__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       | /_\  /
                      \___  __|__ /   \ \___
__________________________________________________________

                          INFORMATION BULLETIN

             Microsoft Cumulative Patch for Internet Explorer
                  [Microsoft Security Bulletin MS03-004]

February 6, 2003 18:00 GMT                                        Number N-038
______________________________________________________________________________
PROBLEM:       In addition to including the functionality of all previously
               released patches for Internet Explorer 5.01, 5.5 and 6.0,
               this patch also eliminates two newly discovered
               vulnerabilities involving Internet Explorer's cross-domain
               security model.

PLATFORM:      Microsoft Internet Explorer 5.01, 5.5, and 6.0

DAMAGE:        An attacker could run malicious script by misusing a dialog
               box and cause that script to access information in a
               different domain. The same flaw could also enable an attacker
               to invoke an executable that was already present on the local
               system.

SOLUTION:      Apply available patches.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. In order to exploit this flaw, an attacker
ASSESSMENT:    would have to host a malicious web site that contained a web
               page designed to exploit this particular vulnerability and
               then persuade a user to visit that site.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-038.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-004.asp
 PATCHES:            http://www.microsoft.com/windows/ie/downloads/critical/810847/default.asp
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS03-004 *****]

Microsoft Security Bulletin MS03-004

Cumulative Patch for Internet Explorer (810847)

Originally posted: February 5, 2003

Summary

Who should read this bulletin: Customers using Microsoft® Internet Explorer.

Impact of vulnerability: Allow an attacker to execute commands on a user's
system.

Maximum Severity Rating: Critical

Recommendation: Customers should install the patch immediately.

Affected Software:
 - Microsoft Internet Explorer 5.01
 - Microsoft Internet Explorer 5.5
 - Microsoft Internet Explorer 6.0

End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-004.asp

Technical details

Technical description:

This is a cumulative patch that includes the functionality of all previously
released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates two
newly discovered vulnerabilities involving Internet Explorer's cross-domain
security model, which keeps windows of different domains from sharing
information. These flaws arise because incomplete security checking allows
one web site to access information from another domain when certain dialog
boxes are used. In order to exploit this flaw, an attacker would have to host
a malicious web site that contained a web page designed to exploit this
particular vulnerability and then persuade a user to visit that site.
Once the user has visited the malicious web site, it would be possible for
the attacker to run malicious script by misusing a dialog box and cause that
script to access information in a different domain. In the worst case, this
could enable the web site operator to load malicious code onto a user's
system. In addition, this flaw could also enable an attacker to invoke an
executable that was already present on the local system.

A related cross-domain vulnerability allows Internet Explorer's showHelp()
functionality to execute without proper security checking. showHelp() is one
of the help methods used to display an HTML page containing help content.
showHelp() allows more types of pluggable protocols than necessary, and this
could potentially allow an attacker to access user information, invoke
executables already present on a user's local system or load malicious code
onto a user's local system. The requirements to exploit this vulnerability
are the same as for the issue described above: an attacker would have to host
a malicious web site and lure a user to it. In this scenario, the attacker
could open a showHelp window to a known local file on the visiting user's
system and gain access to information from that file by sending a specially
crafted URL to a second showHelp window. The attacker could also potentially
access user information or run code of the attacker's choice.

This cumulative patch will cause window.showHelp() to cease to function.
When the latest HTML Help update, which is being released via Windows Update
with this patch, is installed, window.showHelp() will function again, but
with some limitations (see the Caveats section later in this bulletin). This
has been necessary in order to block the attack vector that might allow a web
site operator to invoke an executable that was already present on a user's
local system.
Mitigating factors:

 - The attacker would have to host a web site that contained a web page used
   to exploit either of these cross-domain vulnerabilities. The attacker
   would have no way to force users to visit the site. Instead, the attacker
   would need to lure them there, typically by getting them to click on a
   link that would take them to the attacker's site.

 - By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the
   Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in
   the Restricted Sites Zone if the Outlook Email Security Update has been
   installed. Customers who use any of these products would be at no risk
   from an e-mail borne attack that attempted to exploit this vulnerability
   unless the user clicked a malicious link in the email.

 - Internet Explorer 5.01 users are not affected by the first vulnerability.

Severity Rating:

 Internet Explorer 5.01    Critical
 Internet Explorer 5.5     Critical
 Internet Explorer 6.0     Critical

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier:

 - Improper Cross Domain Security Validation with dialog box: CAN-2003-1326
 - Improper Cross Domain Security Validation with ShowHelp functionality:
   CAN-2003-1328

Tested Versions:

Microsoft tested Internet Explorer 6.0, 5.5 and 5.01 to assess whether they
are affected by these vulnerabilities. Previous versions are no longer
supported and may or may not be affected.

Patch availability

Download locations for this patch:
http://www.microsoft.com/windows/ie/downloads/critical/810847/default.asp

Additional information about this patch

Installation platforms:

 - The IE 5.01 patch can be installed on the following systems running
   IE 5.01 Service Pack 3: Windows 2000 Service Pack 3.
 - The IE 5.5 patch can be installed on the following systems running IE 5.5
   Service Pack 2: Windows Millennium.

 - The IE 6.0 patch can be installed on the following systems running IE 6.0
   Gold: Windows XP Gold.

 - The IE 6.0 Service Pack 1 patch can be installed on the following systems
   running IE 6.0 Service Pack 1: Windows XP Service Pack 1, Windows 2000
   Service Pack 3, Windows NT 4.0 Service Pack 6a, Windows Millennium or
   Windows 98.

More information on Windows support lifecycles is available at
http://www.microsoft.com/windows/lifecycle/desktop/business/components.mspx

Inclusion in future service packs: The fixes for the issues affecting
Internet Explorer 6.0 will be included in Internet Explorer 6.0 Service
Pack 2.

Reboot needed: Yes

Patch can be uninstalled: No

Superseded patches: This patch supersedes the ones provided in Microsoft
Security Bulletins MS02-068 and MS02-066, which are also cumulative patches.

Verifying patch installation: To verify that the patch has been installed,
open IE, select Help, then select About Internet Explorer and confirm that
Q810847 is listed in the Update Versions field. To verify the individual
files, use the patch manifest provided in Knowledge Base article 810847.

Caveats: Users who apply this patch will not be able to use some HTML Help
functionality. In order to restore that functionality, users need to download
the updated HTML Help control (811630). Users should also note that when the
latest version of HTML Help is installed, the following limitations will
apply when a help file is opened with the showHelp method:

 - Only supported protocols can be used with showHelp to open a web page or
   help (chm) file.

 - The shortcut function supported by HTML Help will be disabled when the
   help file is opened with showHelp. This will not affect the shortcut
   functionality if the same CHM file is opened by the user manually by
   double-clicking on the help file, or through an application on the local
   system using the HtmlHelp() API.
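The following is an added illustration and is not Microsoft's code, nor code
from the bulletin. It ties the technical description above (showHelp "allows
more types of pluggable protocols than necessary") to the first caveat ("only
supported protocols can be used with showHelp"): a denylist of the schemes
everyone remembers still passes Internet Explorer's other pluggable protocols
(res:, ms-its:, mk:) and bare relative paths, whereas parsing the URL and
accepting only an allowlist of schemes does not. The two scheme sets and all
sample URLs are assumptions constructed for the example; it runs under
Node.js, where URL is a global.

```javascript
// Added illustration; not Microsoft's showHelp() code and not taken from the
// bulletin. It contrasts two ways a help-window opener can decide which URLs
// it will load: a denylist of "known bad" schemes (the shape that lets
// "more types of pluggable protocols than necessary" through) and an
// allowlist of supported schemes applied to a parsed URL (the shape the
// patch caveat describes). Scheme sets and sample URLs are assumptions.

// Denylist: blocks the schemes everyone remembers and passes everything else.
const DENIED_SCHEMES = ["javascript:", "vbscript:", "file:"];

function denylistAllows(raw) {
  const s = String(raw).trim().toLowerCase();
  // res:, ms-its:, mk:, about: and bare relative paths all come back true.
  return !DENIED_SCHEMES.some((bad) => s.startsWith(bad));
}

// Allowlist: parse first, then accept only the schemes the feature needs.
// Unparseable input (relative paths, empty strings) is rejected outright.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function allowlistAllows(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw).trim());
  } catch {
    return false;
  }
  // The parser lower-cases the scheme, so "HTTP://..." compares as "http:".
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed sample inputs of the kind a help/dialog opener would see.
const SAMPLE_URLS = [
  "https://help.example.test/topic.htm",
  "HTTP://help.example.test/topic.htm",
  "javascript:alert(document.cookie)",
  " JAVASCRIPT:alert(1)",
  "file:///C:/boot.ini",
  "res://mshtml.dll/blank.htm",
  "ms-its:C:/Windows/Help/ntart.chm::/welcome.htm",
  "/local/relative.htm",
];

// Run both policies over the samples and report each verdict.
function compare(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    denylist: denylistAllows(url),
    allowlist: allowlistAllows(url),
  }));
}

// URLs the denylist would have loaded but the allowlist refuses.
function denylistGaps(urls = SAMPLE_URLS) {
  return compare(urls)
    .filter((r) => r.denylist && !r.allowlist)
    .map((r) => r.url);
}

for (const r of compare()) {
  const verdict = (ok) => (ok ? "allow" : "block");
  console.log(
    `denylist=${verdict(r.denylist)}  allowlist=${verdict(r.allowlist)}  ${r.url}`
  );
}
```

Run with node; it prints one verdict line per sample, and denylistGaps()
returns the three inputs the denylist passes but the allowlist refuses: the
res: and ms-its: URLs, which resolve to content on the local machine, and the
relative path, which resolves against whatever base the opening window has.
The allowlist here is deliberately narrower than what the updated HTML Help
control accepts (the bulletin does not enumerate its supported protocols);
widen it only with schemes the feature actually needs, never with one that
lets a page from the Internet zone reach local content.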
Localization: Localized versions of this patch are available at the locations
discussed in "Patch Availability".

Obtaining other security patches: Patches for other security issues are
available from the following locations:

 - Security patches are available from the Microsoft Download Center, and can
   be most easily found by doing a keyword search for "security_patch".

 - Patches for consumer platforms are available from the WindowsUpdate web
   site.

Other information:

Acknowledgments

Microsoft thanks Andreas Sandblad, Sweden, for reporting the cross-domain
vulnerability using showHelp and for working with us to protect customers.

Support: Microsoft Knowledge Base article 810847 discusses this issue and
will be available approximately 24 hours after the release of this bulletin.
Knowledge Base articles can be found on the Microsoft Online Support web
site. Technical support is available from Microsoft Product Support Services.
There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer: The information provided in the Microsoft Knowledge Base is
provided "as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall
Microsoft Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its suppliers
have been advised of the possibility of such damages. Some states do not
allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

Revisions:
 - V1.0 (February 5, 2003): Bulletin Created.
 - V1.1 (February 6, 2003): Revised to provide additional clarification on
   installation platforms.
[***** End Microsoft Security Bulletin MS03-004 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor any
of their employees makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-028: Vulnerabilities in SSH2 Implementations from Multiple Vendors
N-029: Microsoft Unchecked Buffer in Windows Shell Vulnerability
N-030: HP: Sendmail Restricted Shell (smrsh) Vulnerability
N-031: Buffer Overflows in ISC DHCPD Minires Library
N-032: Double-Free Bug in Concurrent Versions System (CVS) Server
N-033: Unchecked Buffer in Locator Service Vulnerability
N-034: Cumulative Patch for Microsoft Content Management Server
N-035: Microsoft V1 Exchange Server Security Certificates Vulnerability
N-036: Updated kerberos packages fix vulnerability in ftp client
N-037: Multiple Vulnerabilities in Old Releases of MIT Kerberos