List: ntbugtraq
Subject: Alert: Microsoft Security Bulletin - MS03-015
From: Russ <Russ.Cooper () RC ! ON ! CA>
Date: 2003-04-23 17:20:30
http://www.microsoft.com/technet/security/bulletin/MS03-015.asp
Cumulative Patch for Internet Explorer (813489)
Originally posted: April 23, 2003
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer.
Impact of vulnerability: Four new vulnerabilities, the most serious of which could enable an attacker to execute arbitrary code on a user's system if the user either browsed to a hostile web site or opened a specially crafted HTML email message.
Maximum Severity Rating: Critical
Recommendation: System administrators should install the patch immediately
Affected Software:
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 6.0
Technical description:
This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following four newly discovered vulnerabilities:
- A buffer overrun vulnerability in URLMON.DLL that occurs because Internet Explorer does not correctly check the parameters of information being received from a web server. It could be possible for an attacker to exploit this vulnerability to run arbitrary code on a user's system. A user simply visiting an attacker's website could allow the attacker to exploit the vulnerability without any other user action.
- A vulnerability in the Internet Explorer file upload control that allows input from a script to be passed to the upload control. This vulnerability could allow an attacker to supply a file name to the file upload control and automatically upload a file from the user's system to a web server.
- A flaw in the way Internet Explorer handles the rendering of third party files. The vulnerability results because the Internet Explorer method for rendering third party file types does not properly check parameters passed to it. An attacker could create a specially formed URL that would inject script during the rendering of a third party file format and cause the script to execute in the security context of the user.
- A flaw in the way modal dialogs are treated by Internet Explorer that occurs because an input parameter is not properly checked. This flaw could allow an attacker to use an injected script to provide access to files stored on a user's computer. Although a user who visited the attacker's website could allow the attacker to exploit the vulnerability without any other user action, an attacker would have no way to force the user to visit the website.
In addition to eliminating the above vulnerabilities, this patch also includes a fix for Internet Explorer 6.0 SP1 that corrects the method by which Internet Explorer displays help information in the local computer zone. While we are not aware of a method to exploit this vulnerability by itself, if it were possible to exploit it, it could allow an attacker to read local files on a visiting user's system.
This patch also sets the Kill Bit on the Plugin.ocx ActiveX control which has a security vulnerability. This killbit has been set in order to ensure that the vulnerable control cannot be reintroduced onto users' systems and to ensure that users who already have the vulnerable control on their system are protected. This issue is discussed further in Microsoft Knowledge Base Article 813489.
Like the previous Internet Explorer cumulative patch released with bulletin MS03-004, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811830, you will still be able to use HTML Help functionality after applying this patch.
Mitigating factors:
There are common mitigating factors across all of the vulnerabilities:
- The attacker would have to host a web site that contained a web page used to exploit the particular vulnerability.
- By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that attempted to automatically exploit these vulnerabilities. The attacker would have no way to force users to visit a malicious web site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.
In addition to the common factors, there are a number of individual mitigating factors:
URLMON.DLL Buffer Overrun:
- Code that executed on the system would only run under the privileges of the locally logged in user.
File Upload Control vulnerability:
- The attacker would have to know the explicit path and name of the file to be uploaded in advance.
Third Party plug-in rendering:
- The third party plugin would have to be present on the user's system in order for it to be exploited.
Vulnerability identifier:
- URLMON.DLL Buffer Overrun: CAN-2003-0113
- File Upload Control vulnerability: CAN-2003-0114
- Third Party plug-in rendering: CAN-2003-0115
- Modal Dialog script execution: CAN-2003-0116
This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Have you discovered a security vulnerability related to Windows or a
commercial product which runs on Windows?
Need assistance crafting the format or translating your advisory to English?
Need to verify it, or having problems contacting the Vendor?
Contact mailto:Advisories@NTBugtraq.com
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
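The bulletin above notes that the patch sets the Kill Bit on the Plugin.ocx ActiveX control. The following PowerShell is an added example (not part of the bulletin or of Russ's post) showing how an administrator can verify that state after patching. It relies on Internet Explorer's documented kill-bit mechanism: a per-CLSID key under `ActiveX Compatibility` whose `Compatibility Flags` DWORD has bit 0x400 set. The CLSID passed in the usage line is a placeholder, because the bulletin text does not give the control's CLSID; the function names `Test-ActiveXKillBit` and `Get-KillBittedControls` are this example's own.

```powershell
# Added example, not Microsoft's or NTBugtraq's code: audit the IE ActiveX kill bit.
# Assumption: the kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.

$KillBitFlag = 0x400   # flag value that blocks a control from loading in Internet Explorer

function Test-ActiveXKillBit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid      # e.g. '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
    )
    # Native view plus the 32-bit view on 64-bit Windows; the latter simply does not
    # exist on 32-bit systems, so Test-Path guards it.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    $result = [ordered]@{ Clsid = $Clsid; KillBitSet = $false; Flags = $null; Path = $null }
    foreach ($p in $paths) {
        if (-not (Test-Path -Path $p)) { continue }
        $flags = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { continue }
        $result.Flags = ('0x{0:X8}' -f [int]$flags)
        $result.Path  = $p
        if (([int]$flags -band $KillBitFlag) -eq $KillBitFlag) {
            $result.KillBitSet = $true
            break
        }
    }
    [pscustomobject]$result
}

function Get-KillBittedControls {
    # Enumerate every CLSID that currently carries the kill bit (native view only).
    $base = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
    if (-not (Test-Path -Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and (([int]$flags -band $KillBitFlag) -eq $KillBitFlag)) {
            [pscustomobject]@{ Clsid = $_.PSChildName; Flags = ('0x{0:X8}' -f [int]$flags) }
        }
    }
}

# Usage: replace the placeholder CLSID with that of the control being audited
# (obtain it from the control's own registration, not from this example).
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-List

# Inventory of all kill-bitted controls, useful as a post-patch baseline to compare
# against a known-good system.
Get-KillBittedControls | Format-Table -AutoSize
```

`KillBitSet = $false` together with `Path = $null` means no compatibility entry exists for that CLSID at all, which is the state the bulletin's patch is meant to change for Plugin.ocx; `KillBitSet = $false` with a non-null `Flags` means an entry exists but carries other flags only, so the control would still load.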