__________________________________________________________

              The U.S. Department of Energy
          Computer Incident Advisory Center
__________________________________________________________

                    INFORMATION BULLETIN

        Internet Explorer, Cumulative Vulnerabilities Patch
              [Microsoft Security Bulletin MS01-055]

November 15, 2001 15:00 GMT                                  Number M-016
______________________________________________________________________________
PROBLEM:       Microsoft has released a cumulative patch for all known
               vulnerabilities in Internet Explorer 5.5 SP2 and 6.0,
               including three new ones. Two of the new vulnerabilities
               could allow a malicious user to craft a URL that gives
               them unauthorized access to a user's cookies and
               potentially lets them modify the values contained in
               them. The third new vulnerability (IE 5.5 only) involves
               how IE handles URLs that include dotless IP addresses.

PLATFORM:      Microsoft Internet Explorer 5.5 SP2 and 6.0

DAMAGE:        Access to the information in a user's cookies could
               expose personal data, including login strings for web
               sites that allow automatic logins. Internet zone spoofing
               could allow a malicious site to operate in the Intranet
               zone instead of the Internet zone; the Intranet zone has
               fewer security restrictions than the Internet zone.

SOLUTION:      Apply the available patch.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Access to cookies could allow personal
ASSESSMENT:    information to be compromised, including giving an
               intruder the ability to log in as the user to sites that
               allow automatic logins.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-016.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp
 PATCHES:            http://www.microsoft.com/windows/ie/downloads/critical/q312461/default.asp
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS01-055 *****]

13 November 2001

Cumulative Patch for IE

Originally posted: November 08, 2001
Updated: November 13, 2001

Summary

Who should read this bulletin: Customers using Microsoft(R) Internet
Explorer

Impact of vulnerability: Exposure and altering of data in cookies.

Maximum Severity Rating: Moderate

Recommendation: Customers running Internet Explorer 5.5 or 6.0 should
apply the patch.

Affected Software:
 Microsoft Internet Explorer 5.5
 Microsoft Internet Explorer 6.0

Technical details

Technical description:

On November 08, 2001, Microsoft released the original version of this
bulletin. In it, we detailed a work-around procedure that customers
could implement to protect themselves against a publicly disclosed
vulnerability. On November 13, 2001, we released a patch that, when
applied, eliminates all known vulnerabilities affecting IE 5.5 and IE 6.
We therefore expanded the scope of the bulletin to discuss all of the
vulnerabilities the patch addresses. Customers who disabled Active
Scripting per the original version of this bulletin can re-enable it
after installing this patch.

In addition to eliminating all previously discussed vulnerabilities
affecting IE 5.5 Service Pack 2 and IE 6, the patch also eliminates
three newly discovered ones:

The first two involve how IE handles cookies across domains. Although
the underlying flaws are completely unrelated, the scope is exactly the
same in each case: a malicious user could craft a URL that would allow
them to gain unauthorized access to a user's cookies and potentially
modify the values contained in them. Because some web sites store
sensitive information in a user's cookies, this could allow personal
information to be compromised.
Both vulnerabilities could be exploited either by hosting specially
crafted URLs on a web page or by sending them to the victim in an HTML
email.

The third vulnerability is a new variant of a vulnerability discussed in
Microsoft Security Bulletin MS01-051 affecting how IE handles URLs that
include dotless IP addresses. If a web site were specified using a
dotless IP format (e.g., http://031713501415 rather than
http://207.46.131.13), and the request were malformed in a particular
way, IE would not recognize that the site was an Internet site. Instead,
it would treat the site as an intranet site, and open pages on the site
in the Intranet Zone rather than the correct zone. This would allow the
site to run with fewer security restrictions than appropriate. This
vulnerability does not affect IE 6.

Mitigating factors:

Cookie Handling Vulnerabilities:
 - To exploit either vulnerability, the attacker would need to entice
   the user into visiting a particular web site or opening an HTML
   e-mail containing the malformed URL.
 - The Outlook Email Security Update (which is included as part of
   Outlook 2002 in Office XP) would protect the user against the
   mail-borne attack scenario.
 - Users who have set Outlook Express to use the "Restricted Sites" Zone
   are not affected by the mail-borne attack scenario, because the
   "Restricted Sites" zone sets Active Scripting to disabled. Note that
   this is the default setting for Outlook Express 6.0. Users of Outlook
   Express 6.0 should verify that Active Scripting is still disabled in
   the Restricted Sites Zone.

Zone Spoofing Vulnerability:
 - The default settings in the Intranet Zone differ in only a few ways
   from those of the Internet Zone. The differences are enumerated in
   the FAQ in MS01-051, but none would allow destructive action to be
   taken.
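The dotless address in the bulletin is the same host as the dotted one: 031713501415 is the 32-bit value of 207.46.131.13 written in octal (the leading 0 selects octal in inet_aton-style parsers, which also accept decimal, 0x hex, and fewer than four components). The following is an added example, not code from Microsoft or CIAC, showing why a URL filter or security-zone decision has to normalise such literals before applying a rule of the form "a host name without dots is a local intranet host". The zone rule and the RFC 1918 private-range exception are this example's own simplified policy, not IE's actual implementation; the sample hosts are constructed.

```javascript
// Added example, not code from Microsoft or CIAC. Decodes IPv4 host
// literals in the classic forms and shows how a zone decision made on the
// raw literal (http://031713501415) differs from one made on the
// normalised host (207.46.131.13).

// Decode one component the way inet_aton-style parsers do:
// 0x prefix = hex, leading 0 = octal, otherwise decimal. null if invalid.
function parseComponent(s) {
  let radix = 10;
  let digits = s;
  if (/^0[xX]/.test(s)) {
    radix = 16;
    digits = s.slice(2);
  } else if (s.length > 1 && s[0] === '0') {
    radix = 8;
    digits = s.slice(1);
  }
  const allowed = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/ }[radix];
  return allowed.test(digits) ? parseInt(digits, radix) : null;
}

// Normalise a host that is an IPv4 literal (1 to 4 components; decimal,
// octal or hex) to canonical dotted decimal. Returns null if the host is
// not an IPv4 literal at all.
function normalizeIPv4Literal(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const values = parts.map(parseComponent);
  if (values.some((v) => v === null)) return null;
  const last = values.pop();
  // Leading components are single bytes; the last fills the remaining bytes.
  if (values.some((v) => v > 0xff)) return null;
  const tailBytes = 4 - values.length;
  if (last >= 2 ** (8 * tailBytes)) return null;
  let n = 0;
  for (const v of values) n = n * 256 + v;
  n = n * 2 ** (8 * tailBytes) + last;
  return [24, 16, 8, 0].map((shift) => Math.floor(n / 2 ** shift) % 256).join('.');
}

// Simplified zone rule of the kind the bulletin describes (this example's
// model, not IE's code): an unqualified name with no dots is treated as a
// local intranet host. Applied to the raw literal it is fooled by a
// dotless IP address.
function naiveZoneForHost(host) {
  return host.includes('.') ? 'Internet' : 'Intranet';
}

// Same policy decided on the normalised host. An IP literal is never an
// unqualified name: it is Internet unless it lies in an RFC 1918 range
// (the private-range exception is this example's own policy).
function zoneForHost(host) {
  const ip = normalizeIPv4Literal(host);
  if (ip === null) return naiveZoneForHost(host);
  const [a, b] = ip.split('.').map(Number);
  const isPrivate =
    a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  return isPrivate ? 'Intranet' : 'Internet';
}

// Constructed sample hosts; the first five are all spellings of 207.46.131.13.
const SAMPLE_HOSTS = [
  '207.46.131.13', '031713501415', '3475931917', '0xCF2E830D', '0xCF.46.0203.13',
  'fileserver', 'www.example.com', '0xC0A80001',
];
for (const h of SAMPLE_HOSTS) {
  console.log(
    h.padEnd(16),
    (normalizeIPv4Literal(h) || '(name)').padEnd(14),
    'naive:', naiveZoneForHost(h).padEnd(8),
    'normalised:', zoneForHost(h),
  );
}
```

Run with `node`. The practical lesson is that any filter, proxy allow-list or zone classifier must canonicalise the host before matching; modern WHATWG-style URL parsers perform this IPv4 normalisation themselves, but an application that matches on the literal string it received does not get that protection.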
Severity Rating:

Cookie handling vulnerabilities:
                        Internet Servers  Intranet Servers  Client Systems
Internet Explorer 5.5   Moderate          Moderate          Moderate
Internet Explorer 6.0   Moderate          Moderate          Moderate

Zone Spoofing Vulnerability variant:
                        Internet Servers  Intranet Servers  Client Systems
Internet Explorer 5.5   Moderate          Moderate          Moderate

Aggregate severity of all vulnerabilities eliminated by patch:
                        Internet Servers  Intranet Servers  Client Systems
Internet Explorer 5.5   Moderate          Moderate          Moderate
Internet Explorer 6.0   Moderate          Moderate          Moderate

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them. In the case of the
cookie handling vulnerabilities, the attack scenarios either could be
prevented or would require user action in order to succeed. In the case
of the Zone Spoofing vulnerability, even a successful attack would not
allow any significant change in privileges under default conditions.

Vulnerability identifiers:
 First Cookie Handling Vulnerability:  CAN-2001-0722
 Second Cookie Handling Vulnerability: CAN-2001-0723
 Zone Spoofing Vulnerability variant:  CAN-2001-0724

Tested Versions:
Microsoft tested Internet Explorer 5.5 and 6.0 to assess whether they
are affected by these vulnerabilities. Previous versions are no longer
supported, and may or may not be affected by these vulnerabilities.

Patch availability

Download locations for this patch

Microsoft Internet Explorer 5.5 and 6.0:
 http://www.microsoft.com/windows/ie/downloads/critical/q312461/default.asp

Additional information about this patch

Installation platforms:
 The IE 5.5 patch can be installed on IE 5.5 Service Pack 2.
 The IE 6 patch can be installed on IE 6 Gold.

Inclusion in future service packs:
 The fix for these issues will be included in IE 5.5 Service Pack 3 and
 IE 6 Service Pack 1.

Reboot needed: Yes

Superseded patches: MS01-051.
Verifying patch installation:

To verify that the patch has been installed on the machine, open IE,
select Help, then select About Internet Explorer and confirm that
Q312461 is listed in the Update Versions field.

To verify the individual files, use the patch manifest provided in
Knowledge Base article Q312461.

Caveats: None

Localization:
Localized versions of this patch are under development. When completed,
they will be available at the locations discussed in "Obtaining other
security patches".

Obtaining other security patches:
Patches for other security issues are available from the following
locations:
 - Security patches are available from the Microsoft Download Center,
   and can be most easily found by doing a keyword search for
   "security_patch".
 - Patches for consumer platforms are available from the WindowsUpdate
   web site.
 - All patches available via WindowsUpdate also are available in a
   redistributable form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments
Microsoft thanks Marc Slemko for reporting one of the cookie handling
issues to us and working with us to protect customers.

Support:
 - Microsoft Knowledge Base article Q312461 discusses this issue and
   will be available approximately 24 hours after the release of this
   bulletin. Knowledge Base articles can be found on the Microsoft
   Online Support web site.
 - Technical support is available from Microsoft Product Support
   Services. There is no charge for support calls associated with
   security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for
any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:
 V1.0 (November 08, 2001): Bulletin Created.
 V2.0 (November 13, 2001): Bulletin updated with patch information and
      to discuss the inclusion of fixes for an additional cookie
      handling vulnerability and a variant of the zone spoofing issue.

[***** End Microsoft Security Bulletin MS01-055 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health
(NIH). CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the
Forum of Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer
security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-006: HP-UX telnetd Security Vulnerability
M-007: Macintosh OS-X Application Manager Vulnerability
M-008: Sun rpc.yppasswdd Security Vulnerability
M-009: Red Hat Linux PAM Vulnerability
M-010: Red Hat OpenSSH Vulnerability
M-011: Oracle Trace Collection Security Vulnerability
M-012: Oracle File Overwrite Security Vulnerability
M-013: Mac OS X Downloading Applications Vulnerability
M-014: UNIX - Multiple Vulnerabilities In LPD
M-015: Microsoft Universal Plug and Play Request Vulnerability