MS Sec Notification mailing list archives

Previous By Date Next
Previous By Thread Next

Microsoft Security Bulletin MS02-068: Cumulative Patch for Internet Explorer (324929)

From: "Microsoft" <0_41748_04BF067D-4CF8-4245-B5C1-58573E5746A8_US () Newsletters Microsoft com>
Date: Wed, 4 Dec 2002 16:04:08 -0800
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Cumulative Patch for Internet Explorer (Q324929)
Date:       04 December 2002
Software:   Microsoft(r) Internet Explorer
Impact:     Information Disclosure
Max Risk:   Moderate
Bulletin:   MS02-068

Microsoft encourages customers to review the Security Bulletins at: 
http://www.microsoft.com/security/security_bulletins/MS02-068.asp
http://www.microsoft.com/technet/security/bulletin/MS02-068.asp.
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch for Internet Explorer 5.5 and 6.0. In 
addition to including the functionality of all previously released 
patches for Internet Explorer 5.5 and 6.0, it also eliminates a 
newly discovered flaw in Internet Explorer's cross-domain security 
model. This flaw occurs because the security checks that Internet 
Explorer carries out when particular object caching techniques are 
used in web pages are incomplete. This could have the effect of 
allowing a website in one domain to access information in another, 
including the user's local system.

Exploiting the vulnerability could enable an attacker to read, but 
not change, any file on the user's local computer. In addition, the 
attacker could invoke an executable that was already present on the 
local system. The attacker would need to know the exact location of 
the executable, and would not be able to pass parameters to it. 
Microsoft is not aware of any executable that ships by default as 
part of Windows and, when run without parameters, could be 
dangerous. 

An attacker could exploit the vulnerability by constructing a web 
page that uses a cached programming technique, and could then 
either host it on a web site or send it to a user via email. In the 
case of the web-based attack vector the page could be automatically 
opened when a user visited the site In the case of the HTML mail-
based attack vector, the page could be opened when the recipient 
opened the mail or viewed it using the Preview pane.

Mitigating Factors:
====================
- -Internet Explorer 5.01 is not affected by this vulnerability. 
- -The web-based attack scenario would provide no way for the 
 attacker to force users to visit the site. Instead, the attacker 
 would need to lure them there, typically by getting them to click 
 on a link that would take them to the attacker's site. 
- -The HTML mail-based attack scenario would be blocked by Outlook 
 Express 6.0 and Outlook 2002 in their default configurations, and 
 by Outlook 98 and 2000 if used in conjunction with the Outlook 
 Email Security Update. 
- -The vulnerability would allow an attacker to read but not add, 
 delete or modify files on the user's local system. 
- -The attacker would need to know the name and location of any file 
 on the system to successfully invoke it. If invoked, there would be 
 no way for an attacker to pass parameters to that executable. 
- -This vulnerability does not provide any way for an attacker to put 
 a program of their choice onto another user's system.

Risk Rating:
============

Moderate

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-068.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE 
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPe5c0o0ZSRQxA/UrAQH9+QgAqG29LelobUVrkeLCN3vE9Jj0P61nj9eX
MYxYheB2OUjFYNF8263tDxASQBLmk7I/RKw3zDTp+d1q1c2ngjEoibvLiDvExik5
n9F8RgvTH8XEo2lnxAes5VS4ASvdBRImT6jTD3hZ6DmhEwN9UAWsnynXsCu+GBOa
tD7JhIlTQWOwASI8f1c3ElMRVjFFs0IK8JX3zrhzPIUPrtO9HrjdSGss7c8jW4rk
c1yPFSO/eKA6bs47Mg5oApHrjPecYMw5OuFRuOtmbiAv9zFG4njCEPtoNkzN/wq3
XyEzR0kAt/VksBewljU7vh1xyyezIr1uuhlC2UQQwukpO2SbQ/SkHQ==
=wAs+
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification 
Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at 
http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at 
http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via 
email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at 
http://www.microsoft.com/security.
Previous By Date Next
Previous By Thread Next

Current thread: