              __________________________________________________________

                        The U.S. Department of Energy
                    Computer Incident Advisory Capability
                            ___  __ __    _     ___
                           /       |  /_\   /
                           \___  __|__ /   \ \___
              __________________________________________________________

                             INFORMATION BULLETIN

                 Microsoft Internet Explorer Cumulative Patch
                    [Microsoft Security Bulletin MS04-004]

February 2, 2004 21:00 GMT                                        Number O-068
                                                         [REVISED 11 Feb 2004]
______________________________________________________________________________
PROBLEM:       Microsoft has released a new cumulative patch for Internet
               Explorer (IE) that covers the following vulnerabilities:
               1) cross-domain security: an attacker could execute a
                  malicious script in the Local Machine zone.
               2) drag-and-drop operations: an attacker could save a
                  malicious file in a target location on a user's system.
               3) incorrect parsing of URLs: an attacker could cause the
                  misrepresentation of a URL in IE.
               This update replaces the one that is provided in Microsoft
               Security Bulletin MS03-048 (CIAC O-021).

PLATFORM:      Windows NT Workstation 4.0 Service Pack 6a
               Windows NT Server 4.0 Service Pack 6a
               Windows NT Server 4.0 Terminal Edition Service Pack 6
               Windows 2000 Service Pack 2, 3 and 4
               Windows XP Service Pack 1
               Windows XP 64-bit Edition Service Pack 1
               Windows XP 64-bit Edition Version 2003
               Windows Server 2003
               Windows Server 2003, 64-bit Edition

SOFTWARE:      Internet Explorer 5.01, 5.5 and 6

DAMAGE:        A malicious Web site operator could access unauthorized
               information in another domain or on a user's system. An
               attacker could also run arbitrary code of their choice.

SOLUTION:      Apply Microsoft's cumulative patch.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. If an attacker successfully exploits these
ASSESSMENT:    vulnerabilities on a system where the logged-in user has root
               authority, the attacker could gain root access.
               In all three cases, the attacker would need to entice a user
               to click on a link to visit a maliciously hosted web site.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-068.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?
                     url=/technet/security/bulletin/MS04-004.asp
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2003-1026, CAN-2003-1027, CAN-2003-1025
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS04-004 *****]

Microsoft Security Bulletin MS04-004
Cumulative Security Update for Internet Explorer (832894)

Issued: February 2, 2004
Updated: February 9, 2004
Version Number: 1.4

Summary

Who should read this document: Customers who are using Microsoft® Internet
Explorer

Impact of vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the security update
immediately.

Security Update Replacement: This update replaces the one that is provided in
Microsoft Security Bulletin MS03-048, which is itself a cumulative update.

Caveats: Installing this Security Update will invalidate the usernames and
passwords stored in Internet Explorer's protected store. This will require
users to re-enter their username and password when they first visit web sites
that require authentication.
Tested Software and Security Update Download Locations:

Affected Software:
- Microsoft Windows NT® Workstation 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition
  Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server® 2003
- Microsoft Windows Server 2003, 64-Bit Edition

Tested Microsoft Windows and Office Components:

Affected Components:
- Internet Explorer 6 Service Pack 1: Download the update.
- Internet Explorer 6 Service Pack 1 (64-Bit Edition): Download the update.
- Internet Explorer 6 for Windows Server 2003: Download the update.
- Internet Explorer 6 for Windows Server 2003 (64-Bit Edition): Download the
  update.
- Internet Explorer 6: Download the update.
- Internet Explorer 5.5 Service Pack 2: Download the update.
- Internet Explorer 5.01 Service Pack 4: Download the update.
- Internet Explorer 5.01 Service Pack 3: Download the update.
- Internet Explorer 5.01 Service Pack 2: Download the update.

The software listed above has been tested to determine if the versions are
affected. Other versions either no longer include security update support or
may not be affected. Review the Microsoft Support Lifecycle Web site to
determine the support lifecycle for your product and version.

Technical Details

This is a cumulative update that includes the functionality of all the
previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5,
and Internet Explorer 6.0. Additionally, it eliminates the following three
newly-discovered vulnerabilities:

- A vulnerability that involves the cross-domain security model of Internet
  Explorer. The cross domain security model of Internet Explorer keeps windows
  of different domains from sharing information.
  This vulnerability could result in the execution of script in the Local
  Machine zone. To exploit this vulnerability, an attacker would have to host
  a malicious Web site that contained a Web page designed to exploit the
  vulnerability and then persuade a user to view the Web page. The attacker
  could also create an HTML e-mail message designed to exploit the
  vulnerability and persuade the user to view the HTML e-mail message. After
  the user has visited the malicious Web site or viewed the malicious HTML
  e-mail message, an attacker who exploited this vulnerability could access
  information from other Web sites, access files on a user's system, and run
  arbitrary code on a user's system. This code would run in the security
  context of the currently logged on user.

- A vulnerability that involves performing a drag-and-drop operation with
  function pointers during dynamic HTML (DHTML) events in Internet Explorer.
  This vulnerability could allow a file to be saved in a target location on
  the user's system if the user clicked a link. No dialog box would request
  that the user approve this download. To exploit this vulnerability, an
  attacker would have to host a malicious Web site that contained a Web page
  that had a specially-crafted link. The attacker would then have to persuade
  a user to click that link. The attacker could also create an HTML e-mail
  message that had a specially-crafted link, and then persuade the user to
  view the HTML e-mail message and then click the malicious link. If the user
  clicked this link, code of the attacker's choice would not be executed, but
  could be saved on the user's computer in a targeted location.

- A vulnerability that involves the incorrect parsing of URLs that contain
  special characters. When combined with a misuse of the basic authentication
  feature that has "username:password@" at the beginning of a URL, this
  vulnerability could result in a misrepresentation of the URL in the address
  bar of an Internet Explorer window.
  To exploit this vulnerability, an attacker would have to host a malicious
  Web site that contained a Web page that had a specially-crafted link. The
  attacker would then have to persuade a user to click that link. The attacker
  could also create an HTML e-mail message that had a specially-crafted link,
  and then persuade the user to view the HTML e-mail message and then click
  the malicious link. If the user clicked this link, an Internet Explorer
  window could open with a URL of the attacker's choice in the address bar,
  but with content from a Web site of the attacker's choice inside the window.
  For example, an attacker could create a link that, once clicked on by a
  user, would display http://www.tailspintoys.com in the address bar, but
  actually contained content from another Web site, such as
  http://www.wingtiptoys.com. (Note: these web sites are provided as an
  example only, and both redirect to http://www.microsoft.com.)

As with the previous Internet Explorer cumulative updates that were released
with bulletins MS03-004, MS03-015, MS03-020, MS03-032, MS03-040, and MS03-048,
this cumulative update causes the window.showHelp( ) control to no longer work
if you have not applied the HTML Help update. If you have installed the
updated HTML Help control from Microsoft Knowledge Base article 811630, you
will still be able to use HTML Help functionality after you apply this update.

This Internet Explorer cumulative update also includes a change to the
functionality of a Basic Authentication feature in Internet Explorer. The
update removes support for handling user names and passwords in HTTP and HTTP
with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer.
The following URL syntax is no longer supported in Internet Explorer or
Windows Explorer after you install this software update:

    http(s)://username:password@server/resource.ext

For more information about this change, please see Microsoft Knowledge Base
article 834489.
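As an added example (not code from the Microsoft bulletin or from CIAC), a small link checker that flags the http(s) URL form the update stops honouring, and singles out links whose part before "@" reads like a host name, the display-spoofing shape the bulletin illustrates with tailspintoys.com and wingtiptoys.com. The host-name heuristic and the sample links are this example's own assumptions.

```python
"""Defender-side check for "username:password@" in http(s) links.

Added example, not Microsoft's or CIAC's code. Flags links that embed a
userinfo component (the syntax MS04-004 removes support for) and marks the
ones whose userinfo looks like a host name, since that is what a user reading
the address bar would mistake for the real site. Sample links are constructed.
"""
import re
from urllib.parse import urlsplit

# Heuristic (an assumption of this example): userinfo that reads like a
# dotted host name is the shape most likely to mislead a user.
HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def inspect_url(url):
    """Describe one link: the real host, any embedded user name, and a
    'flag' that is True when the link deserves a closer look."""
    result = {
        "url": url,
        "host": None,
        "username": None,
        "userinfo_hostlike": False,
        "control_chars": False,
        "flag": False,
    }
    # The bulletin speaks of "special characters" without naming them; any
    # C0 control character or DEL inside a link is reason enough to flag it.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        result["control_chars"] = True
        result["flag"] = True

    parts = urlsplit(url)
    result["host"] = parts.hostname
    # Only HTTP and HTTPS are covered by the change; other schemes pass
    # through this check unflagged.
    if parts.scheme.lower() not in ("http", "https"):
        return result
    # urlsplit exposes the part before "@" as username/password and the part
    # after it as hostname, i.e. the host the content really comes from.
    if parts.username is not None:
        result["username"] = parts.username
        result["userinfo_hostlike"] = bool(HOSTLIKE.match(parts.username))
        result["flag"] = True
    return result


def scan_links(links):
    """Run inspect_url over a list of links and return only the flagged ones."""
    return [r for r in (inspect_url(u) for u in links) if r["flag"]]


if __name__ == "__main__":
    # Constructed sample links; the two example domains are the ones the
    # bulletin itself uses in its illustration.
    SAMPLE = [
        "https://www.microsoft.com/technet/security/bulletin/MS04-004.asp",
        "http://www.tailspintoys.com@www.wingtiptoys.com/",
        "http://user:secret@intranet.example/report.ext",
        "ftp://anonymous:guest@files.example/pub/",
    ]
    for hit in scan_links(SAMPLE):
        kind = ("host-like userinfo" if hit["userinfo_hostlike"]
                else "embedded credentials")
        print(f"{hit['url']}  ->  real host {hit['host']!r} ({kind})")
```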
This update will also invalidate usernames and passwords that were previously
cached in Internet Explorer's protected store. After installing this update,
users will be prompted to type their usernames and password in order to
access authenticated sites. If the user selects the "Remember my password"
check-box, they will continue to be stored locally after the initial visit to
these Web sites. More information is available in the Frequently Asked
Questions section of this document.

Additionally, this update will disallow navigation to "username:password@host.com"
URLs for XMLHTTP. Microsoft is currently creating an update to MSXML that will
address this issue specifically for XMLHTTP. More information can be found in
Knowledge Base Article 832414.

The update also refines a change made in Internet Explorer 6 Service Pack 1,
which prevents web pages in the Internet Security zone from navigating to the
local computer zone. This is discussed further in the "Frequently Asked
Questions" section of this bulletin.

Mitigating factors:

There are three common mitigating factors for both the Cross Domain
Vulnerability and Drag-and-Drop Operation Vulnerability:

- By default, Internet Explorer on Windows Server 2003 runs in Enhanced
  Security Configuration. This default configuration of Internet Explorer
  blocks automatic exploitation of this attack. If Internet Explorer Enhanced
  Security Configuration has been disabled, the protections that are put in
  place that prevent these vulnerabilities from being automatically exploited
  would be removed.

- In the Web-based attack scenario, the attacker would have to host a Web
  site that contains a Web page that is used to exploit these
  vulnerabilities. An attacker would have no way to force a user to visit a
  malicious Web site. Instead, the attacker would have to lure them there,
  typically by getting them to click a link that takes them to the attacker's
  site.
- By default, Outlook Express 6.0, Outlook 2002 and Outlook 2003 open HTML
  e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
  2000 open HTML e-mail messages in the Restricted sites zone if the Outlook
  E-mail Security Update has been installed. The risk of attack from the HTML
  email vector can be significantly reduced if the following conditions are
  met:
  - You have applied the update included with Microsoft Security bulletin
    MS03-040 or MS03-048
  - You are using Internet Explorer 6 or later
  - You are using the Microsoft Outlook Email Security Update or Microsoft
    Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or later in its
    default configuration.

If an attacker exploited these vulnerabilities, they would gain only the same
privileges as the user. Users whose accounts are configured to have few
privileges on the system would be at less risk than users who operate with
administrative privileges.

Severity Rating:
----------------------------------------------------------------------------
                                  Internet Explorer 5.01   Internet Explorer
                                  SP2, SP3, SP4            5.5 SP2
----------------------------------------------------------------------------
Cross-Domain Vulnerability        Critical                 Critical
----------------------------------------------------------------------------
Drag-and-Drop Operation           Important                Important
Vulnerability
----------------------------------------------------------------------------
Improper URL Canonicalization     Important                Important
----------------------------------------------------------------------------
Aggregate Severity of All Issues  Critical                 Critical
Included in This Update
----------------------------------------------------------------------------

Severity Rating:
----------------------------------------------------------------------------
                                  Internet Explorer 6 and Internet Explorer 6
                                  SP1 (All versions earlier than Windows
                                  Server 2003)
----------------------------------------------------------------------------
Cross-Domain Vulnerability        Critical
----------------------------------------------------------------------------
Drag-and-Drop Operation           Important
Vulnerability
----------------------------------------------------------------------------
Improper URL Canonicalization     Important
----------------------------------------------------------------------------
Aggregate Severity of All Issues  Critical
Included in This Update
----------------------------------------------------------------------------

Severity Rating:
----------------------------------------------------------------------------
                                  Internet Explorer 6 SP1  Internet Explorer
                                  for Windows Server 2003  6 SP1 for Windows
                                                           Server 2003
                                                           (64-Bit)
----------------------------------------------------------------------------
Cross-Domain Vulnerability        Moderate                 Moderate
----------------------------------------------------------------------------
Drag-and-Drop Operation           Moderate                 Moderate
Vulnerability
----------------------------------------------------------------------------
Improper URL Canonicalization     Important                Important
----------------------------------------------------------------------------
Aggregate Severity of All Issues  Important                Important
Included in This Update
----------------------------------------------------------------------------

The above assessment is based on the types of systems that are affected by
the vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier:
- Travel Log Cross Domain Vulnerability          CAN-2003-1026
- Function Pointer Drag and Drop Vulnerability   CAN-2003-1027
- Improper URL Canonicalization Vulnerability    CAN-2003-1025

Workarounds

Microsoft has tested the following workarounds that apply across both the
Travel Log Cross Domain Vulnerability CAN-2003-1026 and the Drag and Drop
Operation Vulnerability CAN-2003-1027.
These workarounds do not mitigate the Improper URL Canonicalization
Vulnerability CAN-2003-1025. These workarounds help block known attack
vectors. However, they will not correct the underlying vulnerabilities.
Workarounds may reduce functionality in some cases; in such cases, the
reduction in functionality is identified below.

Prompt before running ActiveX controls and active scripting in the Internet
zone and in the Local Intranet zone

You can help protect against these vulnerabilities by changing your settings
for the Internet security zone to prompt before running ActiveX controls. To
do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run
   ActiveX controls and plug-ins, click Prompt.
5. In the Scripting section, under Active Scripting, click Prompt, and then
   click OK.
6. Click Local intranet, and then click Custom Level.
7. Under Settings, in the ActiveX controls and plug-ins section, under Run
   ActiveX controls and plug-ins, click Prompt.
8. In the Scripting section, under Active Scripting, click Prompt.
9. Click OK two times to return to Internet Explorer.

Impact of Workaround: There are side effects to prompting before running
ActiveX controls. Many Web sites that are on the Internet or on an intranet
use ActiveX to provide additional functionality. For example, an online
e-commerce site or banking site may use ActiveX controls to provide menus,
ordering forms, or even account statements. Prompting before running ActiveX
controls is a global setting that affects all Internet and intranet sites. You
will be prompted frequently when you enable this workaround. For each prompt,
if you feel you trust the site that you are visiting, click Yes to run ActiveX
controls.
If you do not want to be prompted for all these sites, use the "Restrict Web
sites to only your trusted Web sites" workaround.

Restrict Web sites to only your trusted Web sites

After you set Internet Explorer to require a prompt before it runs ActiveX in
the Internet zone and in the Local Intranet zone, you can add sites that you
trust to Internet Explorer's Trusted sites zone. This will allow you to
continue to use trusted Web sites exactly as you do today, while helping to
protect you from this attack on untrusted sites. Microsoft recommends that
you only add sites that you trust to the Trusted sites zone. To do this,
follow these steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click
   the Security tab.
2. In the Select a Web content zone to specify its current security settings
   box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click
   to clear the Require server verification (https:) for all sites in this
   zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you
   trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.

Add any sites that you trust not to take malicious action on your computer.
One in particular that you may want to add is "*.windowsupdate.microsoft.com"
(without the quotes). This is the site that will host the update, and it
requires the use of an ActiveX control to install the update.

Impact of Workaround: For those sites that you have not configured to be in
your Trusted sites zone, their functionality will be impaired if they require
the use of ActiveX controls to function correctly. Adding sites to your
Trusted sites zone will allow them to be able to download the ActiveX control
that they require to function correctly. However, you should only add Web
sites you trust to the Trusted sites zone.
Install Outlook Email Security Update if you are using Outlook 2000 SP1 or
earlier

By default, the Outlook E-mail Security Update causes Outlook 98 and 2000 to
open HTML e-mail messages in the Restricted sites zone. By default, Outlook
Express 6.0, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the
Restricted sites zone. Customers who use any of these products are at reduced
risk from an e-mail-borne attack that tries to exploit this vulnerability,
unless the user clicks a malicious link in the e-mail message.

If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read
e-mail messages in plain text format to help protect yourself from the HTML
e-mail attack vector

Microsoft Outlook 2002 users who have applied Service Pack 1 or later and
Outlook Express 6.0 users who have applied Service Pack 1 or later can enable
a feature that will enable them to view all non-digitally-signed e-mail
messages or non-encrypted e-mail messages in plain text only.
Digitally-signed e-mail messages and encrypted e-mail messages are not
affected by the setting and may be read in their original formats.

Information about how to enable this setting in Outlook 2002 can be found in
the following Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;307594

Information about how to enable this setting in Outlook Express 6.0 can be
found in the following Knowledge Base article:
http://support.microsoft.com/?kbid=291387

Impact of Workaround: E-mail that is viewed in plain text format cannot
contain pictures, specialized fonts, animations, or other rich content.
Additionally:

- The changes are applied to the preview pane and to open messages.
- Pictures become attachments to avoid loss of message content.
- Because the message is still in Rich Text Format or in HTML format in the
  mail store, the object model (custom code solutions) may behave
  unexpectedly.
Workarounds and other mitigations for the Improper URL Canonicalization
Vulnerability CAN-2003-1025 can be found in Knowledge Base article 833786 -
"Steps that you can take to help identify and to help protect yourself from
deceptive (spoofed) Web sites and malicious hyperlinks". Microsoft has also
provided advice for consumers on how to avoid being tricked by spoof websites
on the Microsoft Security Web site.

Acknowledgments

Microsoft thanks Andreas Sandblad for reporting the Travel Log Cross Domain
Vulnerability CAN-2003-1026 and working with us to help protect customers.

Obtaining other security updates:

Updates for other security issues are available from the following locations:

- Security updates are available from the Microsoft Download Center, and can
  be most easily found by doing a keyword search for "security_patch".
- Updates for consumer platforms are available from the WindowsUpdate Web
  site.

Support:

- Technical support is available from Microsoft Product Support Services at
  1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for
  support calls that are associated with security updates.
- International customers can get support from their local Microsoft
  subsidiaries. There is no charge for support associated with security
  updates. Information on how to contact Microsoft support is available at
  the International Support Web Site.

Security Resources:

- The Microsoft TechNet Security Web Site provides additional information
  about security in Microsoft products.
- Microsoft Software Update Services
- Microsoft Baseline Security Analyzer (MBSA)
- Windows Update
- Windows Update Catalog: Please view Knowledge Base Article 323166 for more
  information on the Windows Update Catalog.
- Office Update

Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to quickly and
reliably deploy the latest critical updates and security updates to Windows®
2000 and Windows Server™ 2003-based servers, as well as to desktop computers
running Windows 2000 Professional or Windows XP Professional. For information
about how to deploy this security update with Software Update Services, visit
the Software Update Services Web site.

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security
update. For information about Systems Management Server visit the SMS Web
Site. For detailed information about the many enhancements to the security
update deployment process that SMS 2003 provides, please visit the SMS 2003
Security Patch Management Web site. For users of SMS 2.0, it also provides
several additional tools to assist administrators in the deployment of
security updates such as the SMS 2.0 Software Update Services Feature Pack
and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update
Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and
the Microsoft Office Detection Tool to provide broad support for security
bulletin remediation. Some software updates may require administrative rights
following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update Services
Feature Pack may be used for targeting updates to specific computers, and the
SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be
used for installation. This provides optimal deployment for updates that
require explicit targeting using Systems Management Server and administrative
rights after the computer has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind.
Microsoft disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose. In no
event shall Microsoft Corporation or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

Revisions:

- V1.0 February 2, 2003: Bulletin published.
- V1.1 February 3, 2004: Added FAQ and Prerequisites for Internet Explorer
  5.5 SP2. Updated Outlook mitigations in Technical Details.
- V1.2 February 4, 2004: Updated the Outlook mitigations in the Technical
  Details section.
- V1.3 February 5, 2004: Updated the MSXML information in the Technical
  Details section.
- V1.4 February 9, 2004: Updated the Caveats, Technical Details and
  Frequently Asked Question section with information regarding changes to
  Internet Explorer's protected store. Switched file version and name columns
  for pngfilt.dll in Internet Explorer 5.01 SP2 section of Security Update
  Information.

[***** End Microsoft Security Bulletin MS04-004 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-059: Debian Linux-Kernel-2.4.14-ia64 Vulnerabilities
O-060: Debian Password Expiration Vulnerability
O-061: Red Hat Updated tcpdump Packages Fix Various Vulnerabilities
O-062: CERT Advisory Multiple H.323 Message Vulnerabilities
O-063: Red Hat Elevated Privileges Vulnerability
O-064: HP 'rwrite' Utility Vulnerability
O-065: Security Vulnerabilities in ASN.1
O-066: Cisco - Voice Product Vulnerabilities on IBM Servers
O-067: Sun Vulnerability with Loading Arbitrary Kernel Modules
CIACTech04-001: Remote Detection of the MyDoom.A Worm