INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | In addition to including the functionality of all previously released patches for Internet Explorer 5.5 and 6.0, this patch also eliminates a newly discovered flaw in Internet Explorer's cross-domain security model. |
| PLATFORM: | Internet Explorer 5.5 and 6.0 |
| DAMAGE: | Exploiting the vulnerability could enable an attacker to read, but not change, any file on the user’s local computer. In addition, an attacker could invoke an executable that is already present on the local system |
| SOLUTION: | Apply available patches. |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. The web-based attack scenario would provide no way for the attacker to force users to visit the site. Instead, the attacker would need to lure them there, typically by getting them to click on a link. |
[***** Start Microsoft Security Bulletin MS02-068 *****] Microsoft Security Bulletin MS02-068 Cumulative Patch for Internet Explorer (324929) Originally posted: December 04, 2002 Summary Who should read this bulletin: Customers using Microsoft® Internet Explorer Impact of vulnerability: Information Disclosure Maximum Severity Rating: Moderate Recommendation: Customers should consider deploying the patch. Affected Software: Microsoft Internet Explorer 5.5 Microsoft Internet Explorer 6.0 End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms02-068.asp Technical details Technical description: This is a cumulative patch for Internet Explorer 5.5 and 6.0. In addition to including the functionality of all previously released patches for Internet Explorer 5.5 and 6.0, it also eliminates a newly discovered flaw in Internet Explorer's cross-domain security model. This flaw occurs because the security checks that Internet Explorer carries out when particular object caching techniques are used in web pages are incomplete. This could have the effect of allowing a website in one domain to access information in another, including the user’s local system. Exploiting the vulnerability could enable an attacker to read, but not change, any file on the user’s local computer. In addition, the attacker could invoke an executable that was already present on the local system. The attacker would need to know the exact location of the executable, and would not be able to pass parameters to it. Microsoft is not aware of any executable that ships by default as part of Windows and, when run without parameters, could be dangerous. An attacker could exploit the vulnerability by constructing a web page that uses a cached programming technique, and could then either host it on a web site or send it to a user via email. In the case of the web-based attack vector the page could be automatically opened when a user visited the site In the case of the HTML mail-based attack vector, the page could be opened when the recipient opened the mail or viewed it using the Preview pane. Mitigating factors: Internet Explorer 5.01 is not affected by this vulnerability. The web-based attack scenario would provide no way for the attacker to force users to visit the site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site. The HTML mail-based attack scenario would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update. The vulnerability would allow an attacker to read but not add, delete or modify files on the user’s local system. The attacker would need to know the name and location of any file on the system to successfully invoke it. If invoked, there would be no way for an attacker to pass parameters to that executable. This vulnerability does not provide any way for an attacker to put a program of their choice onto another user’s system. Severity Rating: Internet Explorer 5.01 None Internet Explorer 5.5 Moderate Internet Explorer 6.0 Moderate The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Vulnerability identifier: CAN-2002-1262 Tested Versions: Internet Explorer versions 5.5, and 6.0 were tested for these vulnerabilities. Internet Explorer 5.01 is not affected by this vulnerability. More information on Windows Operating System Components Lifecycles is available from: http://microsoft.com/windows/lifecycle/desktop/consumer/components.mspx. Patch availability Download locations for this patch http://www.microsoft.com/windows/ie/downloads/critical/q324929/default.asp Additional information about this patch Installation platforms: The IE 5.5 patch can be installed on systems running Service Pack 2. The IE 6.0 patch can be installed on systems running IE 6.0 Gold or Service Pack 1. Inclusion in future service packs: The fix for this issue will be included in Internet Explorer 6.0 Service Pack 2. Reboot needed: Yes Patch can be uninstalled: No Superseded patches: This patch supersedes the one provided in Microsoft Security Bulletin MS02-066, which is itself a cumulative patch. Verifying patch installation: To verify that the patch has been installed on the machine, open IE, select Help, then select About Internet Explorer and confirm that Q324929 is listed in the Update Versions field. To verify the individual files, use the patch manifest provided in Knowledge Base article Q324929. Caveats: None Localization: Localized versions of this patch are available at the locations discussed in "Patch Availability". Obtaining other security patches: Patches for other security issues are available from the following locations: Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". Patches for consumer platforms are available from the WindowsUpdate web site Other information: Support: Microsoft Knowledge Base article 324929 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site. Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches. Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: V1.0 (December 04, 2002): Bulletin Created. [***** End Microsoft Security Bulletin MS02-068 *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/