MS Sec Notification mailing list archives

Previous By Date Next
Previous By Thread Next

Microsoft Security Bulletin MS03-040: Cumulative Patch for Internet Explorer (828750)

From: "Microsoft" <0_53070_04BF067D-4CF8-4245-B5C1-58573E5746A8_US () Newsletters Microsoft com>
Date: Fri, 3 Oct 2003 19:37:25 -0700
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Cumulative Patch for Internet Explorer (828750)
Date:       October 3, 2003
Software:   Internet Explorer 5.01
            Internet Explorer 5.5
            Internet Explorer 6.0
            Internet Explorer 6.0 for Windows Server 2003
Impact:     Run code of attacker's choice
Max Risk:   Critical
Bulletin:   MS03-040

Microsoft encourages customers to review the Security Bulletins at:
    http://www.microsoft.com/technet/security/bulletin/MS03-040.asp 
    http://www.microsoft.com/security/security_bulletins/MS03-040.asp
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all 
previously released patches for Internet Explorer 5.01, 5.5 and 6.0. 
In addition, it eliminates the following newly discovered 
vulnerabilities: 

A vulnerability that occurs because Internet Explorer does not 
properly determine an object type returned from a Web server in a 
popup window. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user 
visited an attacker's Web site, it would be possible for the attacker
to exploit this vulnerability without any other user action. An 
attacker could also craft an HTML-based e-mail that would attempt to 
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not 
properly determine an object type returned from a Web server during 
XML data binding. It could be possible for an attacker who exploited 
this vulnerability to run arbitrary code on a user's system. If a 
user visited an attacker's Web site, it would be possible for the 
attacker to exploit this vulnerability without any other user action.
An attacker could also craft an HTML-based e-mail that would attempt 
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer 
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer 
Restricted Zone.  It could be possible for an attacker exploiting a 
separate vulnerability (such as one of the two vulnerabilities 
discussed above) to cause Internet Explorer to run script code in the
security context of the Internet Zone. In addition, an attacker could
use Windows Media Player's (WMP) ability to open URL's to construct 
an attack. An attacker could also craft an HTML-based e-mail that 
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively an 
attacker would have to host a malicious Web site that contained a Web
page designed to exploit these vulnerabilities. The attacker would 
then have to persuade a user to visit that site. 

As with the previous Internet Explorer cumulative patches released 
with bulletins MS03-004, MS03-015,  MS03-020, and MS03-032, this 
cumulative patch will cause window.showHelp( ) to cease to function 
if you have not applied the HTML Help update. If you have installed 
the updated HTML Help control from Knowledge Base article 811630, you
will still be able to use HTML Help functionality after applying this
patch. 

In addition to applying this security patch it is recommended that 
users also install the Windows Media Player update referenced in 
Knowledge Base Article 828026.  This update is available from Windows
Update as well as the Microsoft Download Center for all supported 
versions of Windows Media Player. While not a security patch, this 
update contains a change to the behavior of Windows Media Player's 
ability to launch URL's to help protect against DHTML behavior based 
attacks.  Specifically, it restricts Windows Media Player's ability 
to launch URL's in the local computer zone from other zones.

Mitigating Factors:
====================
- -By default, Internet Explorer on Windows Server 2003 runs in
Enhanced 
Security Configuration. This default configuration of Internet
Explorer 
blocks automatic exploitation of this attack. If Internet Explorer 
Enhanced Security Configuration has been disabled, the protections 
put in place that prevent this vulnerability from being automatically
exploited would be removed. 

- -In the Web-based attack scenario, the attacker would have to host a 
Web site that contained a Web page used to exploit this 
vulnerability.  An attacker would have no way to force a user to 
visit a malicious Web Site. Instead, the attacker would need to lure 
them there, typically by getting them to click a link that would take
them to the attacker's site.

- -Exploiting the vulnerability would allow the attacker only the same 
privileges as the user. Users whose accounts are configured to have 
few privileges on the system would be at less risk than ones who 
operate with administrative privileges. 

Risk Rating:
============
 -Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletins at
    http://www.microsoft.com/technet/security/bulletin/MS03-040.asp 
    http://www.microsoft.com/security/security_bulletins/MS03-040.asp
   for information on obtaining this patch.


- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE 
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.




-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBP34rCY0ZSRQxA/UrAQFmqAgAlS+ZctG+OT7Rd49WfGdz2ISdMNZ1E1ay
IpWYrj5leBrc5KTLf7fadhy9209A96gppJbV6lIWqP1gvQWrWaW8XZzyhvsX7FH+
922nYeQLUsPp3R+wA2jZP6OvcfTFOUqa4nDM9oisO7qMEc2SuDdQWont2IzeAf6h
3P6VjblfQ72pxPAYuFSRN0xKZGzqcSKqWYwy+APgjp3a+J1tO17ur+1jhz6BgI9w
CZcAOxluayX6IxOixaWFBZUmiITGFImYFY1Ql+LQSdTCVv11R+IKrhAsRwfyfA9r
7AqjjZfWrB/ScpPdrobt3W9eFSxgHCjMen7SIB5SuTldsWwpu7IBHg==
=vhUD
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification 
Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at 
http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at 
http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via 
email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at 
http://www.microsoft.com/security.
Previous By Date Next
Previous By Thread Next

Current thread: