable a malicious web

site operator to access data across different domains, for

example one in a web site?s domain and the other on the

user?s local file system and then pass information from the

latter to the former. This could enable the web site operator

to read, but not change, any file on the user?s local computer

that could be viewed n a browser window. In addition, this can

also enable an attacker to invoke, but not pass parameters to,

an executable on the local system, much like the

"Local Executable Invocation via Object tag" vulnerability

discussed in MS02-015.

- A newly reported variant of the "Cross-Site Scripting in Local

HTML Resource" vulnerability originally discussed in

Microsoft Security Bulletin MS02-023. Like the original

vulnerability, this variant could enable an attacker to create

a web page that, when opened, would run in the Local Computer

zone, allowing it to run with fewer restrictions than it would

in the Internet Zone.

In addition, the patch sets the Kill Bit on the MSN Chat ActiveX

control discussed in Microsoft Security Bulletin MS02-022 as well

as the TSAC ActiveX control discussed in Microsoft Security

Bulletin MS02-046. This has been done to ensure that vulnerable

controls cannot be introduced onto users? systems. Customers

who use the MSN Chat control should ensure that they have applied

the updated version of the control discussed in MS02-022 and

customers who use the TSAC control should ensure that they

have applied the updated version of the control discussed

in MS02-046 .

Mitigating Factors:

====================

Buffer Overrun in Gopher Protocol Handler:

- The vulnerability would provide the attacker with user?s own

privileges on the system. Customers who run with fewer than

full privileges on the system would therefore be at lower risk.

Buffer Overrun in Legacy Text Formatting ActiveX Control:

- The vulnerable ActiveX control is not installed by default as

part of a current version of IE. Upon learning of the

vulnerability, Microsoft removed the download from its site

to minimize the likelihood that users would have the control

on their systems.

- The vulnerability would provide the attacker with the user?s

own privileges on the system. Customers who run with fewer

than full privileges on the system would therefore be at

lower risk.

- Customers who use Outlook Express 6.0 or Outlook 2002

(or Outlook 98 or 2000 in conjunction with the Outlook Email

Security Update) would by default by protected against

email-borne attacks via this vulnerability unless they

specifically clicked a link within the email message.

XML File Reading via Redirect:

- The vulnerability only provides a capability to read

XML-based files that they know the complete path to.

- The vulnerability could not be used to add, change or delete

files.

- Customers who use Outlook Express 6.0 or Outlook 2002

(or Outlook 98 or 2000 in conjunction with the Outlook Email

Security Update) would by default by protected against

email-borne attacks via this vulnerability.

File Origin spoofing:

- The vulnerability does not give an attacker the means to

place or run executables directly on the system: user

interaction is required in a successful attack.

Cross Domain Verification in Object Tag:

- The vulnerability would not enable the attacker to pass any

parameters to an executable program. Microsoft is not aware

of any programs installed by default in any version of

Windows that, when called with no parameters, could be used

to compromise the system.

- An attacker could only invoke a file on the victim?s local

machine. The vulnerability could not be used to execute a

program on a remote share or web site.

- The vulnerability would not provide any way for an attacker

to put a program of his choice onto another user?s system.

- An attacker would need to know the name and location of any

file on the system to successfully invoke it.

- The vulnerability could only be used to view or invoke files.

It could not be used to create, delete, or modify them.

- The vulnerability would only allow an attacker to read files

that can be rendered in a browser window, such as image files,

HTML files and ext files. Other file types, such as binary

files, executable files, Word documents, and so forth, could

not be read.

- Outlook 98 and 2000 (after installing the Outlook Email Security

Update), Outlook 2002, and Outlook Express 6 all open HTML mail

in the Restricted Sites Zone. As a result, customers using

these products would not be at risk from email-borne attacks.

Variant of Cross-Site Scripting in Local HTML Resource:

- Outlook 98 and 2000 (after installing the Outlook Email

Security Update), Outlook 2002, and Outlook Express 6 all

open HTML mail in the Restricted Sites Zone. As a result,

customers using these products would not be at risk from

automated email-borne attacks. However, these customers can

still be attacked if they choose to click on a hyperlink in a

malicious HTML email.

- Customers using Outlook 2002 SP1 who have enabled the "Read as

Plain Text" feature would be immune from the HTML email

attack. This is because this feature disables all HTML

elements, including scripting, from mail when it is displayed.

- Any limitations on the rights of the user's account would

also limit the actions of the attacker's script.

- Customers who exercise caution in what web sites they visit

or who place unknown or untrusted sites in the Restricted

Sites zone can potentially protect themselves from attempts

to exploit this issue on the web.

Aggregate Severity of all issues included in this patch

(including issues addressed in previously released patches):

============

- Internet systems: Critical

- Intranet systems: Critical

- Client systems: Critical

Patch Availability:

===================

- A patch is available to fix this vulnerability. Please read the

Security Bulletin at

http://www.microsoft.com/technet/security/...in/ms02-047.asp

for information on obtaining this patch.

Acknowledgment:

===============

- GreyMagic Software (http://sec.greymagic.com/news/) for

reporting the XML File Reading via Redirect vulnerability.

- Mark Litchfield of Next Generation Security Software Ltd.

(http://www.nextgenss.com/) for reporting the Buffer Overrun

in Legacy Text Formatting ActiveX Control vulnerability.

- Jouko Pynnonen of Oy Online Solutions Ltd for reporting

the File Origin Spoofing vulnerability.

- ---------------------------------------------------------------------

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.