MS03-015 : Cumulative Patch for Internet Explorer

[Steven]

-----BEGIN PGP SIGNED MESSAGE-----

- -------------------------------------------------------------------

Title: Cumulative Patch for Internet Explorer (813489)

Date: 23 April 2003

Software: Microsoft © Internet Explorer

Impact: Run code of the attacker's choice on a user's machine.

Max Risk: Critical

Bulletin: MS03-015

Microsoft encourages customers to review the Security Bulletins at:

http://www.microsoft.com/technet/security/...in/MS03-015.asp

http://www.microsoft.com/security/security...ns/ms03-015.asp

- -------------------------------------------------------------------

Issue:

======

This is a cumulative patch that includes the functionality of all

previously released patches for Internet Explorer 5.01, 5.5 and

6.0. In addition, it eliminates the following four newly discovered

vulnerabilities:

- -A buffer overrun vulnerability in URLMON.DLL that occurs because

Internet Explorer does not correctly check the parameters of

information being received from a web server. It could be possible

for an attacker to exploit this vulnerability to run arbitrary code

on a user's system. A user simply visiting an attacker's website

could allow the attacker to exploit the vulnerability without any

other user action.

- -A vulnerability in the Internet Explorer file upload control that

allows input from a script to be passed to the upload control. This

vulnerability could allow an attacker to supply a file name to the

file upload control and automatically upload a file from the user's

system to a web server.

- -A flaw in the way Internet Explorer handles the rendering of third

party files. The vulnerability results because the Internet

Explorer method for rendering third party file types does not

properly check parameters passed to it. An attacker could create a

specially formed URL that would inject script during the rendering

of a third party file format and cause the script to execute in the

security context of the user.

- -A flaw in the way modal dialogs are treated by Internet Explorer

that occurs because an input parameter is not properly checked.

This flaw could allow an attacker to use an injected script to

provide access to files stored on a user's computer. Although a

user who visited the attacker's website could allow the attacker to

exploit the vulnerability without any other user action, an

attacker would have no way to force the user to visit the website.

In addition to eliminating the above vulnerabilities, this patch

also includes a fix for Internet Explorer 6.0 SP1 that corrects the

method by which Internet Explorer displays help information in the

local computer zone. While we are not aware of a method to exploit

this vulnerability by itself, if it were possible to exploit it, it

could allow an attacker to read local files on a visiting user's

system.

This patch also sets the Kill Bit on the Plugin.ocx ActiveX control

which has a security vulnerability. This killbit has been set in

order to ensure that the vulnerable control cannot be reintroduced

onto users' systems and to ensure that users who already have the

vulnerable control on their system are protected. This issue is

discussed further in Microsoft Knowledge Base Article 813489.

Like the previous Internet Explorer cumulative patch released with

bulletin MS03-004, this cumulative patch will cause

window.showHelp( ) to cease to function if you have not applied the

HTML Help update. If you have installed the updated HTML Help

control from Knowledge Base article 811830, you will still be able

to use HTML Help functionality after applying this patch.

Mitigating factors:

====================

There are common mitigating factors across all of the

vulnerabilities:

- -The attacker would have to host a web site that contained a web

page used to exploit the particular vulnerability.

- -By default, Outlook Express 6.0 and Outlook 2002 open HTML mails

in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open

HTML mails in the Restricted Sites Zone if the Outlook Email

Security Update has been installed. Customers who use any of these

products would be at no risk from an e-mail borne attack that

attempted to automatically exploit these vulnerabilities. The

attacker would have no way to force users to visit a malicious web

site. Instead, the attacker would need to lure them there,

typically by getting them to click on a link that would take them

to the attacker's site.

In addition to the common factors, there are a number of individual

mitigating factors:

URLMON.DLL Buffer Overrun:

- -Code that executed on the system would only run under the

privileges of the locally logged in user.

File Upload Control vulnerability:

- -The attacker would have to know the explicit path and name of the

file to be uploaded in advance.

Third Party plug-in rendering:

- -The third party plugin would have to be present on the user's

system in order for it to be exploited

Risk Rating:

============

- Critical

Patch Availability:

===================

- A patch is available to fix this vulnerability. Please read the

Security Bulletins at

http://www.microsoft.com/technet/security/...in/ms03-015.asp

http://www.microsoft.com/security/security...ns/ms03-015.asp

for information on obtaining this patch.

- ----------------------------------------------------------------

Edited April 25, 2003 by xStainDx

[PROGAME]

http://www.microsoft.com/downloads/details...&DisplayLang=en

Date Published:

4/3/2003

a typo? :happy: