Computer Security
[EN] securityvulns.ru no-pyccku


Related information

  Microsoft Internet Explorer showHelp crossite scripting

  IE: CHM Attacks are still alive (CHM attack without showHelp())

  showHelp("fi
le:") disables security in IE - Sandblad advisory #11

From:MICROSOFT <secure_(at)_microsoft.com>
Date:07.02.2003
Subject:Microsoft Security Bulletin MS03-004: Cumulative Patch for Internet Explorer (810847)

-----BEGIN PGP SIGNED MESSAGE-----

- -------------------------------------------------------------------

Title:      Cumulative Patch for Internet Explorer (810847)
Date:       05 February 2003
Software:   Microsoft Internet Explorer
Impact:     Allow an attacker to execute commands on a user's
system.
Max Risk:   Critical
Bulletin:   MS03-004

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/ms03-004.asp
http://www.microsoft.com/security/security_bulletins/ms03-004.asp
- -------------------------------------------------------------------


Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5, 6.0. In addition, it
eliminates two newly discovered vulnerabilities involving Internet
Explorer's cross-domain security model - which keeps windows of
different domains from sharing information. These flaws results in
Internet Explorer because incomplete security checking causes
Internet Explorer to allow one website to potentially access
information from another domain when using certain dialog boxes.

In order to exploit this flaw, an attacker would have to host a
malicious web site that contained a web page designed to exploit this
particular vulnerability and then persuade a user to visit that site.
Once the user has visited the malicious web site, it would be
possible for the attacker to run malicious script by misusing a
dialog box and cause that script to access information in a different
domain. In the worst case, this could enable the web site operator to
load malicious code onto a user's system. In addition, this flaw
could also enable an attacker to invoke an executable that was
already present on the local system.

A related cross-domain vulnerability allows Internet Explorer's
showHelp() functionality to execute without proper security
checking. showHelp() is one of the help methods used to display an
HTML page containing help content. showHelp() allows more types of
pluggable protocols than necessary, and this could potentially allow
an attacker to access user information, invoke executables already
present on a user's local system or load malicious code onto a user's
local system.

The requirements to exploit this vulnerability are the same as for
the issue described above: an attacker would have to host and lure a
user to a malicious web site. In this scenario, the attacker could
open a showHelp window to a known local file on the visiting user's
local system and gain access to information from that file by sending
a specially crafted URL to a second showHelp window. The attacker
could also potentially access user information or run code of
attacker's choice.

This cumulative patch will cause window.showHelp( ) to cease to
function. When the latest HTML Help update - which is being released
via Windows Update with this patch - is installed, window.showHelp( )
will function again, but with some limitations (see the caveats
section later in this bulletin). This has been necessary in order to
block the attack vector that might allow a web site operator to
invoke an executable that was already present on a user's local
system.

Mitigating Factors:
====================
- The attacker would have to host a web site that contained a web
page used to exploit either of these cross-domain vulnerabilities.
- The attacker would have no way to force users to visit the site.
Instead, the attacker would need to lure them there, typically by
getting them to click on a link that would take them to the
attacker's site.
- By default, Outlook Express 6.0 and Outlook 2002 open HTML mail
in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open
HTML mail in the Restricted Sites Zone if the Outlook Email Security
Update has been installed. Customers who use any of these products
would be at no risk from an e-mail borne attack that attempted to
exploit this vulnerability unless the user clicked a malicious link
in the email.
- Internet Explorer 5.01 users are not affected by the first
vulnerability.

Risk Rating:
============
- Internet Explorer 5.01: Critical
- Internet Explorer 5.5: Critical
- Internet Explorer 6.0: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletins at

  http://www.microsoft.com/technet/security/bulletin/ms03-004.asp
  http://www.microsoft.com/security/security_bulletins/ms03-004.asp

  for information on obtaining this patch.

Acknowledgment:
===============
- Andreas Sandblad, Sweden for reporting the cross domain
vulnerability using showhelp.

Home User Security Notification Service
=======================================
Microsoft is now offering the Microsoft Security Update, a security
bulletin notification service for home users.  To learn more about
this service, please go to:

http://www.microsoft.com/security/security_bulletins/decision.asp

- -------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPkFrFI0ZSRQxA/UrAQHlSwf7B/TI09fbp5QgCyJ9tKNovkIZKdkYpWq/
V3R6r7Kc59LF2wNgn+f2SGR8Os0WQofRFiEY2hI1UaT4D8gDyloMmHVIF03HrQ8s
z9KTq41JD3WRX6mnGvReUM9mOI47/XV4IW1A4qfTqhla1S5A1OO74y0zGH7TjNnk
kx3vN+6ihvBq+kJz6/hKXSwPJFAg4lMtiRWCZoxBphaVcYWxBGSX2JxevOHN8XD+
Ufc9tHMOC3K0NesA+KCIolRokO2SYjSi1IWfeL0fZc7BDdUns2/KZ9G75SCtZJEZ
ImLXOwlIH+Ah8qGON5WWE+ha3D7AC6ZO91eX2vWJUXLEu8ZISCyo+A==
=m/kr
-----END PGP SIGNATURE-----



*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security
Notification Service.  For more information on this service, please visit
http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at
http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center
at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification
Service via email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web
site at http://www.microsoft.com/security.

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod