Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Browsers :: n-021.txt

Microsoft Cumulative Patch IE (CIAC N-021)




             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                     Cumulative Patch for Internet Explorer
                     [Microsoft Security Bulletin MS02-068]

December 5, 2002 21:00 GMT                                        Number N-021
______________________________________________________________________________
PROBLEM:       In addition to including the functionality of all previously 
               released patches for Internet Explorer 5.5 and 6.0, this patch 
               also eliminates a newly discovered flaw in Internet Explorer's 
               cross-domain security model. 
PLATFORM:      Internet Explorer 5.5 and 6.0 
DAMAGE:        Exploiting the vulnerability could enable an attacker to read, 
               but not change, any file on the userís local computer. In 
               addition, an attacker could invoke an executable that is 
               already present on the local system.
SOLUTION:      Apply available patches. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM.  The web-based attack scenario would 
ASSESSMENT:    provide no way for the attacker to force users to visit the 
               site. Instead, the attacker would need to lure them there, 
               typically by getting them to click on a link.
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-021.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/default.asp?
                     url=/technet/security/bulletin/MS02-068.asp 
 PATCHES:                                                                     
                     http://www.microsoft.com/windows/ie/downloads/critical
                     /q324929/default.asp 
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS02-068 *****]

Microsoft Security Bulletin MS02-068


Cumulative Patch for Internet Explorer (324929)
Originally posted: December 04, 2002



Summary
Who should read this bulletin: Customers using Microsoftģ Internet Explorer 

Impact of vulnerability: Information Disclosure 

Maximum Severity Rating: Moderate 

Recommendation: Customers should consider deploying the patch. 

Affected Software: 

  Microsoft Internet Explorer 5.5 
  Microsoft Internet Explorer 6.0 

End User Bulletin: An end user version of this bulletin is available at: 
http://www.microsoft.com/security/security_bulletins/ms02-068.asp 



Technical details

Technical description: 


This is a cumulative patch for Internet Explorer 5.5 and 6.0. In addition to including 
the functionality of all previously released patches for Internet Explorer 5.5 and 
6.0, it also eliminates a newly discovered flaw in Internet Explorer's cross-domain 
security model. This flaw occurs because the security checks that Internet Explorer 
carries out when particular object caching techniques are used in web pages are 
incomplete. This could have the effect of allowing a website in one domain to access 
information in another, including the userís local system. 

Exploiting the vulnerability could enable an attacker to read, but not change, any 
file on the userís local computer. In addition, the attacker could invoke an 
executable that was already present on the local system. The attacker would need to 
know the exact location of the executable, and would not be able to pass parameters to 
it. Microsoft is not aware of any executable that ships by default as part of Windows 
and, when run without parameters, could be dangerous. 

An attacker could exploit the vulnerability by constructing a web page that uses a 
cached programming technique, and could then either host it on a web site or send it 
to a user via email. In the case of the web-based attack vector the page could be 
automatically opened when a user visited the site In the case of the HTML mail-based 
attack vector, the page could be opened when the recipient opened the mail or viewed 
it using the Preview pane. 

Mitigating factors: 

Internet Explorer 5.01 is not affected by this vulnerability. 

The web-based attack scenario would provide no way for the attacker to force users to 
visit the site. Instead, the attacker would need to lure them there, typically by 
getting them to click on a link that would take them to the attacker's site. 

The HTML mail-based attack scenario would be blocked by Outlook Express 6.0 and 
Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in 
conjunction with the Outlook Email Security Update. 

The vulnerability would allow an attacker to read but not add, delete or modify files 
on the userís local system. 

The attacker would need to know the name and location of any file on the system to 
successfully invoke it. If invoked, there would be no way for an attacker to pass 
parameters to that executable. 

This vulnerability does not provide any way for an attacker to put a program of their 
choice onto another userís system. 


Severity Rating: 
  Internet Explorer 5.01       None 
  Internet Explorer 5.5        Moderate 
  Internet Explorer 6.0        Moderate 
The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. 

Vulnerability identifier: CAN-2002-1262 

Tested Versions:
Internet Explorer versions 5.5, and 6.0 were tested for these vulnerabilities. 
Internet Explorer 5.01 is not affected by this vulnerability. More information on 
Windows Operating System Components Lifecycles is available from: 
http://microsoft.com/windows/lifecycle/desktop/consumer/components.mspx. 



Patch availability

Download locations for this patch 
http://www.microsoft.com/windows/ie/downloads/critical/q324929/default.asp 



Additional information about this patch

Installation platforms: 

  The IE 5.5 patch can be installed on systems running Service Pack 2. 

  The IE 6.0 patch can be installed on systems running IE 6.0 Gold or Service Pack 1. 

Inclusion in future service packs:
The fix for this issue will be included in Internet Explorer 6.0 Service Pack 2. 

Reboot needed: Yes 

Patch can be uninstalled: No 

Superseded patches: This patch supersedes the one provided in Microsoft Security 
Bulletin MS02-066, which is itself a cumulative patch. 


Verifying patch installation: 

To verify that the patch has been installed on the machine, open IE, select Help, then 
select About Internet Explorer and confirm that Q324929 is listed in the Update 
Versions field. 

To verify the individual files, use the patch manifest provided in Knowledge Base 
article Q324929. 


Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in "Patch 
Availability". 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be most 
easily found by doing a keyword search for "security_patch". 
Patches for consumer platforms are available from the WindowsUpdate web site 


Other information: 
Support: 

Microsoft Knowledge Base article 324929 discusses this issue and will be available 
approximately 24 hours after the release of this bulletin. Knowledge Base articles can 
be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There is no 
charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 


Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. In 
no event shall Microsoft Corporation or its suppliers be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, loss of business 
profits or special damages, even if Microsoft Corporation or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. 

Revisions: 


V1.0 (December 04, 2002): Bulletin Created. 


[***** End Microsoft Security Bulletin MS02-068 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-012: Windows 2000 Default Permissions Could Allow Trojan Horse Program
N-013: ISC Remote Vulnerabilities in BIND4 and BIND8
N-014: Trojan Horse tcpdump and libpcap Distributions
N-015: SGI IRIX lpd Daemon Vulnerabilities via sendmail and dns
N-016: Buffer Overrun in Microsoft Data Access Components (MDAC)
N-017: Cisco PIX Multiple Vulnerabilities
N-018: Microsoft Cumulative Patch for Internet Explorer
N-019: Samba Encrypted Password Buffer Overrun Vulnerability
N-020: Red Hat Multiple Vulnerabilities in KDE





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH