Alert: Microsoft Security Bulletin MS04-004 - Cumulative Security Update for Internet Explorer (832894)

From: Russ (Russ.CooperRC.ON.CA)
Date: Mon Feb 02 2004 - 14:53:47 CST


Microsoft Security Bulletin MS04-004:
Cumulative Security Update for Internet Explorer (832894)

Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS04-004.asp

Summary:
 Version Number: V1.0
 Revision Date: 02-02-2004
 Impact of Vulnerability: Remote Code Execution
 Maximum Severity Rating: Critical
 Patch(es) Replaced: This update replaces the one that is provided in
Microsoft Security Bulletin MS03-048, which is itself a cumulative
update.
 Caveats: None
 CVE Number(s): CAN-2003-1026, CAN-2003-1027, CAN-2003-1025

Tested Software:
 Affected Software:
 * Microsoft Windows NT(r) Workstation 4.0 Service Pack 6a
 * Microsoft Windows NT Server 4.0 Service Pack 6a
 * Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack
6
 * Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
 * Microsoft Windows XP, Microsoft Windows XP Service Pack 1
 * Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit
Edition Service Pack 1
 * Microsoft Windows XP 64-Bit Edition Version 2003
 * Microsoft Windows Server(r) 2003
 * Microsoft Windows Server 2003, 64-Bit Edition
 * Internet Explorer 6 Service Pack 1: Download the update.
 * Internet Explorer 6 Service Pack 1 (64-Bit Edition): Download the
update.
 * Internet Explorer 6 for Windows Server 2003: Download the update.
 * Internet Explorer 6 for Windows Server 2003 (64-Bit Edition):
Download the update.
 * Internet Explorer 6: Download the update.
 * Internet Explorer 5.5 Service Pack 2: Download the update.
 * Internet Explorer 5.01 Service Pack 4: Download the update.
 * Internet Explorer 5.01 Service Pack 3: Download the update.
 * Internet Explorer 5.01 Service Pack 2: Download the update.

 Affected Components:
 * Internet Explorer 6 Service Pack 1
<http://www.ntbugtraq.com/link/70530968-B59A-47C0-90D3-0C884910BC97.asp>
 * Internet Explorer 6 Service Pack 1 (64-Bit Edition)
<http://www.ntbugtraq.com/link/326EFFDA-8D86-4683-BC77-9BF410BC620D.asp>
 * Internet Explorer 6 for Windows Server 2003
<http://www.ntbugtraq.com/link/D78AE4F7-8852-4A04-B8F6-1DE327E598F0.asp>
 * Internet Explorer 6 for Windows Server 2003 (64-Bit Edition)
<http://www.ntbugtraq.com/link/6A7894F0-789F-4152-9AE4-8DCB43404149.asp>
 * Internet Explorer 6
<http://www.ntbugtraq.com/link/BE0C18BC-7F9A-4196-BFDE-29EBA8CF7A50.asp>
 * Internet Explorer 5.5 Service Pack 2
<http://www.ntbugtraq.com/link/EFFE87F6-7ACA-4A54-B767-5597DDE95C6F.asp>
 * Internet Explorer 5.01 Service Pack 4
<http://www.ntbugtraq.com/link/F5E74139-6E0E-49FD-9AA2-36D2D8454A92.asp>
 * Internet Explorer 5.01 Service Pack 3
<http://www.ntbugtraq.com/link/202D3AAC-6B56-4F4A-8C0F-4183C77B6B51.asp>
 * Internet Explorer 5.01 Service Pack 2
<http://www.ntbugtraq.com/link/17904608-DCEE-4C99-A780-81D6DBC48DD5.asp>

 Software Not Affected:

Technical Description:

This is a cumulative update that includes the functionality of all the
previously-released updates for Internet Explorer 5.01, Internet
Explorer 5.5, and Internet Explorer 6.0. Additionally, it eliminates the
following three newly-discovered vulnerabilities:

 * A vulnerability that involves the cross-domain security model of
Internet Explorer. The cross domain security model of Internet Explorer
keeps windows of different domains from sharing information. This
vulnerability could result in the execution of script in the Local
Machine zone. To exploit this vulnerability, an attacker would have to
host a malicious Web site that contained a Web page designed to exploit
the vulnerability and then persuade a user to view the Web page. The
attacker could also create an HTML e-mail message designed to exploit
the vulnerability and persuade the user to view the HTML e-mail message.
After the user has visited the malicious Web site or viewed the
malicious HTML e-mail message an attacker who exploited this
vulnerability could access information from other Web sites, access
files on a user's system, and run arbitrary code on a user's system.
This code would run in the security context of the currently logged on
user.
 * A vulnerability that involves performing a drag-and-drop operation
with function pointers during dynamic HTML (DHTML) events in Internet
Explorer. This vulnerability could allow a file to be saved in a target
location on the user's system if the user clicked a link. No dialog box
would request that the user approve this download. To exploit this
vulnerability, an attacker would have to host a malicious Web site that
contained a Web page that had a specially-crafted link. The attacker
would then have to persuade a user to click that link. The attacker
could also create an HTML e-mail message that had a specially-crafted
link, and then persuade the user to view the HTML e-mail message and
then click the malicious link. If the user clicked this link, code of
the attacker's choice would not be executed, but could be saved on the
user's computer in a targeted location.
 * A vulnerability that involves the incorrect parsing of URLs that
contain special characters. When combined with a misuse of the basic
authentication feature that has "username:password" at the beginning of
a URL, this vulnerability could result in a misrepresentation of the URL
in the address bar of an Internet Explorer window. To exploit this
vulnerability, an attacker would have to host a malicious Web site that
contained a Web page that had a specially-crafted link. The attacker
would then have to persuade a user to click that link. The attacker
could also create an HTML e-mail message that had a specially-crafted
link, and then persuade the user to view the HTML e-mail message and
then click the malicious link. If the user clicked this link, an
Internet Explorer window could open with a URL of the attacker's choice
in the address bar, but with content from a Web Site of the attacker's
choice inside the window. For example, an attacker could create a link
that once clicked on by a user would display http://www.tailspintoys.com
in the address bar, but actually contained content from another Web
Site, such as http://www.wingtiptoys.com. (Note: these web sites are
provided as an example only, and both redirect to
http://www.microsoft.com.)

As with the previous Internet Explorer cumulative updates that were
released with bulletins MS03-004, MS03-015, MS03-020, MS03-032,
MS03-040, and MS03-048, this cumulative update causes the
window.showHelp( ) control to no longer work if you have not applied the
HTML Help update. If you have installed the updated HTML Help control
from Microsoft Knowledge Base article 811630, you will still be able to
use HTML Help functionality after you apply this update.

This Internet Explorer cumulative update also includes a change to the
functionality of a Basic Authentication feature in Internet Explorer.
The update removes support for handling user names and passwords in HTTP
and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft
Internet Explorer. The following URL syntax is no longer supported in
Internet Explorer or Windows Explorer after you install this software
update:

http(s)://username:password@server/resource.ext

For more information about this change, please see Microsoft Knowledge
Base article 834489.

Additionally, this update will disallow navigation to
"username:password@host.com" URLs for XMLHTTP.

Microsoft is currently creating an update to MSXML that will address
this issue specifically for XMLHTTP and we will provide more information
in this bulletin when the update becomes available.

The update also refines a change made in Internet Explorer 6 Service
Pack 1, which prevents web pages in the Internet Security zone from
navigating to the local computer zone. This is discussed further in the
"Frequently Asked Questions" section of this bulletin.

This email is sent to NTBugtraq automagically as a service to my
subscribers. (v2.3)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea is considered.
-----
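
The bulletin above describes a link that shows one site's name while loading content from another through the `username:password@` part of a URL, and the update removes that syntax. As an added example (not part of the bulletin or the NTBugtraq post), this JavaScript sketch flags such links in a list, using the bulletin's two example hosts; `inspectLink`, `scanLinks` and the sample links are constructed for illustration.

```javascript
// Added example: flag http(s) links that carry userinfo ("user:pass@host").
// The sample links are constructed from the bulletin's own example hosts.

// Returns null for links without userinfo, otherwise a finding object.
function inspectLink(raw) {
  let u;
  try {
    u = new URL(raw); // standard WHATWG URL parser (global in Node and browsers)
  } catch (e) {
    return { raw, verdict: "unparseable" };
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username === "" && u.password === "") return null;

  // The host that is contacted is what follows the last "@" in the
  // authority; everything before it is only credentials.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(u.username);
  // Assumption: percent-escapes in the userinfo are reported as an extra
  // signal; the bulletin does not say which special characters are involved.
  const escapedUserinfo = /%[0-9a-f]{2}/i.test(u.username + u.password);

  return {
    raw,
    verdict: looksLikeHost ? "likely-spoof" : "embedded-credentials",
    shownFirst: u.username, // what a reader sees at the start of the link
    actualHost: u.hostname, // where the request really goes
    escapedUserinfo,
  };
}

// Keep only the links that produced a finding.
function scanLinks(links) {
  return links.map(inspectLink).filter((f) => f !== null);
}

const sampleLinks = [
  "http://www.tailspintoys.com/catalog",
  "http://www.tailspintoys.com@www.wingtiptoys.com/",
  "https://alice:secret@intranet.example/resource.ext",
  "ftp://user:pw@files.example/",
];

for (const f of scanLinks(sampleLinks)) {
  console.log(`${f.verdict}: starts with "${f.shownFirst}", connects to ${f.actualHost}`);
}
```

A userinfo field that itself looks like a host name is the pattern the bulletin's tailspintoys/wingtiptoys example describes; plain embedded credentials are reported separately because the update stops Internet Explorer from handling them at all.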