Alert: Microsoft Security Bulletin - MS03-015
From: Russ (Russ.CooperRC.ON.CA)
Date: Wed Apr 23 2003 - 12:20:30 CDT
Cumulative Patch for Internet Explorer (813489)
Originally posted: April 23, 2003
Who should read this bulletin: Customers using Microsoft® Internet Explorer.
Impact of vulnerability: Four new vulnerabilities, the most serious of which could enable an attacker to execute arbitrary code on a user's system if the user either browsed to a hostile web site or opened a specially crafted HTML email message.
Maximum Severity Rating: Critical
Recommendation: System administrators should install the patch immediately
Affected Software:
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 6.0
This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following four newly discovered vulnerabilities:
- A buffer overrun vulnerability in URLMON.DLL that occurs because Internet Explorer does not correctly check the parameters of information being received from a web server. It could be possible for an attacker to exploit this vulnerability to run arbitrary code on a user's system. A user simply visiting an attacker's website could allow the attacker to exploit the vulnerability without any other user action.
- A vulnerability in the Internet Explorer file upload control that allows input from a script to be passed to the upload control. This vulnerability could allow an attacker to supply a file name to the file upload control and automatically upload a file from the user's system to a web server.
- A flaw in the way Internet Explorer handles the rendering of third party files. The vulnerability results because the Internet Explorer method for rendering third party file types does not properly check parameters passed to it. An attacker could create a specially formed URL that would inject script during the rendering of a third party file format and cause the script to execute in the security context of the user.
- A flaw in the way modal dialogs are treated by Internet Explorer that occurs because an input parameter is not properly checked. This flaw could allow an attacker to use an injected script to provide access to files stored on a user's computer. Although a user who visited the attacker's website could allow the attacker to exploit the vulnerability without any other user action, an attacker would have no way to force the user to visit the website.
In addition to eliminating the above vulnerabilities, this patch also includes a fix for Internet Explorer 6.0 SP1 that corrects the method by which Internet Explorer displays help information in the local computer zone. While we are not aware of a method to exploit this vulnerability by itself, if it were possible to exploit it, it could allow an attacker to read local files on a visiting user's system.
This patch also sets the Kill Bit on the Plugin.ocx ActiveX control, which has a security vulnerability. This kill bit has been set in order to ensure that the vulnerable control cannot be reintroduced onto users' systems and to ensure that users who already have the vulnerable control on their system are protected. This issue is discussed further in Microsoft Knowledge Base Article 813489.
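As an added illustration of the kill bit mechanism the bulletin mentions (this script is not part of the bulletin or of Microsoft's patch), the PowerShell below reports whether a given CLSID has its kill bit set in the registry locations Internet Explorer consults. The CLSID is a placeholder, since the bulletin text does not give the one for Plugin.ocx.

```powershell
# Added example, not from the bulletin: check whether the ActiveX kill bit
# is set for one CLSID. The default CLSID is a PLACEHOLDER; substitute the
# real CLSID of the control you are auditing (e.g. Plugin.ocx) before use.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

# Internet Explorer refuses to instantiate a control whose
# "Compatibility Flags" value has bit 0x400 set; that bit is the kill bit.
$KillBit = 0x400

$Locations = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    # 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view.
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Test-KillBit {
    param([string]$KeyPath)
    # $null = no entry at all, $false = entry without the bit, $true = kill bit set
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item  = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $flags = $item.'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

$setAnywhere = $false
foreach ($loc in $Locations) {
    $result = Test-KillBit -KeyPath $loc
    if ($null -eq $result) {
        Write-Output ("MISSING   {0}" -f $loc)
    } elseif ($result) {
        Write-Output ("KILL BIT  {0}" -f $loc)
        $setAnywhere = $true
    } else {
        Write-Output ("NO BIT    {0}" -f $loc)
    }
}

# Non-zero exit lets a deployment tool flag hosts where the control is still loadable.
if ($setAnywhere) { exit 0 } else { exit 1 }
```

Run it with -Clsid set to the control's real CLSID; a MISSING or NO BIT result on every location means the control would still load in Internet Explorer on that host.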
Like the previous Internet Explorer cumulative patch released with bulletin MS03-004, this cumulative patch will cause window.showHelp() to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811830, you will still be able to use HTML Help functionality after applying this patch.
There are common mitigating factors across all of the vulnerabilities:
- The attacker would have to host a web site that contained a web page used to exploit the particular vulnerability.
- By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that attempted to automatically exploit these vulnerabilities.
- The attacker would have no way to force users to visit a malicious web site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.
In addition to the common factors, there are a number of individual mitigating factors:
URLMON.DLL Buffer Overrun:
- Code that executed on the system would only run under the privileges of the locally logged in user.
File Upload Control vulnerability:
- The attacker would have to know the explicit path and name of the file to be uploaded in advance.
Third Party plug-in rendering:
- The third party plugin would have to be present on the user's system in order for it to be exploited.
Vulnerability identifiers:
- URLMON.DLL Buffer Overrun: CAN-2003-0113
- File Upload Control vulnerability: CAN-2003-0114
- Third Party plug-in rendering: CAN-2003-0115
- Modal Dialog script execution: CAN-2003-0116
This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor