[MS02-68] IE5/6SP1-December 2002, Cumulative Patch


Recommended Posts

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------

Title: Cumulative Patch for Internet Explorer (324929)

Released: 04 December 2002

Revised: 06 December 2002 (version 2.0)

Software: Microsoft® Internet Explorer

Impact: Allow an attacker to execute commands on a user's

system.

Max Risk: Critical

Bulletin: MS02-068

Microsoft encourages customers to review the Security Bulletins at:

http://www.microsoft.com/security/security...ns/ms02-068.asp

http://www.microsoft.com/technet/security/...in/MS02-068.asp.

- ----------------------------------------------------------------------

Reason for Revision:

====================

This is an updated bulletin describing a cumulative patch for

Internet Explorer 5.5 and 6.0. The original patch released on

December 4, 2002 is unchanged. However since releasing the

patch, Microsoft has received a report suggesting that the

vulnerability addressed by this bulletin could be exploited to

run arbitrary code on a user's machine. Microsoft investigated

that report, and was able to develop a demonstration that

exploits the vulnerability to run arbitrary code. We have

released this updated bulletin to advise customers of our new

assessment of the potential impact of the vulnerability, and

of its updated severity rating.

Issue:

======

This is an updated bulletin describing a cumulative patch for

Internet Explorer 5.5 and 6.0. The original patch is unchanged and,

in addition to including the functionality of all previously

released patches for Internet Explorer 5.5 and 6.0, eliminates one

additional flaw in Internet Explorer's cross-domain security model.

This flaw occurs because the security checks that Internet Explorer

carries out when particular object caching techniques are used in

web pages are incomplete. This could have the effect of allowing an

attacker to execute commands on a user's system.

Exploiting the vulnerability could enable an attacker to invoke an

executable that was already present on the local system. It could

also allow an attacker to load a malicious executable onto a user's

system, or to pass parameters to an executable. However, a registry

key setting discussed in Microsoft Knowledge Base Article 810687

disables shortcuts in HTML Help, which significantly reduces the

scope of this vulnerability as it removes the ability to load a

malicious executable on a user's system or to pass parameters to an

executable.

An attacker could exploit the vulnerability by constructing a web

page that uses a cached programming technique, and could then

either host it on a web site or send it to a user via email. In the

case of the web-based attack vector the page could be automatically

opened when a user visited the site. In the case of the HTML mail-

based attack vector, the page could be opened when the recipient

opened the mail or viewed it using the Preview pane.

On December 4, 2002, Microsoft released the original version of

this bulletin. Subsequent to that time, Microsoft received a report

suggesting that the vulnerability addressed by this bulletin could

be exploited to run arbitrary code on a user's machine. Microsoft

investigated that report, and was able to develop a demonstration

that exploits the vulnerability to run arbitrary code. We have

released this updated bulletin to advise customers of our new

assessment of the potential impact of the vulnerability, and of its

updated severity rating.

The original patch released with this bulletin was and is effective

in preventing exploitation of the vulnerability. It is also

effective in eliminating all vulnerabilities addressed by prior

bulletins that could allow a malicious party to run code on the

machine of a user who visited a hostile web site or opened a

malicious HTML email message. Microsoft strongly urges all

customers to install the patch.

Mitigating Factors:

====================

- -Internet Explorer 5.01 is not affected by this vulnerability.

- -The web-based attack scenario would provide no way for the attacker

to force users to visit the site. Instead, the attacker would need

to lure them there, typically by getting them to click on a link

that would take them to the attacker's site.

- -The HTML mail-based attack scenario would be blocked by Outlook

Express 6.0 and Outlook 2002 in their default configurations, and

by Outlook 98 and 2000 if used in conjunction with the Outlook

Email Security Update.

- -If the steps described in Microsoft Knowledge Base Article 810687

have been taken to restrict shortcuts in HTML Help, then the

following mitigating factors apply:

-The vulnerability would allow an attacker to read but not add,

delete or modify files on the user's local system.

-The attacker would need to know the name and location of any file

on the system to successfully invoke it. If invoked, there would

be

no way for an attacker to pass parameters to that executable.

-The vulnerability would not provide any way for an attacker to put

a program of their choice onto another user's system.

Risk Rating:

============

Critical

Patch Availability:

===================

- A patch is available to fix this vulnerability. Please read the

Security Bulletin at

http://www.microsoft.com/technet/security/...in/ms02-068.asp

for information on obtaining this patch.

- ---------------------------------------------------------------------

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.