MS Sec Notification mailing list archives

Microsoft Security Bulletin MS03-032: Cumulative Patch for Internet Explorer (Q822925)

From: "Microsoft" <0_51324_04BF067D-4CF8-4245-B5C1-58573E5746A8_US () Newsletters Microsoft com>
Date: Wed, 20 Aug 2003 13:31:49 -0700
-----BEGIN PGP SIGNED MESSAGE-----

- -----------------------------------------------------------------
Title:      Cumulative Patch for Internet Explorer (822925)
Date:       20 August 2003
Software:   

 - Microsoft Internet Explorer 5.01 
 - Microsoft Internet Explorer 5.5 
 - Microsoft Internet Explorer 6.0 
 - Microsoft Internet Explorer 6.0 for Windows Server 2003 

Impact:     Run code of the attacker's choice
Max Risk:   Critical
Bulletin:   MS03-032

Microsoft encourages customers to review the Security Bulletins 
at: 
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
http://www.microsoft.com/security/security_bulletins/ms03-032.asp
- -----------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all 
previously released patches for Internet Explorer 5.01, 5.5 and 
6.0. In addition, it eliminates the following newly discovered 
vulnerabilities: 


 - A vulnerability involving the cross-domain security model of 
Internet Explorer, which keeps windows of different domains from 
sharing information. This flaw could result in the execution of 
script in the My Computer zone. To exploit this flaw, an attacker 
would have to host a malicious Web site that contained a Web page 
designed to exploit this particular vulnerability and then 
persuade a user to visit that site. After the user has visited 
the malicious Web site, it would be possible for the attacker to 
run malicious script by misusing the method Internet Explorer 
uses to retrieve files from the browser cache, and cause that 
script to access information in a different domain. In the worst 
case, this could enable the Web site operator to load malicious 
script code onto a user's system in the security context of the 
My Computer zone. In addition, this flaw could also enable an 
attacker to run an executable file that was already present on 
the local system or view files on the computer. The flaw exists 
because a file from the Internet or intranet with a maliciously 
constructed URL can appear in the browser cache running in the My 
Computer zone. 

 - A vulnerability that occurs because Internet Explorer does not 
properly determine an object type returned from a Web server. It 
could be possible for an attacker who exploited this 
vulnerability to run arbitrary code on a user's system. If a user 
visited an attacker's Web site, it would be possible for the 
attacker to exploit this vulnerability without any other user 
action. An attacker could also craft an HTML-based e-mail that 
would attempt to exploit this vulnerability. 

This patch also sets the Kill Bit on the BR549.DLL ActiveX 
control. This control implemented support for the Windows 
Reporting Tool, which is no longer supported by Internet 
Explorer. The control has been found to contain a security 
vulnerability. To protect customers who have this control 
installed, the patch prevents the control from running or from 
being reintroduced onto users' systems by setting the Kill Bit 
for this control. This issue is discussed further in Microsoft 
Knowledge Base article 822925. 

In addition to these vulnerabilities, a change has been made to 
the way Internet Explorer renders HTML files. This change 
addresses a flaw in the way Internet Explorer renders Web pages 
that could cause the browser or Outlook Express to fail. Internet 
Explorer does not properly render an input type tag. A user 
visiting an attacker's Web site could allow the attacker to 
exploit the vulnerability by viewing the site. In addition, an 
attacker could craft a specially formed HTML-based e-mail that 
could cause Outlook Express to fail when the e-mail was opened or 
previewed.

This patch also contains a modification to the fix for the Object 
Type vulnerability (CAN-2003-0344) corrected in Microsoft 
Security Bulletin MS03-020. The modification corrects the 
behavior of the fix to prevent the attack on specific languages.

To exploit these flaws, the attacker would have to create a 
specially formed HTML-based e-mail and send it to the user. 
Alternatively an attacker would have to host a malicious Web site 
that contained a Web page designed to exploit these 
vulnerabilities. The attacker would then have to persuade a user 
to visit that site. 

As with the previous Internet Explorer cumulative patches 
released with bulletins MS03-004, MS03-015, and MS03-020 this 
cumulative patch will cause window.showHelp( ) to cease to 
function if you have not applied the HTML Help update. If you 
have installed the updated HTML Help control from Knowledge Base 
article 811630, you will still be able to use HTML Help 
functionality after applying this patch. 

Mitigating Factors:
====================
 - By default, Internet Explorer on Windows Server 2003 runs in 
Enhanced Security Configuration. This default configuration of 
Internet Explorer blocks these attacks. If Internet Explorer 
Enhanced Security Configuration has been disabled, the 
protections put in place that prevent these vulnerabilities from 
being exploited would be removed. 
 - In the Web-based attack scenario, the attacker would have to 
host a Web site that contained a Web page used to exploit these 
vulnerabilities. An attacker would have no way to force users to 
visit a malicious Web site outside the HTML-based e-mail vector. 
Instead, the attacker would need to lure them there, typically by 
getting them to click a link that would take them to the 
attacker's site. 
 - Code that executed on the system would only run under the 
privileges of the logged-on user.

Risk Rating:
============
 - Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read
   the Security Bulletins at:

   http://www.microsoft.com/technet/security/bulletin/ms03-
032.asp
   http://www.microsoft.com/security/security_bulletins/ms03-
032.asp

   for information on obtaining this patch.

Acknowledgment:
===============
 - Microsoft thanks  the following for working with us to protect 
customers: 

 - Yu-Arai of LAC for reporting the language specific variant of 
the MS03-020 Object Type vulnerability (CAN-2003-0344), as well 
as the Browser Cache Script Execution in My Computer Zone problem 
to us.

 - eEye Digital Security for reporting the Object Type 
vulnerability to us.

 - Greg Jones from KPMG UK for reporting the BR549.DLL Buffer 
Overrun problem to us.

- -----------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT 
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING 
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS 
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, 
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL 
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT 
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL 
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBP0LcJo0ZSRQxA/UrAQFr5ggAj7MsZCVe85jqaSWQZ9Nt3nHtgK3wu8A6
GAQX9jKPs1Sa52FY8LvLKcsD5DGXYnTZkmdevYFypGeTFyNaxaCri8OEtntMisyy
k4t03ntnZWYCQ46AbRHjSYNpC9EgCdExixZVqCyGEaaCIR0KOjgR2shSaL/zU9Fc
qad+eFL+Zdu7i7wjgPIQWijRaRE4eVFs4Ep88F4MtErABmvxjsKVEF/+t7tfSUsG
p2kxwRSYMBDSAvxxNJuyvJp6oNIE6g219fnwhH32dTorDRewuy+KaENi+Hx+ieTR
du2EUZoA6GNuEpKriKPkIIbgyj1S62yVPLdCTbkY5ZJqZAONAo8qpw==
=i/Uu
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification 
Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at 
http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at 
http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via 
email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at 
http://www.microsoft.com/security.
Current thread:

Microsoft Security Bulletin MS03-032: Cumulative Patch for Internet Explorer (Q822925) Microsoft (Aug 20)