
List:       ntbugtraq
Subject:    Alert: Microsoft Security Bulletin - MS03-015
From:       Russ <Russ.Cooper () RC ! ON ! CA>
Date:       2003-04-23 17:20:30

http://www.microsoft.com/technet/security/bulletin/MS03-015.asp

Cumulative Patch for Internet Explorer (813489)

Originally posted: April 23, 2003

Summary

Who should read this bulletin: Customers using Microsoft® Internet Explorer.

Impact of vulnerability: Four new vulnerabilities, the most serious of which could enable an attacker to execute arbitrary code on a user's system if the user either browsed to a hostile web site or opened a specially crafted HTML email message.

Maximum Severity Rating: Critical

Recommendation: System administrators should install the patch immediately

Affected Software: 
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.5 
- Microsoft Internet Explorer 6.0

Technical description: 

This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following four newly discovered vulnerabilities:
- A buffer overrun vulnerability in URLMON.DLL that occurs because Internet Explorer does not correctly check the parameters of information being received from a web server. It could be possible for an attacker to exploit this vulnerability to run arbitrary code on a user's system. A user simply visiting an attacker's website could allow the attacker to exploit the vulnerability without any other user action.
- A vulnerability in the Internet Explorer file upload control that allows input from a script to be passed to the upload control. This vulnerability could allow an attacker to supply a file name to the file upload control and automatically upload a file from the user's system to a web server.
- A flaw in the way Internet Explorer handles the rendering of third party files. The vulnerability results because the Internet Explorer method for rendering third party file types does not properly check parameters passed to it. An attacker could create a specially formed URL that would inject script during the rendering of a third party file format and cause the script to execute in the security context of the user.
- A flaw in the way modal dialogs are treated by Internet Explorer that occurs because an input parameter is not properly checked. This flaw could allow an attacker to use an injected script to provide access to files stored on a user's computer. Although a user who visited the attacker's website could allow the attacker to exploit the vulnerability without any other user action, an attacker would have no way to force the user to visit the website.

In addition to eliminating the above vulnerabilities, this patch also includes a fix for Internet Explorer 6.0 SP1 that corrects the method by which Internet Explorer displays help information in the local computer zone. While we are not aware of a method to exploit this vulnerability by itself, if it were possible to exploit it, it could allow an attacker to read local files on a visiting user's system.

This patch also sets the Kill Bit on the Plugin.ocx ActiveX control which has a security vulnerability. This killbit has been set in order to ensure that the vulnerable control cannot be reintroduced onto users' systems and to ensure that users who already have the vulnerable control on their system are protected. This issue is discussed further in Microsoft Knowledge Base Article 813489.
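The kill bit the bulletin relies on is nothing more than a registry flag, and after rolling out a cumulative patch an administrator usually wants to confirm that the flag actually landed on each machine rather than trust the installer log. The PowerShell below is an added example written for this page, not code from Microsoft or from the bulletin. It reads the ActiveX Compatibility key that Internet Explorer consults, lists every CLSID whose "Compatibility Flags" DWORD has the 0x400 kill bit set, and tests or sets the bit for a CLSID you pass in. The bulletin does not state the CLSID of Plugin.ocx (it refers to KB 813489 for that), so the CLSID is deliberately left as a parameter here rather than filled in. The function names and the $KillBitRoot variable are this example's own.

```powershell
# Added example (not from the bulletin): inspect and set ActiveX kill bits.
# Internet Explorer refuses to instantiate a control whose CLSID has bit
# 0x400 set in the "Compatibility Flags" DWORD under this key.
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400

function Get-CompatibilityFlags {
    # Returns the DWORD for one CLSID subkey, or $null if the key/value is absent.
    param([Parameter(Mandatory)][string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'Compatibility Flags'
}

function Test-KillBit {
    # $true when the kill bit is set for the given CLSID (braces included,
    # e.g. '{00000000-0000-0000-0000-000000000000}' -- a placeholder, not Plugin.ocx).
    param([Parameter(Mandatory)][string]$Clsid)
    $flags = Get-CompatibilityFlags -KeyPath (Join-Path $KillBitRoot $Clsid)
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Get-KillBittedControl {
    # Enumerates every CLSID subkey and emits the ones whose kill bit is set.
    Get-ChildItem -Path $KillBitRoot -ErrorAction Stop | ForEach-Object {
        $flags = Get-CompatibilityFlags -KeyPath $_.PSPath
        if ($null -ne $flags -and (($flags -band $KillBitFlag) -ne 0)) {
            [pscustomobject]@{
                Clsid = $_.PSChildName
                Flags = ('0x{0:X8}' -f [int]$flags)
            }
        }
    }
}

function Set-KillBit {
    # Sets the kill bit without clobbering any other compatibility flags already
    # present. Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if ($PSCmdlet.ShouldProcess($Clsid, 'Set ActiveX kill bit')) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = Get-CompatibilityFlags -KeyPath $key
        $new = ([int]$existing) -bor $KillBitFlag   # $null casts to 0
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Usage (placeholder CLSID; substitute the control's real CLSID from KB 813489):
# Get-KillBittedControl | Format-Table -AutoSize
# Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
# Set-KillBit  -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

Set-KillBit needs an elevated prompt because the key lives under HKLM. Two caveats worth knowing before relying on this check: on 64-bit Windows the 32-bit browser reads the same key under HKLM\SOFTWARE\Wow6432Node, so a complete audit inspects both paths; and a kill bit is a blunt instrument that will also break any internal web page that legitimately depends on the control, which is why the -WhatIf preview and a test group are the first step, not the last.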

Like the previous Internet Explorer cumulative patch released with bulletin MS03-004, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811830, you will still be able to use HTML Help functionality after applying this patch.

Mitigating factors:

There are common mitigating factors across all of the vulnerabilities:
- The attacker would have to host a web site that contained a web page used to exploit the particular vulnerability.
- By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that attempted to automatically exploit these vulnerabilities. The attacker would have no way to force users to visit a malicious web site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.

In addition to the common factors, there are a number of individual mitigating factors:

URLMON.DLL Buffer Overrun: 
- Code that executed on the system would only run under the privileges of the locally logged in user.

File Upload Control vulnerability:
- The attacker would have to know the explicit path and name of the file to be uploaded in advance.

Third Party plug-in rendering:
- The third party plugin would have to be present on the user's system in order for it to be exploited.

Vulnerability identifier: 
- URLMON.DLL Buffer Overrun: CAN-2003-0113
- File Upload Control vulnerability: CAN-2003-0114
- Third Party plug-in rendering: CAN-2003-0115
- Modal Dialog script execution: CAN-2003-0116



This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Have you discovered a security vulnerability related to Windows or a
commercial product which runs on Windows?

Need assistance crafting the format or translating your advisory to English?

Need to verify it, or having problems contacting the Vendor?

Contact mailto:Advisories@NTBugtraq.com

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

