M-041: Microsoft Internet Explorer Cumulative Patch

CIAC INFORMATION BULLETIN

M-041: Microsoft Internet Explorer Cumulative Patch

[Microsoft Security Bulletin MS02-005]

February 12, 2002 18:00 GMT

PROBLEM: Six vulnerabilities have been found in Internet Explorer, the most serious of which allows an intruder to remotely run code on another user's system.
PLATFORM: Windows Platforms with Internet Explorer 5.01 SP2, 5.5 SP1 and SP2, or 6.0.
DAMAGE: Depending on the vulnerability, an intruder can read or execute files on a client system and possibly get remote access to the system.
SOLUTION: Apply the 11 February 2002 Cumulative Patch for Internet Explorer available on the Microsoft Windows Update website.

VULNERABILITY
ASSESSMENT:
The risk is HIGH. Remote users can run code on a client's system and possibly get user access on that system.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-041.shtml
  ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-005.asp
  PATCHES: http://windowsupdate.microsoft.com

[***** Start Microsoft Security Bulletin MS02-005 *****]

Microsoft Security Bulletin MS02-005

11 February 2002 Cumulative Patch for Internet Explorer
Originally posted: February 11, 2002 

Summary

	Who should read this bulletin: Customers using Microsoft(r) Internet 
Explorer 

	Impact of vulnerability: Six vulnerabilities, the most serious of which 
	could allow an attacker to run code on another user's system. 

	Maximum Severity Rating: Critical 

	Recommendation: Customers using an affected version of IE should install 
	the patch immediately. 

	Affected Software: 
		Microsoft Internet Explorer 5.01 
		Microsoft Internet Explorer 5.5 
		Microsoft Internet Explorer 6.0 


Technical details

	Technical description: 

	This is a cumulative patch that, when installed, eliminates all previously 
	discussed security vulnerabilities affecting IE 5.01, 5.5 and IE 6. In 
	addition, it eliminates the following six newly discovered 
	vulnerabilities: 

	A buffer overrun vulnerability associated with an HTML directive that's 
	used to incorporate a document within a web page. By creating a web page 
	that invokes the directive using specially selected attributes, an 
	attacker could cause code to run on the user's system. 

	A vulnerability associated with the GetObject scripting function. Before 
	providing a handle to an operating system object, GetObject performs a 
	series of security checks to ensure that the caller has sufficient 
	privileges to it. However, by requesting a handle to a file using a 
	specially malformed representation, it would be possible to bypass some 
	of these checks, thereby allowing a web page to complete an operation 
	that should be prevented, namely, reading files on the computer of a 
	visiting user's system. 

	A vulnerability related to the display of file names in the File 
	Download dialogue box. When a file download from a web site is 
	initiated, a dialogue provides the name of the file and lets the user 
	choose what action to take. However, a flaw exists in the way HTML 
	header fields (specifically, the Content-Disposition and Content-Type 
	fields) are handled. This flaw could make it possible for an attacker to 
	misrepresent the name of the file in the dialogue, in an attempt to 
	trick a user into opening or saving an unsafe file. 

	A vulnerability that could allow a web page to open a file on the web 
	site, using any application installed on a user's system. By design, IE 
	should only open a file on a web site using the application that's 
	registered to that type of file, and even then only if it's on a list of 
	safe applications. However, through a flaw in the handling of the 
	Content-Type HTML header field, an attacker could circumvent this 
	restriction, and specify the application that should be invoked to 
	process a particular file. IE would comply, even if the application was 
	listed as unsafe. 

	A vulnerability that could enable a web page to run a script even if the 
	user has disabled scripting. IE checks for the presence of scripts when 
	initially rendering a page. However, the capability exists for objects 
	on a page to respond to asynchronous events; by misusing this capability 
	in a particular way, it could be possible for a web page to fire a 
	script after the page has passed the initial security checks. 

	A newly discovered variant of the "Frame Domain Verification" 
	vulnerability discussed in Microsoft Security Bulletin MS01-058. The 
	vulnerability could enable a malicious web site operator to open two 
	browser windows, one in the web site's domain and the other on the 
	user's local file system, and to use the Document.open function to pass 
	information from the latter to the former. This could enable the web 
	site operator to read, but not change, any file on the user's local 
	computer that could be opened in a browser window. In addition, this 
	could be used to misrepresent the URL in the address bar in a window 
	opened from their site. 
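The third and fourth items above both hinge on what the server sends in the Content-Type and Content-Disposition response headers. As an added example (not part of the bulletin), this is a gateway-side sanity check that flags a download whose advertised file name and declared media type disagree, or whose name ends in an executable extension; the executable-extension list and the sample responses are constructed for the demo.

```python
# Added example, not part of the bulletin: a proxy- or gateway-side sanity
# check on the Content-Type and Content-Disposition response headers that
# the bulletin says IE 5.01-6.0 used to name a download and pick its handler.
import mimetypes
import os
from email.parser import HeaderParser
from typing import List

# Extensions Windows hands straight to a program loader; a constructed list.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".hta"}


def analyse_download_headers(raw_headers: str) -> List[str]:
    """Return findings for one HTTP response header block (status line removed).

    An empty list means the advertised file name and media type agree and
    the name does not end in an executable extension.
    """
    msg = HeaderParser().parsestr(raw_headers)
    declared = msg.get_content_type()   # 'type/subtype', lower-cased; params dropped
    filename = msg.get_filename()       # filename= parameter of Content-Disposition
    findings: List[str] = []
    if filename is None:                # nothing offered as a download
        return findings
    if any(ord(ch) < 32 for ch in filename):
        findings.append("filename contains control characters")
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTS:
        findings.append(f"filename ends in executable extension {ext}")
    # What the extension is registered as, versus what the server declared.
    expected, _ = mimetypes.guess_type(filename)
    if expected and expected != declared:
        findings.append(f"Content-Type {declared} disagrees with {ext} ({expected})")
    return findings


# Constructed sample responses (header lines only, status line stripped).
CONSISTENT = (
    "Content-Type: text/plain; charset=us-ascii\r\n"
    'Content-Disposition: attachment; filename="readme.txt"\r\n\r\n'
)
MISMATCHED = (
    "Content-Type: application/pdf\r\n"
    'Content-Disposition: attachment; filename="notes.txt"\r\n\r\n'
)

if __name__ == "__main__":
    for label, hdrs in (("consistent", CONSISTENT), ("mismatched", MISMATCHED)):
        print(label, analyse_download_headers(hdrs) or ["no findings"])
```

The expected media type comes from the local mimetypes database, so a deployment should pin its own extension-to-type map rather than trust whatever the host's /etc/mime.types says.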

Mitigating factors: 

Buffer Overrun in HTML Directive: 

	The vulnerability could not be exploited if the "Run ActiveX Controls 
	and Plugins" security option were disabled in the Security Zone in which 
	the page was rendered. This is the default condition in the Restricted 
	Sites Zone, and can be disabled manually in any other Zone. 

	Outlook 98 and 2000 (after installing the Outlook Email Security 
	Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the 
	Restricted Sites Zone. As a result, customers using these products would 
	not be at risk from email-borne attacks. 

	The buffer overrun would allow code to run in the security context of 
	the user rather than the system. The specific privileges the attacker 
	could gain through this vulnerability would therefore depend on the 
	privileges accorded to the user. 

File Reading via GetObject function: 

	This vulnerability could only be used to read files. It could not be 
	used to create, change, delete, or execute them. 

	The attacker would need to know the name and location of the file on the 
	user's computer. 

	Some files that would be of interest to an attacker - most notably, the 
	SAM Database - are locked by the operating system and therefore could 
	not be read even using this vulnerability. 

	The email-borne attack scenario would be blocked if the user were using 
	any of the following: Outlook 98 or 2000 with the Outlook Email Security 
	Update installed; Outlook 2002; or Outlook Express 6. 

	The web-based attack scenario could be blocked by judicious use of the 
	IE Security Zones mechanism such as using the Restricted Sites zone. 
	
File Download Dialogue Spoofing via Content-Type and Content-Disposition fields: 

	Exploiting this vulnerability would not give an attacker the ability to 
	force code to run on a user's system. It would only enable the attacker 
	to misrepresent the file name and type in the File Download dialogue. 
	The download operation would not occur without the user's approval, and 
	the user could cancel at any time. 

	The vulnerability could not be exploited if File Downloads have been 
	disabled in the Security Zone in which the e-mail is rendered. This is 
	not a default setting in any zone, however. 

	On versions of IE prior to 6.0, the default selection in the file 
	download dialogue is to save, rather than open, the file. (In IE 6.0, 
	the default is to open the file; however, this behavior is 
	inappropriate, and the patch changes IE 6.0 to conform with the behavior 
	of previous versions). 

Application invocation via Content-Type field: 

	An attacker could only exploit this vulnerability if the application 
	specified through the Content-Type field was actually installed on the 
	user's system. 

	The vulnerability does not provide any way for the attacker to inventory 
	the applications installed on the user's system and select one, nor does 
	it provide any way to force the user to install a particular 
	application. 

	The vulnerability would not provide any way to circumvent the security 
	features of the application or to reconfigure it. 

	Outlook 2002 users who have configured Outlook to render HTML mail as 
	plaintext would be at no risk from attack through HTML mail. 

Script execution: 

	This vulnerability extends only to allowing scripts to run - it does not 
	allow any other security restrictions to be bypassed. So, for instance, 
	although an attacker could use this vulnerability to run a script, the 
	script would still be subject to all other expected security settings. 

Frame Domain Verification Variant via Document.Open function: 

	The vulnerability could only be used to view files. It could not be used 
	to create, delete, modify or execute them. 

	The vulnerability would only allow an attacker to read files that can be 
	opened in a browser window, such as image files, HTML files and text 
	files. Other file types, such as binary files, executable files, Word 
	documents, and so forth, could not be read. 

	The attacker would need to specify the exact name and location of the 
	file in order to read it. 


Severity Rating:

Buffer Overrun in HTML Directive: 

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    None               None               None
Internet Explorer 5.5     Critical           Critical           Critical
Internet Explorer 6.0     Critical           Critical           Critical

File Reading via GetObject function: 

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    Moderate           Moderate           Critical
Internet Explorer 5.5     Moderate           Moderate           Critical
Internet Explorer 6.0     Moderate           Moderate           Critical

File Download Dialogue Spoofing via Content-Type and Content-ID fields: 

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    Moderate           Moderate           Moderate
Internet Explorer 5.5     Moderate           Moderate           Moderate
Internet Explorer 6.0     Moderate           Moderate           Moderate

Application Invocation via Content-Type field: 

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    Moderate           Moderate           Moderate
Internet Explorer 5.5     Moderate           Moderate           Moderate
Internet Explorer 6.0     Moderate           Moderate           Moderate

Script Execution: 

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    None               None               None
Internet Explorer 5.5     Moderate           Moderate           Moderate
Internet Explorer 6.0     Moderate           Moderate           Moderate

Frame Domain Verification Variant via Document.open function: 

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    None               None               None
Internet Explorer 5.5     Moderate           Moderate           Critical
Internet Explorer 6.0     Moderate           Moderate           Critical

Aggregate severity of all vulnerabilities eliminated by patch: 

                          Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.01    Moderate           Moderate           Critical
Internet Explorer 5.5     Critical           Critical           Critical
Internet Explorer 6.0     Critical           Critical           Critical

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 


Vulnerability identifier: 

	Buffer overrun: CAN-2002-0022 

	File reading via GetObject function: CAN-2002-0023 

	File download spoofing via Content-Type and Content-ID fields: CAN-2002-0024 

	Application Invocation via Content-Type field: CAN-2002-0025 

	Script execution: CAN-2002-0026 

	Frame Domain Verification Variant via Document.open function: CAN-2002-0027 



Patch availability

Download locations for this patch 
http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp

 Additional information about this patch

Installation platforms: 

	The IE 5.01 patch can be applied to Windows 2000 Systems with Service 
	Pack 2 running IE 5.01. 

	The IE 5.5 patch can be installed on systems running IE 5.5 Service Pack 
	1 or Service Pack 2. 

	The IE 6.0 patch can be installed on systems running IE 6.0 Gold. 

Inclusion in future service packs: 

	The fixes for these issues will be included in IE 6.0 Service Pack 1. 

	The fixes for the issues affecting IE 5.01 Service Pack 2 will be 
	included in Windows 2000 Service Pack 3. 

Reboot needed: 
Yes 

Superseded patches:

	This patch supersedes the one provided in Microsoft Security Bulletin 
	MS01-058, which is itself a cumulative patch. 

Verifying patch installation: 

	To verify that the patch has been installed on the machine, open IE, 
	select Help, then select About Internet Explorer and confirm that 
	Q316059 is listed in the Update Versions field. 

	To verify the individual files, use the patch manifest provided in 
	Knowledge Base article Q316059. 
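The About dialog check above does not scale across a fleet. As an added example (not part of the bulletin), the script below performs the same check from the registry; it assumes that the "Update Versions" field is backed by the MinorVersion string value under HKLM\SOFTWARE\Microsoft\Internet Explorer, stored as a ';'-separated list, and the fallback sample string is constructed.

```python
# Added example, not part of the bulletin: check the "Update Versions" list that
# IE's About dialog shows, but from a script. Assumption: the About dialog reads
# that list from the MinorVersion value under
# HKLM\SOFTWARE\Microsoft\Internet Explorer, stored as a ';'-separated string.
import sys
from typing import List

IE_KEY = r"SOFTWARE\Microsoft\Internet Explorer"   # assumed location, see above
MS02_005_FIX = "Q316059"                           # KB number from the bulletin


def parse_update_versions(value: str) -> List[str]:
    """Split the raw Update Versions string into normalised, non-empty tokens."""
    return [tok.strip().upper() for tok in value.split(";") if tok.strip()]


def has_fix(update_versions: str, q_number: str = MS02_005_FIX) -> bool:
    """True if q_number appears among the installed IE updates."""
    return q_number.upper() in parse_update_versions(update_versions)


def read_update_versions() -> str:
    """Read the live value on Windows; raises on other platforms."""
    if sys.platform != "win32":
        raise OSError("registry lookup only works on Windows")
    import winreg  # imported lazily so the parser above works anywhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "MinorVersion")
    return value


if __name__ == "__main__":
    # Off Windows, fall back to a constructed sample so the logic can be exercised.
    raw = read_update_versions() if sys.platform == "win32" else "0;SP1;Q316059"
    print("Update Versions:", raw)
    print("MS02-005 patch (Q316059) present:", has_fix(raw))
```

A matching entry only shows the patch was registered; the file-level manifest in Q316059 remains the authoritative check if the entry is present but behaviour suggests otherwise.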

Caveats: 
None 

Localization: 
Localized versions of this patch are available at the locations discussed 
in "Patch Availability" 

Obtaining other security patches:  
Patches for other security issues are available from the following 
locations: 

	Security patches are available from the Microsoft Download Center, and 
	can be most easily found by doing a keyword search for "security_patch". 

	Patches for consumer platforms are available from the WindowsUpdate web 
	site 

	All patches available via WindowsUpdate also are available in a 
	redistributable form from the WindowsUpdate Corporate site. 


Other information: 

Acknowledgments 
Microsoft thanks the following people for working with us to protect 
customers: 

	The dH team and SECURITY.NNOV team for reporting the buffer overrun 
	vulnerability. 

	Sandro Gauci of GFI security labs (http://www.gfi.com) for reporting the 
	application invocation vulnerability. 

Support: 

	Microsoft Knowledge Base articles Q316059, Q317727, Q317726, Q317745, 
	Q317729, and Q317742 discuss these issues and will be available 
	approximately 24 hours after the release of this bulletin. Knowledge 
	Base articles can be found on the Microsoft Online Support web site. 

	Technical support is available from Microsoft Product Support Services. 
	There is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides 
additional information about security in Microsoft products. 

Disclaimer:  
The information provided in the Microsoft Knowledge Base is provided "as 
is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Microsoft Corporation 
or its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions: 

	V1.0 (February 11, 2002): Bulletin Created. 

[***** End Microsoft Security Bulletin MS02-005 *****]


CIAC wishes to acknowledge the contributions of Microsoft Security Team for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/