M-116: Microsoft Cumulative Patch for Internet Explorer

M-116: Microsoft Cumulative Patch for Internet Explorer Privacy and Legal Notice INFORMATION BULLETIN M-116: Microsoft Cumulative Patch for Internet Explorer [Microsoft Security Bulletin MS02-047] August 23, 2002 19:00 GMT


PROBLEM:	There are six new vulnerabilities in Internet Explorer. Buffer overrun in Gopher protocol handler Buffer overrun in ActiveX control XML file reading via Redirect File origin spoofing Cross domain verification in Object tag Cross-Site scripting variant in Local HTML Resource A description of each vulnerability, if exploitable, is provided within Microsoft's Security bulletin.
AFFECTED SOFTWARE:	Internet Explorer 5.01, 5.5, and 6.0.
DAMAGE:	The aggregate of severity is based on the types of systems affected by the vulnerability, their deployment patterns, and the effect that exploiting the vulnerability would have on them.
SOLUTION:	Apply appropriate patch for appropriate Internet Explorer version as prescribed by Microsoft.

VULNERABILITY ASSESSMENT:	The risk is MEDIUM. The most serious vulnerability could enable an attacker to execute commands on a user's system.

LINKS:
CIAC BULLETIN:	http://www.ciac.org/ciac/bulletins/m-116.shtml
ORIGINAL BULLETIN:	http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-047.asp
PATCHES:	http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

   
[***** Start Microsoft Security Bulletin MS02-047 *****]

Cumulative Patch for Internet Explorer (Q323759)

Originally posted: August 22, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Internet Explorer 

Impact of vulnerability: Six new vulnerabilities, the most serious of 
which could enable an attacker to execute commands on a user’s system. 

Maximum Severity Rating: Critical 

Recommendation: Customers should install the patch immediately. 

Affected Software: 

Microsoft Internet Explorer 5.01 
Microsoft Internet Explorer 5.5 
Microsoft Internet Explorer 6.0

Technical details 

Technical description: 

This is a cumulative patch that includes the functionality of all 
previously released patches for IE 5.01, 5.5 and 6.0. In addition, 
it eliminates the following six newly discovered vulnerabilities: 

A buffer overrun vulnerability affecting the Gopher protocol handler. 
This vulnerability was originally discussed in Microsoft Security 
Bulletin MS02-027, which provided workaround instructions while the 
patch provided here was being completed.

A buffer overrun vulnerability affecting an ActiveX control used to 
display specially formatted text. The control contains a buffer 
overrun vulnerability that could enable an attacker to run code on a
user’s system in the context of the user. 

A vulnerability involving how Internet Explorer handles an HTML 
directive that displays XML data. By design, the directive should 
only allow XML data from the web site itself to be displayed. However, 
it does not correctly check for the case where a referenced XML data 
source is in fact redirected to a data source in a different domain. 
This flaw could enable an attacker’s web page to open an XML-based 
files residing a remote system within a browser window that the site 
could read, thereby enabling the attacker to read contents from 
websites that users had access to but the attacker was not able to 
navigate to. 

A vulnerability involving how Internet Explorer represents the origin 
of a file in the File Download Dialogue box. This flaw could enable 
an attacker to misrepresent the source of a file offered for download 
in an attempt to fool users into accepting a file download from an 
untrusted source believing it to be coming from a trusted source. 

A Cross Domain verification vulnerability that occurs because of 
improper domain checking in conjunction with the Object tag. As a 
result, the vulnerability could enable a malicious web site operator 
to access data across different domains, for example one in a web 
site’s domain and the other on the user’s local file system and then 
pass information from the latter to the former. This could enable the 
web site operator to read, but not change, any file on the user’s 
local computer that could be viewed n a browser window. In addition, 
this can also enable an attacker to invoke, but not pass parameters to, 
an executable on the local system, much like the "Local Executable
Invocation via Object tag" vulnerability discussed in MS02-015. 

A newly reported variant of the "Cross-Site Scripting in Local HTML 
Resource" vulnerability originally discussed in Microsoft Security 
Bulletin MS02-023. Like the original vulnerability, this variant could 
enable an attacker to create a web page that, when opened, would run 
in the Local Computer zone, allowing it to run with fewer restrictions 
than it would in the Internet Zone.

In addition, the patch sets the Kill Bit on the MSN Chat ActiveX 
control discussed in Microsoft Security Bulletin MS02-022 as well 
as the TSAC ActiveX control discussed in Microsoft Security 
Bulletin MS02-046. This has been done to ensure that vulnerable 
controls cannot be introduced onto users’ systems. Customers who 
use the MSN Chat control should ensure that they have applied the 
updated version of the control discussed in MS02-022 and customers 
who use the TSAC control should ensure that they have applied the 
updated version of the control discussed in MS02-046 . 


Mitigating factors: 

Buffer Overrun in Gopher Protocol Handler: 

The vulnerability would provide the attacker with user’s own 
privileges on the system. Customers who run with fewer than full 
privileges on the system would therefore be at lower risk.

Buffer Overrun in Legacy Text Formatting ActiveX Control: 

The vulnerable ActiveX control is not installed by default as 
part of a current version of IE. Upon learning of the vulnerability, 
Microsoft removed the download from its site to minimize the 
likelihood that users would have the control on their systems. 
The vulnerability would provide the attacker with the user’s own 
privileges on the system. Customers who run with fewer than full 
privileges on the system would therefore be at lower risk. 
Customers who use Outlook Express 6.0 or Outlook 2002 (or 
Outlook 98 or 2000 in conjunction with the Outlook Email Security 
Update) would by default by protected against email-borne attacks 
via this vulnerability unless they specifically clicked a link 
within the email message.

XML File Reading via Redirect: 

The vulnerability only provides a capability to read XML-based 
files that they know the complete path to. 
The vulnerability could not be used to add, change or delete 
files. 
Customers who use Outlook Express 6.0 or Outlook 2002 
(or Outlook 98 or 2000 in conjunction with the Outlook Email 
Security Update) would by default by protected against 
email-borne attacks via this vulnerability.

File Origin spoofing: 

The vulnerability does not give an attacker the means to place 
or run executables directly on the system: user interaction is 
required in a successful attack.

Cross Domain Verification in Object Tag: 

The vulnerability would not enable the attacker to pass any 
parameters to an executable program.
Microsoft is not aware of any programs installed by default 
in any version of Windows that, when called with no parameters, 
could be used to compromise the system. 
An attacker could only invoke a file on the victim’s local 
machine. The vulnerability could not be used to execute a program 
on a remote share or web site. 
The vulnerability would not provide any way for an attacker to 
put a program of his choice onto another user’s system. 
An attacker would need to know the name and location of any 
file on the system to successfully invoke it. 
The vulnerability could only be used to view or invoke files. 
It could not be used to create, delete, or modify them. 
The vulnerability would only allow an attacker to read files 
that can be rendered in a browser window, such as image files, 
HTML files and text files. Other file types, such as binary files,
executable files, Word documents, and so forth, could not be read. 
Outlook 98 and 2000 (after installing the Outlook Email Security 
Update), Outlook 2002, and Outlook Express 6 all open HTML mail 
in the Restricted Sites Zone. As a result, customers using
these products would not be at risk from email-borne attacks.

Variant of Cross-Site Scripting in Local HTML Resource: 

Outlook 98 and 2000 (after installing the Outlook Email Security 
Update), Outlook 2002, and Outlook Express 6 all open HTML mail in 
the Restricted Sites Zone. As a result, customers using these 
products would not be at risk from automated email-borne attacks. 
However, these customers can still be attacked if they choose to 
click on a hyperlink in a malicious HTML email. 
Customers using Outlook 2002 SP1 who have enabled the "Read as 
Plain Text" feature would be immune from the HTML email attack. 
This is because this feature disables all HTML elements, including 
scripting, from mail when it is displayed. 
Any limitations on the rights of the user's account would also 
limit the actions of the attacker's script. 
Customers who exercise caution in what web sites they visit or 
who place unknown or untrusted sites in the Restricted Sites zone 
can potentially protect themselves from attempts to exploit this
issue on the web.

Severity Rating: 

Buffer Overrun in Gopher Protocol Handler: 
                       Internet Servers Intranet Servers Client Systems
Internet Explorer 5.01        Low            Low           Critical
Internet Explorer 5.5         Low            Low           Critical
Internet Explorer 6.0         Low            Low           Critical


Buffer Overrun in Legacy Text Formatting ActiveX Control: 
                       Internet Servers Intranet Servers Client Systems
Internet Explorer 5.01        Low            Low           Critical
Internet Explorer 5.5         Low            Low           Critical
Internet Explorer 6.0         Low            Low           Critical


XML File Reading via Redirect: 
                       Internet Servers Intranet Servers Client Systems
Internet Explorer 5.01        Low            Low           Moderate
Internet Explorer 5.5         Low            Low           Moderate
Internet Explorer 6.0         Low            Low           Moderate


File Origin Spoofing: 
                       Internet Servers Intranet Servers Client Systems
Internet Explorer 5.01        Moderate     Moderate         Moderate
Internet Explorer 5.5         Moderate     Moderate         Moderate
Internet Explorer 6.0         Moderate     Moderate         Moderate


Cross Domain Verification in Object Tag: 
                       Internet Servers Intranet Servers Client Systems
Internet Explorer 5.01        None         None             None
Internet Explorer 5.5         Moderate     Moderate         Critical
Internet Explorer 6.0         Moderate     Moderate         Critical


Variant of Cross-Site Scripting in Local HTML Resource: 
                       Internet Servers Intranet Servers Client Systems
Internet Explorer 5.01        Low           Low             Moderate
Internet Explorer 5.5         Low           Low             Moderate
Internet Explorer 6.0         None          None            None 


Aggregate Severity of all issues included in this patch (including 
issues addressed in previously released patches): 
                       Internet Servers Intranet Servers Client Systems
Internet Explorer 5.01    Moderate         Moderate        Critical
Internet Explorer 5.5     Critical         Critical        Critical
Internet Explorer 6.0     Critical         Critical        Critical 



The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifiers: 

Buffer Overrun in Gopher Protocol Handler: CAN-2002-0646 
Buffer Overrun in Legacy Text Formatting ActiveX Control: CAN-2002-0647 
XML File Reading via Redirect: CAN-2002-0648 
File Origin Spoofing: CAN-2002-0722 
Cross Domain Verification in Object Tag: CAN-2002-0723 
Variant of Cross-Site Scripting in Local HTML Resource: CAN-2002-0691

Tested Versions:

The following table indicates which of the currently supported 
versions of Internet Explorer are affected by the vulnerabilities. 
Versions of IE prior to 5.01 Service Pack 2 are no longer eligible for 
hotfix support. IE 5.01 SP2 is supported only on Windows® 2000.
                                IE 5.01   IE 5.5    IE 5.5    IE 6.0
                                SP2       SP1       SP2       SP1
Buffer Overrun in Gopher        Yes       Yes       Yes       Yes
Protocol Handler
(CAN-2002-0646)

Buffer Overrun in Legacy Text   Yes       Yes       Yes       Yes
Formatting ActiveX Control 
(CAN-2002-0647)
                     
XML File Reading via Redirect   Yes       Yes       Yes       Yes
(CAN-2002-0648)
                                                  
File Origin Spoofing            Yes       Yes       Yes       Yes
(CAN-2002-0722):
                                                   
Cross Domain Verification       No        Yes       Yes       Yes
in Object Tag
(CAN-2002-0723)
                                                     
Variant of Cross-Site           Yes       Yes       Yes       No
Scripting in Local HTML
Resource (CAN-2002-0691)

Patch availability

Download locations for this patch 

http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

Additional information about this patch 

Installation platforms: 

The IE 5.01 patch can be applied to Windows 2000 Systems with Service 
Pack 2 running IE 5.01 or with Service Pack 3 running IE 5.01. 
The IE 5.5 patch can be installed on systems running IE 5.5 Service 
Pack 1 or Service Pack 2. 
The IE 6.0 patch can be installed on system running IE 6.0 Gold.

Inclusion in future service packs:

The fixes for these issues will be included in IE 6.0 Service Pack 1. 
The fixes for the issues affecting IE 5.01 Service Pack 2 and Service Pack 3 
will be included in Windows 2000 Service Pack 4.

Reboot needed: Yes 

Patch can be uninstalled: No 

Superseded patches:
This patch supersedes the one provided in Microsoft Security Bulletin MS02-023, 
which is itself a cumulative patch, and the workaround discussed in Microsoft 
Security Bulletin MS02-027. 

Verifying patch installation: 

To verify that the patch has been installed on the machine, open IE, select 
Help, then select About Internet Explorer and confirm that Q323759 is listed 
in the Update Versions field. 
To verify the individual files, use the patch manifest provided in 
Knowledge Base article Q323759.

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in 
"Patch Availability". 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be 
most easily found by doing a keyword search for "security_patch". 
Patches for consumer platforms are available from the WindowsUpdate web site 
All patches available via WindowsUpdate also are available in a redistributable 
form from the WindowsUpdate Corporate site.

Other information: 

Acknowledgments

Microsoft thanks  the following people for working with us to protect customers: 

GreyMagic Software for reporting the XML File Reading via Redirect vulnerability. 
Mark Litchfield of Next Generation Security Software Ltd. for reporting the Buffer 
Overrun in Legacy Text Formatting ActiveX Control vulnerability. 
Jouko Pynnonen of Oy Online Solutions Ltd for reporting the File Origin Spoofing 
vulnerability.

Support: 

Microsoft Knowledge Base article Q323759 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. Knowledge 
Base articles can be found on the Microsoft Online Support web site. 
Technical support is available from Microsoft Product Support Services. 
There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either express 
or implied, including the warranties of merchantability and fitness for a 
particular purpose. In no event shall Microsoft Corporation or its suppliers be 
liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if Microsoft 
Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. 

Revisions: 

V1.0 (August 22, 2002): Bulletin Created.

[***** End Microsoft Security Bulletin MS02-047 *****]

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the information contained in this bulletin.

DOE-CIRC can be contacted at:

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/