Microsoft Security Bulletin MS03-004: Cumulative Patch for Internet Explorer (810847)

["Microsoft" <0_44244_04BF067D-4CF8-4245-B5C1-58573E5746A8_US () Newsletters Microsoft com>]

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Cumulative Patch for Internet Explorer (810847)
Released:   5 February 2003
Revised:    12 February 2003(version 2.0)
Software:   Microsoft Internet Explorer 5.01 
            Microsoft Internet Explorer 5.5 
            Microsoft Internet Explorer 6.0 
Impact:     Allow an attacker to execute commands on a user's 
            system. 
Max Risk:   Critical
Bulletin:   MS03-004

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS03-004.asp
http://www.microsoft.com/security/security_bulletins/ms03-004.asp
- ----------------------------------------------------------------------

Reason for Revision:
====================
Subsequent to the initial release of this bulletin, a non-security 
issue was discovered with this patch that could affect some users - 
primarily consumers - under certain conditions. Specifically, the 
issue could cause some users to be unable to authenticate to 
certain Internet web sites such as subscription based sites, or MSN 
e-mail. This issue has been resolved, and a hot fix (813951) issued 
to correct it. It is important to note that this hot fix corrects a 
very specific non-security issue, and that the security patch 
discussed in this Security Bulletin was, and still is, effective in 
removing the vulnerabilities discussed later in this bulletin. More 
information, including details of how to obtain the hot fix are 
available at: 
http://www.microsoft.com/windows/ie/downloads/critical/813951/defau
lt.asp and in the Frequently Asked Questions section of this 
bulletin. 

Issue:
======

This is a cumulative patch that includes the functionality of all 
previously released patches for IE 5.01, 5.5, 6.0. In addition, it 
eliminates two newly discovered vulnerabilities involving Internet 
Explorer's cross-domain security model - which keeps windows of 
different domains from sharing information. These flaws results in 
Internet Explorer because incomplete security checking causes 
Internet Explorer to allow one website to potentially access 
information from another domain when using certain dialog boxes. 
In order to exploit this flaw, an attacker would have to host a 
malicious web site that contained a web page designed to exploit 
this particular vulnerability and then persuade a user to visit 
that site. Once the user has visited the malicious web site, it 
would be possible for the attacker to run malicious script by 
misusing a dialog box and cause that script to access information 
in a different domain. In the worst case, this could enable the web 
site operator to load malicious code onto a user's system. In 
addition, this flaw could also enable an attacker to invoke an 
executable that was already present on the local system. 

A related cross-domain vulnerability allows Internet Explorer's 
showHelp() functionality to execute without proper security 
checking. showHelp() is one of the help methods used to display an 
HTML page containing help content. showHelp() allows more types of 
pluggable protocols than necessary, and this could potentially 
allow an attacker to access user information, invoke executables 
already present on a user's local system or load malicious code 
onto a user's local system. 

The requirements to exploit this vulnerability are the same as for 
the issue described above: an attacker would have to host and lure 
a user to a malicious web site. In this scenario, the attacker 
could open a showHelp window to a known local file on the visiting 
user's local system and gain access to information from that file 
by sending a specially crafted URL to a second showHelp window. The 
attacker could also potentially access user information or run code 
of attacker's choice. 

This cumulative patch will cause window.showHelp( ) to cease to 
function. When the latest HTML Help update - which is being 
released via Windows Update with this patch - is installed, 
window.showHelp( ) will function again, but with some limitations 
(see the caveats section later in this bulletin). This has been 
necessary in order to block the attack vector that might allow a 
web site operator to invoke an executable that was already present 
on a user's local system.

Mitigating Factors:
====================
- -The attacker would have to host a web site that contained a 
 web page used to exploit either of these cross-domain 
 vulnerabilities. 
- -The attacker would have no way to force users to visit the 
 site. Instead, the attacker would need to lure them there, 
 typically by getting them to click on a link that would take them 
 to the attacker's site. 
- -By default, Outlook Express 6.0 and Outlook 2002 open HTML 
 mail in the Restricted Sites Zone. In addition, Outlook 98 and 2000 
 open HTML mail in the Restricted Sites Zone if the Outlook Email 
 Security Update has been installed. Customers who use any of these 
 products would be at no risk from an e-mail borne attack that 
 attempted to exploit this vulnerability unless the user clicked a 
 malicious link in the email. 
- -Internet Explorer 5.01 users are not affected by the first 
 vulnerability.

Risk Rating:
============
 - Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletins at
   http://www.microsoft.com/technet/security/bulletin/ms03-004.asp
   http://www.microsoft.com/security/security_bulletins/ms03-004.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Microsoft thanks  Andreas Sandblad, Sweden for reporting the 
cross domain vulnerability using showHelp and for working with us 
to protect customers.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES 
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO 
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR 
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPkr/nI0ZSRQxA/UrAQGFGgf/exOegUuF3NqVgKxAPGpDglQe1rryTDfW
fGyh09RaaH+9+6y/91GdC7NU6t7x6rV0ia4Kt+Vhj087/ybcyCJH+pcqXzWcz63n
UtjfMvXTOS+WUdO5FiNMo/9xHMYXo/72GYikXpnQFLBnhCR1DUhmjF2tgMQfoKbi
3Gm1mBpNwm1SiC16oiGaDbXrrlxT0GYDIZaiVQ54kwskddsR/JEMv74nTMUTcDIM
yIIyHMK7FjqMCsSh47wAcmWUYS70dhMnSCzKKwzSPOCzFKIajLIFSDkZJCtmGSt1
qjwpWkBExEyLSRKDBLIK8dFO5poKNMZYoubTpmJaFMA0P+ID5FZlcw==
=g93V
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification 
Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at 
http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at 
http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via 
email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at 
http://www.microsoft.com/security.