From: MICROSOFT <secure_(at)_microsoft.com>
Date: 21.11.2002
Subject: Microsoft Security Bulletin MS02-066: Cumulative Patch for Internet Explorer (Q328970)

----------------------------------------------------------------------
Title:      Cumulative Patch for Internet Explorer (Q328970)
Date:       20 November 2002
Software:   Internet Explorer
Impact:     Execute commands on a user's system
Max Risk:   Important
Bulletin:   MS02-066

Microsoft encourages customers to review the Security Bulletins at:

http://www.microsoft.com/security/security_bulletins/ms02-066.asp
http://www.microsoft.com/technet/security/bulletin/MS02-066.asp


----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and 6.0. In addition,
it eliminates the following six newly discovered vulnerabilities:


- A buffer overrun vulnerability that occurs because Internet
 Explorer does not correctly check the parameters of a PNG graphics
 file when it is opened. To the best of Microsoft's knowledge, this
 vulnerability could only be used to cause Internet Explorer to
 fail. The effect of exploiting the vulnerability against Internet
 Explorer would be relatively minor - the user would only need to
 restart the browser to restore normal operation. However, a number
 of other Microsoft products - notably, most Microsoft Office
 products and Microsoft Index Server - rely on Internet Explorer to
 render PNG files, and exploiting the vulnerability against such an
 application would cause them to fail as well. Because of this,
 Microsoft recommends that customers install this patch regardless
 of whether they are using Internet Explorer as their primary web
 browser.

- An information disclosure vulnerability related to the way that
 Internet Explorer handles encoded characters in a URL. This
 vulnerability could allow an attacker to craft a URL containing
 some encoded characters that would redirect a user to a second web
 site. If a user followed the URL, the attacker would be able to
 piggy-back the user's access to the second website. This could
 allow the attacker to access any information the user shared with
 the second web site.

- A vulnerability that occurs because under certain circumstances
 Internet Explorer does not correctly check the component that the
 OBJECT tag calls. This could allow an attacker to obtain the name
 of the Temporary Internet Files folder on the user's local machine.
 The vulnerability would not allow an attacker to read or modify
 any files on the user's local system, since the Temporary Internet
 Files folder resides in the Internet security zone. Knowledge of
 the name of the Temporary Internet Files folder could allow an
 attacker to identify the username of the logged-on user and read
 other information in the Temporary Internet Files folder such as
 cookies.

- Three vulnerabilities that, although having differing root causes,
 have the same net effects. All three vulnerabilities result
 because of incomplete security checks being carried out when using
 particular programming techniques in web pages, and would have the
 effect of allowing one website to access information in another
 domain, including the user's local system. This could enable the
 web site operator to read, but not change, any file on the user's
 local computer that could be viewed in a browser window. In
 addition, this could also enable an attacker to invoke an
 executable that was already present on the local system.

In addition, the patch sets the Kill Bit on a legacy DirectX
ActiveX control which has been retired but which has a security
vulnerability. This has been done to ensure that the vulnerable
control cannot be reintroduced onto users' systems and ensures
that users who already have the control on their system are
protected. This is discussed further in Microsoft Knowledge Base
Article 810202.

The patch also makes a further refinement to the cross domain
verification check that was first introduced in Internet Explorer
Service Pack 1.

Mitigating Factors:
====================

With the exception of the Malformed PNG Image File Failure, there
are common mitigating factors across all of the vulnerabilities:

- The attacker would have to host a web site that contained a web
 page used to exploit the particular vulnerability.
- The attacker would have no way to force users to visit the site.
 Instead, the attacker would need to lure them there, typically by
 getting them to click on a link that would take them to the
 attacker's site.
- By default, Outlook Express 6.0 and Outlook 2002 open HTML mails
 in the Restricted Sites Zone. In addition, Outlook 98 and 2000
 open HTML mails in the Restricted Sites Zone if the Outlook Email
 Security Update has been installed. Customers who use any of these
 products would be at no risk from an e-mail borne attack that
 attempted to exploit these vulnerabilities.

In addition, there are a number of individual mitigating factors:

Malformed PNG Image File Failure

- Internet Explorer and other affected applications such as
 Microsoft Office and Microsoft Index Server could be successfully
 restarted after the failure.
- Microsoft has not identified a method by which this buffer
 overrun can be used to execute code of the attacker's choice on
 the user's system.
- This vulnerability is not present in Internet Explorer 6 Service
 Pack 1.

Encoded Characters Information Disclosure

- The vulnerability would not enable an attacker to read, modify
 or execute any files on the local system.

Temporary Internet Files folder Name Reading

- An attacker could not use this vulnerability to read, delete or
 modify any files on the user's local system other than information
 contained in the Temporary Internet Files folder.
- An attacker could only exploit this vulnerability by having a
 user visit a malicious web site and then follow a malformed link
 on this malicious web site to a second web site that the user
 trusted.
- This vulnerability is not present in Internet Explorer 6 Service
 Pack 1.

Frames Cross Site Scripting, Cross Domain Verification via Cached
Methods & Improper Cross Domain Security Validation with Frames

- The vulnerabilities would only allow an attacker to read files
 on the user's local system that can be rendered in a browser
 window, such as image files, HTML files and text files.
- The vulnerabilities would not provide any way for an attacker to
 put a program of their choice onto another user's system.
- An attacker would need to know the name and location of any file
 on the system to successfully invoke it.
- The vulnerabilities could only be used to view or invoke local
 executables. They could not be used to create, delete, or modify
 arbitrary or malicious files.

Risk Rating:
============
- Important

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletin at
  http://www.microsoft.com/technet/security/bulletin/ms02-066.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- Microsoft thanks eEye Digital Security for reporting the
malformed PNG issue to us and working with us to protect customers.

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE
EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.



