MS Sec Notification mailing list archives

Previous By Date Next
Previous By Thread Next

Revised: Microsoft Security Bulletin MS02-068: Cumulative Patch for Internet Explorer (324929)

From: "Microsoft" <0_41834_04BF067D-4CF8-4245-B5C1-58573E5746A8_US () Newsletters Microsoft com>
Date: Fri, 6 Dec 2002 16:14:10 -0800
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Cumulative Patch for Internet Explorer (324929)
Released:   04 December 2002
Revised:    06 December 2002 (version 2.0)
Software:   Microsoft(r) Internet Explorer
Impact:     Allow an attacker to execute commands on a user's 
            system.
Max Risk:   Critical
Bulletin:   MS02-068

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/security/security_bulletins/ms02-068.asp
http://www.microsoft.com/technet/security/bulletin/MS02-068.asp.
- ----------------------------------------------------------------------

Reason for Revision:
====================
This is an updated bulletin describing a cumulative patch for 
Internet Explorer 5.5 and 6.0. The original patch released on 
December 4, 2002 is unchanged. However since releasing the 
patch, Microsoft has received a report suggesting that the 
vulnerability addressed by this bulletin could be exploited to 
run arbitrary code on a user's machine. Microsoft investigated 
that report, and was able to develop a demonstration that 
exploits the vulnerability to run arbitrary code. We have 
released this updated bulletin to advise customers of our new 
assessment of the potential impact of the vulnerability, and 
of its updated severity rating.

Issue:
======
This is an updated bulletin describing a cumulative patch for 
Internet Explorer 5.5 and 6.0. The original patch is unchanged and, 
in addition to including the functionality of all previously 
released patches for Internet Explorer 5.5 and 6.0, eliminates one 
additional flaw in Internet Explorer's cross-domain security model. 
This flaw occurs because the security checks that Internet Explorer 
carries out when particular object caching techniques are used in 
web pages are incomplete. This could have the effect of allowing an 
attacker to execute commands on a user's system. 

Exploiting the vulnerability could enable an attacker to invoke an 
executable that was already present on the local system. It could 
also allow an attacker to load a malicious executable onto a user's 
system, or to pass parameters to an executable. However, a registry 
key setting discussed in Microsoft Knowledge Base Article 810687 
disables shortcuts in HTML Help, which significantly reduces the 
scope of this vulnerability as it removes the ability to load a 
malicious executable on a user's system or to pass parameters to an 
executable. 

An attacker could exploit the vulnerability by constructing a web 
page that uses a cached programming technique, and could then 
either host it on a web site or send it to a user via email. In the 
case of the web-based attack vector the page could be automatically 
opened when a user visited the site. In the case of the HTML mail-
based attack vector, the page could be opened when the recipient 
opened the mail or viewed it using the Preview pane. 

On December 4, 2002, Microsoft released the original version of 
this bulletin. Subsequent to that time, Microsoft received a report 
suggesting that the vulnerability addressed by this bulletin could 
be exploited to run arbitrary code on a user's machine. Microsoft 
investigated that report, and was able to develop a demonstration 
that exploits the vulnerability to run arbitrary code. We have 
released this updated bulletin to advise customers of our new 
assessment of the potential impact of the vulnerability, and of its 
updated severity rating. 

The original patch released with this bulletin was and is effective 
in preventing exploitation of the vulnerability. It is also 
effective in eliminating all vulnerabilities addressed by prior 
bulletins that could allow a malicious party to run code on the 
machine of a user who visited a hostile web site or opened a 
malicious HTML email message. Microsoft strongly urges all 
customers to install the patch.

Mitigating Factors:
====================
- -Internet Explorer 5.01 is not affected by this vulnerability. 
- -The web-based attack scenario would provide no way for the attacker 
 to force users to visit the site. Instead, the attacker would need 
 to lure them there, typically by getting them to click on a link 
 that would take them to the attacker's site. 
- -The HTML mail-based attack scenario would be blocked by Outlook 
 Express 6.0 and Outlook 2002 in their default configurations, and 
 by Outlook 98 and 2000 if used in conjunction with the Outlook 
 Email Security Update. 
- -If the steps described in Microsoft Knowledge Base Article 810687 
 have been taken to restrict shortcuts in HTML Help, then the 
 following mitigating factors apply: 
  -The vulnerability would allow an attacker to read but not add, 
   delete or modify files on the user's local system. 
  -The attacker would need to know the name and location of any file 
   on the system to successfully invoke it. If invoked, there would
be 
   no way for an attacker to pass parameters to that executable. 
  -The vulnerability would not provide any way for an attacker to put
   a program of their choice onto another user's system.

Risk Rating:
============
Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-068.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES 
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO 
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR 
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPfEh+40ZSRQxA/UrAQE1WQf/RCZNbq2aVCbvaJi1iRxWdW2E9Ah45lLj
CT33JUR6d9+TmUazFfglWFM0zLXcBctERZDkAyLWjvgO3Yc+usIOdo4BQNl5Mf+o
V739TyR7rfumnpnKr9qlepFJRLkaBPnPPNh/Yphd8LbLBlJ7DfTjDxuUS966gTKb
GkxgOl8zBvDwaCpCrWyBHEaOIpBivUxj8HKBGzrcj0n82y4C9ZOd9i0AsFwqyrsa
FSBPo3r55cZB6w/De+CIQ0siftgbvvWR0WtRk/2RETi0+wzTnF0SK04GNndFm3nl
V8UckCD9Jv2BzPlFWp6qDKEPaFHdUzrbIZYYwZsBesZzwbsP+2pusg==
=n7GV
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification 
Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at 
http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at 
http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via 
email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at 
http://www.microsoft.com/security.
Previous By Date Next
Previous By Thread Next

Current thread: