MS Sec Notification mailing list archives

Previous By Date Next
Previous By Thread Next

Microsoft Security Bulletin MS03-020: Cumulative Patch for Internet Explorer (818529)

From: "Microsoft" <0_48703_04BF067D-4CF8-4245-B5C1-58573E5746A8_US () Newsletters Microsoft com>
Date: Wed, 4 Jun 2003 11:35:32 -0700
-----BEGIN PGP SIGNED MESSAGE-----

- - ------------------------------------------------------------------
Title:      Cumulative Patch for Internet Explorer (818529)
Date:       04 June 2003
Software:   Microsoft(r) Microsoft Internet Explorer(r) 5.01 
            Microsoft Internet Explorer 5.5 
            Microsoft Internet Explorer 6.0 
            Microsoft Internet Explorer 6.0 for Windows Server 2003 
Impact:     Allow an attacker to execute code of their choice
Max Risk:   Critical
Bulletin:   MS03-020

Microsoft encourages customers to review the Security Bulletins at: 
http://www.microsoft.com/technet/security/bulletin/MS03-020.asp
http://www.microsoft.com/security/security_bulletins/ms03-020.asp
- - ------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all 
previously released patches for Internet Explorer 5.01, 5.5 and 6.0. 
In addition, it eliminates two newly discovered vulnerabilities: 


 - A buffer overrun vulnerability that occurs because Internet 
Explorer does not properly determine an object type returned from a 
web server. It could be possible for an attacker who exploited this 
vulnerability to run arbitrary code on a user's system. If a user 
visited an attacker's website, it would be possible for the attacker 
to exploit this vulnerability without any other user action. An 
attacker could also craft an HTML email that attempted to exploit 
this vulnerability. 

 - A flaw that results because Internet Explorer does not implement 
an appropriate block on a file download dialog box. It could be 
possible for an attacker to exploit this vulnerability to run 
arbitrary code on a user's system. If a user simply visited an 
attacker's website, it would be possible for the attacker to exploit 
this vulnerability without any other user action. An attacker could 
also craft an HTML email that attempted to exploit this 
vulnerability. 

In order to exploit these flaws, the attacker would have to create a 
specially formed HTML email and send it to the user. Alternatively 
an attacker would have to host a malicious web site that contained a 
web page designed to exploit these vulnerabilities. The attacker 
would then have to persuade a user to visit that site. 

As with the previous Internet Explorer cumulative patches released 
with bulletins MS03-004 and MS03-015, this cumulative patch will 
cause window.showHelp( ) to cease to function if you have not 
applied the HTML Help update. If you have installed the updated HTML 
Help control from Knowledge Base article 811630, you will still be 
able to use HTML Help functionality after applying this patch.

Mitigating factors: 
====================
The following mitigating factors apply to both vulnerabilities 
discussed in this bulletin:


 - By default, Internet Explorer on Windows Server 2003 runs in 
Enhanced Security Configuration. This default configuration of 
Internet Explorer blocks these attacks. If Internet Explorer 
Enhanced Security Configuration has been disabled, the protections 
put in place that prevent these vulnerabilities from being exploited 
would be removed. 
 - In the Web based attack scenario, the attacker would have to host 
a web site that contained a web page used to exploit these 
vulnerabilities. An attacker would have no way to force users to 
visit a malicious web site outside of the HTML email vector. 
Instead, the attacker would need to lure them there, typically by 
getting them to click on a link that would take them to the 
attacker's site. 
 - Code that executed on the system would only run under the 
privileges of the logged in user.  

Risk Rating:
============
Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletins at
   
http://www.microsoft.com/technet/security/bulletin/ms03-020.asp
http://www.microsoft.com/security/security_bulletins/ms03-020.asp
   
   for information on obtaining this patch.

Acknowledgment:
===============
 - eEye Digital Security (http://www.eeye.com/)

- - ------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE 
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPt4h7I0ZSRQxA/UrAQGN8Qf+Pw+jcDSFRSRkTKrDpDukp1UDXx/zH0gZ
KwqcKa+cxjmkU6oo9ZiUTB+aTy4px/LWJPstri0CICgD8poVLeqGLRwLpUzpwWOP
EBRuN1Y5IgDV2J6HmvLBNg8E1CpwMii2LIdo07w6xkGtBPOcxhn9S884jlBw1CQE
mNQjTCiGBZWunsUVCeQiaJnV+7fH5BHRFPu3qi3PvQxNCgXvziCBgyTxf33u7U1K
XFW7bZKDcKYhKJ385qmvbs2yV+rDv5s4b3SlemIxnH6VdoUUKhRuWoMcia9dqFLh
5sovuW2MjxprNUrzA0A8Tm1GCnAHQM/M2c35ML18wGh15SJr2c5Y8A==
=DxHQ
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification 
Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at 
http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at 
http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via 
email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at 
http://www.microsoft.com/security.
Previous By Date Next
Previous By Thread Next

Current thread: