__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Microsoft Internet Explorer Cumulative Patch [Microsoft Security Bulletin MS02-005] February 12, 2002 18:00 GMT Number M-041 ______________________________________________________________________________ PROBLEM: Six vulnerabilities have been found in Internet Explorer, the most serious of which allows an intruder to remotely run code on another users system. PLATFORM: Windows Platforms with Internet Explorer 5.01 SP2, 5.5 SP1 and SP2, or 6.0. DAMAGE: Depending on the vulnerability, an intruder can read or execute files on a client system and possibly get remote access to the system. SOLUTION: Apply the 11 February 2002 Cumulative Patch for Internet Explorer available on the Microsoft windowsupdate website. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. Remote users can run code on a clients system ASSESSMENT: and possibly get user access on that system. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-041.shtml ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ security/bulletin/MS02-005.asp PATCHES: http://windowsupdate.microsoft.com ______________________________________________________________________________ [***** Start Microsoft Security Bulletin MS02-005 *****] Microsoft Security Bulletin MS02-005 11 February 2002 Cumulative Patch for Internet Explorer Originally posted: February 11, 2002 Summary Who should read this bulletin: Customers using Microsoft(r) Internet Explorer Impact of vulnerability: Six vulnerabilities, the most serious of which could allow an attacker to run code on another user's system. 
Maximum Severity Rating: Critical

Recommendation: Customers using an affected version of IE should install the
patch immediately.

Affected Software:
  Microsoft Internet Explorer 5.01
  Microsoft Internet Explorer 5.5
  Microsoft Internet Explorer 6.0

Technical details

Technical description:

This is a cumulative patch that, when installed, eliminates all previously
discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6. In
addition, it eliminates the following six newly discovered vulnerabilities:

 - A buffer overrun vulnerability associated with an HTML directive that's
   used to incorporate a document within a web page. By creating a web page
   that invokes the directive using specially selected attributes, an attacker
   could cause code to run on the user's system.

 - A vulnerability associated with the GetObject scripting function. Before
   providing a handle to an operating system object, GetObject performs a
   series of security checks to ensure that the caller has sufficient
   privileges to it. However, by requesting a handle to a file using a
   specially malformed representation, it would be possible to bypass some of
   these checks, thereby allowing a web page to complete an operation that
   should be prevented, namely reading files on a visiting user's system.

 - A vulnerability related to the display of file names in the File Download
   dialogue box. When a file download from a web site is initiated, a dialogue
   provides the name of the file and lets the user choose what action to take.
   However, a flaw exists in the way HTML header fields (specifically, the
   Content-Disposition and Content-Type fields) are handled. This flaw could
   make it possible for an attacker to misrepresent the name of the file in
   the dialogue, in an attempt to trick a user into opening or saving an
   unsafe file.

 - A vulnerability that could allow a web page to open a file on the web site
   using any application installed on a user's system.
   By design, IE should only open a file on a web site using the application
   that's registered to that type of file, and even then only if it's on a
   list of safe applications. However, through a flaw in the handling of the
   Content-Type HTML header field, an attacker could circumvent this
   restriction and specify the application that should be invoked to process
   a particular file. IE would comply, even if the application was listed as
   unsafe.

 - A vulnerability that could enable a web page to run a script even if the
   user has disabled scripting. IE checks for the presence of scripts when
   initially rendering a page. However, the capability exists for objects on
   a page to respond to asynchronous events; by misusing this capability in a
   particular way, it could be possible for a web page to fire a script after
   the page has passed the initial security checks.

 - A newly discovered variant of the "Frame Domain Verification" vulnerability
   discussed in Microsoft Security Bulletin MS01-058. The vulnerability could
   enable a malicious web site operator to open two browser windows, one in
   the web site's domain and the other on the user's local file system, and
   to use the Document.open function to pass information from the latter to
   the former. This could enable the web site operator to read, but not
   change, any file on the user's local computer that could be opened in a
   browser window. In addition, this could be used to misrepresent the URL in
   the address bar in a window opened from their site.

Mitigating factors:

Buffer Overrun in HTML Directive:

 - The vulnerability could not be exploited if the "Run ActiveX Controls and
   Plugins" security option were disabled in the Security Zone in which the
   page was rendered. This is the default condition in the Restricted Sites
   Zone, and can be disabled manually in any other Zone. Outlook 98 and 2000
   (after installing the Outlook Email Security Update), Outlook 2002, and
   Outlook Express 6 all open HTML mail in the Restricted Sites Zone.
   As a result, customers using these products would not be at risk from
   email-borne attacks.

 - The buffer overrun would allow code to run in the security context of the
   user rather than the system. The specific privileges the attacker could
   gain through this vulnerability would therefore depend on the privileges
   accorded to the user.

File Reading via GetObject function:

 - This vulnerability could only be used to read files. It could not be used
   to create, change, delete, or execute them.

 - The attacker would need to know the name and location of the file on the
   user's computer.

 - Some files that would be of interest to an attacker - most notably, the
   SAM database - are locked by the operating system and therefore could not
   be read even using this vulnerability.

 - The email-borne attack scenario would be blocked if the user were using any
   of the following: Outlook 98 or 2000 with the Outlook Email Security Update
   installed; Outlook 2002; or Outlook Express 6.

 - The web-based attack scenario could be blocked by judicious use of the IE
   Security Zones mechanism, such as using the Restricted Sites zone.

File Download Dialogue Spoofing via Content-Type and Content-Disposition
fields:

 - Exploiting this vulnerability would not give an attacker the ability to
   force code to run on a user's system. It would only enable the attacker to
   misrepresent the file name and type in the File Download dialogue. The
   download operation would not occur without the user's approval, and the
   user could cancel at any time.

 - The vulnerability could not be exploited if File Downloads have been
   disabled in the Security Zone in which the e-mail is rendered. This is not
   a default setting in any zone, however.

 - On versions of IE prior to 6.0, the default selection in the file download
   dialogue is to save, rather than open, the file. (In IE 6.0, the default is
   to open the file; however, this behavior is inappropriate, and the patch
   changes IE 6.0 to conform with the behavior of previous versions.)
Application Invocation via Content-Type field:

 - An attacker could only exploit this vulnerability if the application
   specified through the Content-Type field was actually installed on the
   user's system. The vulnerability does not provide any way for the attacker
   to inventory the applications installed on the user's system and select
   one, nor does it provide any way to force the user to install a particular
   application.

 - The vulnerability would not provide any way to circumvent the security
   features of the application or to reconfigure it.

 - Outlook 2002 users who have configured Outlook to render HTML mail as
   plaintext would be at no risk from attack through HTML mail.

Script Execution:

 - This vulnerability extends only to allowing scripts to run - it does not
   allow any other security restrictions to be bypassed. So, for instance,
   although an attacker could use this vulnerability to run a script, the
   script would still be subject to all other expected security settings.

Frame Domain Verification Variant via Document.open function:

 - The vulnerability could only be used to view files. It could not be used to
   create, delete, modify or execute them.

 - The vulnerability would only allow an attacker to read files that can be
   opened in a browser window, such as image files, HTML files and text files.
   Other file types, such as binary files, executable files, Word documents,
   and so forth, could not be read.

 - The attacker would need to specify the exact name and location of the file
   in order to read it.
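Two of the six issues above turn on how a browser reconciles the Content-Type and Content-Disposition response headers: the File Download dialogue may describe a file one way while the application chosen from Content-Type is another. The following is an added example of a header audit a defender could run at a proxy or over web-server logs to surface such inconsistencies; it is not code from the CIAC or Microsoft bulletin. The extension-to-media-type policy table, the heuristics it applies, and the sample headers are this example's own assumptions, constructed for illustration.

```python
"""Audit HTTP download headers for Content-Type / Content-Disposition
inconsistencies of the kind described in MS02-005 (File Download dialogue
spoofing, application invocation via the Content-Type field).

Added example for a proxy or log-review pipeline, not bulletin code. The
policy table, heuristics and sample headers are constructed assumptions.
"""
import re

# Characters that have no business in a file name shown to a user.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Assumed site policy: acceptable media types for a given file extension.
EXPECTED_TYPE_FOR_EXT = {
    ".txt": {"text/plain"},
    ".htm": {"text/html"},
    ".html": {"text/html"},
    ".pdf": {"application/pdf"},
    ".zip": {"application/zip", "application/x-zip-compressed"},
    ".exe": {"application/octet-stream", "application/x-msdownload"},
}
# Every media type the policy knows; anything else on the download path is
# reported so the application it would invoke can be reviewed.
KNOWN_TYPES = set().union(*EXPECTED_TYPE_FOR_EXT.values())

EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta"}


def parse_params(header_value):
    """Split 'main; k=v; k2="v 2"' into ('main', {'k': 'v', 'k2': 'v 2'}).

    Names are lower-cased and surrounding quotes removed. Splitting on ';'
    is a simplification (a quoted value containing ';' would be cut), which
    is acceptable for an audit that prefers noise to silence.
    """
    parts = [p.strip() for p in header_value.split(";")]
    params = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip().strip('"')
    return parts[0].lower(), params


def audit_download_headers(content_type, content_disposition):
    """Return a list of findings for one response; [] means nothing suspicious.

    Either header may be None. Only responses that name a file through
    Content-Disposition are examined, since that name is what the dialogue
    shows the user.
    """
    findings = []
    media_type, _ = parse_params(content_type or "")
    _disposition, dparams = parse_params(content_disposition or "")
    filename = dparams.get("filename")
    if filename is None:
        return findings

    # 1. Presentation tricks that could hide or truncate the real extension.
    if CONTROL_CHARS.search(filename):
        findings.append("control characters in filename")
    if "/" in filename or "\\" in filename:
        findings.append("path separator in filename")
    if re.search(r"\s{2,}", filename):
        findings.append("whitespace padding in filename")

    # 2. What the OS would treat the file as: its final extension.
    stem, dot, last = filename.rstrip().rpartition(".")
    ext = "." + last.lower() if dot else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
        clean_stem = CONTROL_CHARS.sub("", stem)  # look past control bytes
        inner = ("." + clean_stem.rpartition(".")[2].strip().lower()) if "." in clean_stem else ""
        if inner in EXPECTED_TYPE_FOR_EXT:
            findings.append(f"document-looking name {inner} ends in executable {ext}")

    # 3. Declared media type versus extension: the two must tell one story.
    expected = EXPECTED_TYPE_FOR_EXT.get(ext)
    if expected and media_type not in expected:
        findings.append(f"Content-Type {media_type!r} does not match extension {ext}")

    # 4. Media types outside policy: review which handler would be invoked.
    if media_type and media_type not in KNOWN_TYPES:
        findings.append(f"media type {media_type!r} is not on the download allowlist")
    return findings


# Constructed sample responses (label, Content-Type, Content-Disposition);
# not captured traffic.
SAMPLE_RESPONSES = [
    ("clean", "text/plain", 'attachment; filename="notes.txt"'),
    ("mismatch", "application/octet-stream", 'attachment; filename="readme.txt"'),
    ("masked", "application/x-msdownload",
     'attachment; filename="report.txt                      .exe"'),
    ("control", "text/html", 'attachment; filename="page.htm\x01.exe"'),
    ("unlisted", "application/x-custom-handler", 'attachment; filename="data.xyz"'),
]


def audit_all(responses=SAMPLE_RESPONSES):
    """Map each labelled response to its list of findings."""
    return {label: audit_download_headers(ct, cd) for label, ct, cd in responses}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(f"{label:9s} {'OK' if not findings else '; '.join(findings)}")
```

The checks are deliberately heuristic: a clean response yields no findings, a type/extension disagreement yields one, and a name that carries padding, control bytes or an executable suffix yields several. The fourth check is the one relevant to the application-invocation issue, since a media type outside policy is exactly the case where the browser would have to pick a handler the site has not vetted.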
Severity Rating:

Buffer Overrun in HTML Directive:
                          Internet Servers  Intranet Servers  Client Systems
  Internet Explorer 5.01  None              None              None
  Internet Explorer 5.5   Critical          Critical          Critical
  Internet Explorer 6.0   Critical          Critical          Critical

File Reading via GetObject function:
                          Internet Servers  Intranet Servers  Client Systems
  Internet Explorer 5.01  Moderate          Moderate          Critical
  Internet Explorer 5.5   Moderate          Moderate          Critical
  Internet Explorer 6.0   Moderate          Moderate          Critical

File Download Dialogue Spoofing via Content-Type and Content-ID fields:
                          Internet Servers  Intranet Servers  Client Systems
  Internet Explorer 5.01  Moderate          Moderate          Moderate
  Internet Explorer 5.5   Moderate          Moderate          Moderate
  Internet Explorer 6.0   Moderate          Moderate          Moderate

Application Invocation via Content-Type field:
                          Internet Servers  Intranet Servers  Client Systems
  Internet Explorer 5.01  Moderate          Moderate          Moderate
  Internet Explorer 5.5   Moderate          Moderate          Moderate
  Internet Explorer 6.0   Moderate          Moderate          Moderate

Script Execution:
                          Internet Servers  Intranet Servers  Client Systems
  Internet Explorer 5.01  None              None              None
  Internet Explorer 5.5   Moderate          Moderate          Moderate
  Internet Explorer 6.0   Moderate          Moderate          Moderate

Frame Domain Verification Variant via Document.open function:
                          Internet Servers  Intranet Servers  Client Systems
  Internet Explorer 5.01  None              None              None
  Internet Explorer 5.5   Moderate          Moderate          Critical
  Internet Explorer 6.0   Moderate          Moderate          Critical

Aggregate severity of all vulnerabilities eliminated by patch:
                          Internet Servers  Intranet Servers  Client Systems
  Internet Explorer 5.01  Moderate          Moderate          Critical
  Internet Explorer 5.5   Critical          Critical          Critical
  Internet Explorer 6.0   Critical          Critical          Critical

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.
Vulnerability identifier:

  Buffer overrun:                                          CAN-2002-0022
  File reading via GetObject function:                     CAN-2002-0023
  File download spoofing via Content-Type and
    Content-ID fields:                                     CAN-2002-0024
  Application Invocation via Content-Type field:           CAN-2002-0025
  Script execution:                                        CAN-2002-0026
  Frame Domain Verification Variant via Document.open
    function:                                              CAN-2002-0027

Patch availability

Download locations for this patch:
  http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp

Additional information about this patch

Installation platforms:

 - The IE 5.01 patch can be applied to Windows 2000 systems with Service Pack
   2 running IE 5.01.
 - The IE 5.5 patch can be installed on systems running IE 5.5 Service Pack 1
   or Service Pack 2.
 - The IE 6.0 patch can be installed on systems running IE 6.0 Gold.

Inclusion in future service packs:

 - The fixes for these issues will be included in IE 6.0 Service Pack 1.
 - The fixes for the issues affecting IE 5.01 Service Pack 2 will be included
   in Windows 2000 Service Pack 3.

Reboot needed: Yes

Superseded patches: This patch supersedes the one provided in Microsoft
Security Bulletin MS01-058, which is itself a cumulative patch.

Verifying patch installation:

 - To verify that the patch has been installed on the machine, open IE, select
   Help, then select About Internet Explorer and confirm that Q316059 is
   listed in the Update Versions field.
 - To verify the individual files, use the patch manifest provided in
   Knowledge Base article Q316059.

Caveats: None

Localization: Localized versions of this patch are available at the locations
discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

 - Security patches are available from the Microsoft Download Center, and can
   be most easily found by doing a keyword search for "security_patch".
 - Patches for consumer platforms are available from the WindowsUpdate web
   site.
 - All patches available via WindowsUpdate are also available in a
   redistributable form from the WindowsUpdate Corporate site.

Other information:

Acknowledgments

Microsoft thanks the following people for working with us to protect
customers:

 - The dH team and the SECURITY.NNOV team for reporting the buffer overrun
   vulnerability.
 - Sandro Gauci of GFI security labs (http://www.gfi.com) for reporting the
   application invocation vulnerability.

Support:

 - Microsoft Knowledge Base articles Q316059, Q317727, Q317726, Q317745,
   Q317729, and Q317742 discuss these issues and will be available
   approximately 24 hours after the release of this bulletin. Knowledge Base
   articles can be found on the Microsoft Online Support web site.
 - Technical support is available from Microsoft Product Support Services.
   There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the possibility
of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation
may not apply.

Revisions:

 - V1.0 (February 11, 2002): Bulletin Created.
[***** End Microsoft Security Bulletin MS02-005 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of the Microsoft Security Team
for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security incident
response team for the U.S. Department of Energy (DOE) and the emergency backup
response team for the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore, California. CIAC is
also a founding member of FIRST, the Forum of Incident Response and Security
Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government.
Neither the United States Government nor the University of California nor any
of their employees makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-031: Buffer Overflow in System V Derived Login
M-032: HP-UX Security Vulnerability with wu-ftpd 2.6
M-033: Snort IDS Denial of Service Vulnerability
M-034: Windows File Wiping Utilities Miss Alternate Data Streams
M-035: Red Hat Linux "rsync" Vulnerability
M-036: Microsoft Windows NT/2000 Trust Domain Vulnerability
M-037: Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module
M-038: Cisco Secure Access Control Server NDS User Authentication Vulnerability
M-039: Microsoft Telnet Server Buffer Overflow Vulnerability
M-040: MS Exchange - Incorrectly Sets Remote Registry Permissions