O-021: Microsoft Cumulative Security Update for Internet Explorer

[***** Start MS03-048 *****]

Microsoft Security Bulletin MS03-048   

Cumulative Security Update for Internet Explorer (824145)
Issued: November 11, 2003
Version: 1.0 

Summary

Who Should Read This Document: Customers who have Microsoft® Internet Explorer® 
installed

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical 

Recommendation: Customers should install this security update immediately. 

Security Update Replacement: This update replaces the one that is provided in 
Microsoft Security Bulletin MS03-040, which is itself a cumulative update.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software 

Microsoft Windows 98 
Microsoft Windows 98 Second Edition 
Microsoft Windows Millennium Edition 
Microsoft Windows NT® Workstation 4.0 Service Pack 6a 
Microsoft Windows NT Server 4.0 Service Pack 6a 
Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6 
Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4 
Microsoft Windows XP, Microsoft Windows XP Service Pack 1 
Microsoft Windows XP 64-Bit Edition 
Microsoft Windows XP 64-Bit Edition Version 2003 
Microsoft Windows Server® 2003 
Microsoft Windows Server 2003, 64-Bit Edition 

Tested Microsoft Windows Components:
Affected Components: 

Internet Explorer 6 Service Pack 1: Download the update. 
Internet Explorer 6 Service Pack 1 (64-Bit Edition): Download the update. 
Internet Explorer 6 Service Pack 1 for Windows Server 2003: Download the update. 
Internet Explorer 6 Service Pack 1 for Windows Server 2003 (64-Bit Edition): 
  Download the update. 
Internet Explorer 6: Download the update. 
Internet Explorer 5.5 Service Pack 2: Download the update. 
Internet Explorer 5.01 Service Pack 4: Download the update. 
Internet Explorer 5.01 Service Pack 3: Download the update.
Internet Explorer 5.01 Service Pack 2: Download the update. 

The software listed above has been tested to determine if the versions are affected. 
Other versions are no longer supported and may or may not be affected.

Technical Details

Technical description:

This is a cumulative update that includes the functionality of all the previously-released 
updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. 
Additionally, it eliminates the following five newly-discovered vulnerabilities: 

Three vulnerabilities that involve the cross-domain security model of Internet Explorer, 
which keeps windows of different domains from sharing information. These vulnerabilities 
could result in the execution of script in the My Computer zone. To exploit one of these 
vulnerabilities, an attacker would have to host a malicious Web site that contains a Web 
page that is designed to exploit the particular vulnerability and then persuade a user to 
view the Web page. The attacker could also create an HTML e-mail message that designed to  
exploit one of these vulnerabilities and persuade the user to view the HTML e-mail message. 
After the user has visited the malicious Web site or viewed the malicious HTML e-mail 
message an attacker who exploited one of these vulnerabilities could access information from 
other Web sites, access files on a user's system, and run arbitrary code on a user's system. 
This code would run in the security context of the currently logged on user. 
A vulnerability that involves the way that zone information is passed to an XML object 
within Internet Explorer. This vulnerability could allow an attacker to read local files on 
a user's system. To exploit this vulnerability, an attacker would have to host a malicious 
Web site that contains a Web page that is designed to exploit the particular vulnerability 
and then persuade a user to view the Web page. The attacker could also create an HTML e-mail 
message that is designed to exploit this vulnerability and persuade the user to view the HTML 
e-mail message. After the user visits the malicious Web site or views the malicious HTML e-mail 
message, the user would then be prompted to download an HTML file. If the user accepts the 
download of this HTML file, an attacker could read local files that are in a known location on 
the user's system. 
A vulnerability that involves performing a drag-and-drop operation during dynamic HTML (DHTML) 
events in Internet Explorer. This vulnerability could allow a file to be saved in a target 
location on the user's system if the user clicks a link. No dialog box would request that the 
user approve this download. To exploit one of these vulnerabilities, an attacker would have to 
host a malicious Web site that contains a Web page that has a specially-crafted link. The 
attacker would then have to persuade a user to click that link. The attacker could also create 
an HTML e-mail message that has a specially-crafted link, and then persuade the user to view the 
HTML e-mail message and then click the malicious link. If the user clicked this link, code of 
the attacker's choice could be saved on the user's computer in a targeted location. 

As with the previous Internet Explorer cumulative updates that were released with bulletins MS03-004, 
MS03-015, MS03-020, MS03-032, and MS03-040, this cumulative update causes the 
window.showHelp( ) control to no longer work if you have not applied the HTML Help update. If you 
have installed the updated HTML Help control from Knowledge Base article 811630, you will still be 
able to use HTML Help functionality after you apply this update.

Mitigating factors: 

There are three common mitigating factors across all the vulnerabilities: 

By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. 
This default configuration of Internet Explorer blocks automatic exploitation of this attack. 
If Internet Explorer Enhanced Security Configuration has been disabled, the protections that 
are put in place that prevent these vulnerabilities from being automatically exploited would be 
removed. 
In the Web-based attack scenario, the attacker would have to host a Web site that contains a 
Web page that is used to exploit these vulnerabilities. An attacker would have no way to force 
a user to visit a malicious Web site. Instead, the attacker would have to lure them there, 
typically by getting them to click a link that takes them to the attacker's site. 
By default, Outlook Express 6.0, Outlook 2002 and Outlook 2003 open HTML e-mail messages in 
the Restricted sites zone. Additionally, Outlook 98 and 2000 open HTML e-mail messages in the 
Restricted sites zone if the Outlook E-mail Security Update has been installed. The risk of 
attack from the HTML email vector can be significantly reduced if the following conditions 
are met: 
  * You have applied the patch included with Microsoft Security bulletin MS03-040 
  * You are using Internet Explorer 6 or later 
  * You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 
    and higher, or Microsoft Outlook 2000 or higher in their default configuration. 
If an attacker exploited these vulnerabilities, they would gain only the same privileges as 
the user. Users whose accounts are configured to have few privileges on the system would be 
at less risk than ones who operate with administrative privileges. 

In addition, there are two individual mitigating factors for the XML Object Vulnerability: 

A Web page that tried to exploit this vulnerability would present the user with a prompt to 
download an HTML file. An attacker could only access files on the user's system if the user 
accepted this prompt. 
An attacker can only access files that are in a known location on the user's system. 


Severity Rating: 
*******************************************************************************************
                 Internet    Internet   Internet Explorer   Internet     Internet
                 Explorer    Explorer   6 and Internet      Explorer     Explorer 6 SP1
                 5.01 SP2,   5.5 SP2    Explorer 6 SP1      6 SP1 for    for Windows
	        SP3, SP4               (All versions       Windows      Server 2003
                                         earlier than       Server        (64-Bit)
                                         Windows Server      2003
                                             2003)               
*******************************************************************************************										         
Cross-Domain     Critical    Critical       Critical       Moderate       Moderate 
Vulnerabilities 
*******************************************************************************************
XML Object       Not         Moderate       Moderate         Low            Low 
Vulnerability    affected
*******************************************************************************************
Drag-and-Drop    Important   Important      Important      Moderate       Moderate 
Operation 
Vulnerability 
*******************************************************************************************
Aggregate        Critical     Critical      Critical       Moderate       Moderate 
Severity of All 
Issues Included 
in This Update 
*******************************************************************************************

The above http://www.microsoft.com/technet/security/topics/rating.asp assessment is based 
on the types of systems that are affected by the vulnerability, their typical deployment 
patterns, and the effect that exploiting the vulnerability would have on them. 

Vulnerability identifier: 

ExecCommand Cross Domain Vulnerability: CAN-2003-0814 
Function Pointer Override Cross Domain Vulnerability: CAN-2003-0815 
Script URLs Cross Domain Vulnerability: CAN-2003-0816 
XML Object Vulnerability: CAN-2003-0817 
Drag-and-Drop Operation Vulnerability: CAN-2003-0823 

Tested Versions:
Microsoft tested Internet Explorer 5.01 Service Pack 2, Internet Explorer Service Pack 3, 
Internet Explorer Service Pack 4, Internet Explorer 5.5 Service Pack 2, Internet Explorer 
6.0, and Internet Explorer 6.0 Service Pack 1 to assess whether they are affected by these 
vulnerabilities. Previous versions are no longer supported, and may or may not be affected 
by these vulnerabilities.


Workarounds

Microsoft has tested the following workarounds that apply across all the vulnerabilities. 
These workarounds help block known attack vectors, however they will not correct the 
underlying vulnerabilities. Workarounds may reduce functionality in some cases; in such cases, 
the reduction in functionality is identified below.

Prompt before running ActiveX controls and active scripting in the Internet zone and in the 
Intranet zone

You can help protect against these vulnerabilities by changing your settings for the Internet 
security zone to prompt before running ActiveX controls. To do this, follow these steps: 

1.  In Internet Explorer, click Internet Options on the Tools menu. 
2.  Click the Security tab. 
3.  Click Internet, and then click Custom Level. 
4.  Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls 
    and plug-ins, click Prompt. 
5.  In the Scripting section, under Active Scripting, click Prompt, and then click OK. 
6.  Click Local intranet, and then click Custom Level. 
7.  Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls 
    and plug-ins, click Prompt 
8.  In the Scripting section, under Active Scripting, click Prompt. 
9.  Click OK two times to return to Internet Explorer. 

Impact of Workaround:

There are side effects to prompting before running ActiveX controls. Many Web sites that are on 
the Internet or on an intranet use ActiveX to provide additional functionality. For example, an 
online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, 
or even account statements. Prompting before running ActiveX controls is a global setting that 
affects all Internet and Intranet sites. You will be prompted frequently when you enable this 
workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to 
run ActiveX controls. If you do not want to be prompted for all these sites, use the "Restrict 
Web sites to only your trusted Web sites" workaround. 

Restrict Web sites to only your trusted Web sites 

After you set Internet Explorer to require a prompt before it runs ActiveX in the Internet zone 
and in the Intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites 
zone. This will allow you to continue to use trusted Web sites exactly as you do today, while 
helping to protect you from this attack on untrusted sites. Microsoft recommends that you only 
add sites that you trust to the Trusted sites zone. 

To do this, follow these steps: 

1.  In Internet Explorer, click Tools, click Internet Options, and then click the Security tab. 
2.  In the Select a Web content zone to specify its current security settings box, click Trusted 
    Sites, and then click Sites. 
3.  If you want to add sites that do not require an encrypted channel, click to clear the Require 
    server verification (https:) for all sites in this zone check box. 
4.  In the Add this Web site to the zone box, type the URL of a site that you trust, and then 
    click Add. 
5.  Repeat these steps for each site that you want to add to the zone. 
6.  Click OK two times to accept the changes and return to Internet Explorer. Add any sites that 
    you trust not to take malicious action on your computer. One in particular that you may want 
    to add is "*.windowsupdate.microsoft.com" (without the quotes). This is the site that will 
    host the update, and it requires the use of an ActiveX control to install the update. 

Impact of Workaround:

For those sites that you have not configured to be in your Trusted sites zone, their functionality
will be impaired if they require the use of ActiveX controls to function correctly. Adding sites to 
your Trusted sites zone will allow them to be able to download the ActiveX control that they require 
to function correctly. However you should only add Web sites you trust to the Trusted sites zone. 

Install Outlook E-mail Security Update if you are using Outlook 2000 SP1 or earlier

By default, the Outlook Email Security Update causes Outlook 98 and 2000 to open HTML e-mail messages 
in the Restricted sites zone. By default, Outlook Express 6.0, Outlook 2002, and Outlook 2003 open 
HTML e-mail messages in the Restricted sites zone. Customers who use any of these products are at 
reduced risk from an e-mail-borne attack that tries to exploit this vulnerability, unless the user 
clicks a malicious link in the e-mail message.

If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read e-mail messages in plain 
text format to help protect yourself from the HTML e-mail attack vector

Microsoft Outlook 2002 users who have applied Service Pack 1 or later and Outlook Express 6.0 users 
who have applied Service Pack 1 or later can enable a feature that will enable them to view all non-
digitally-signed e-mail messages or non-encrypted e-mail messages in plain text only. 

Digitally-signed e-mail messages and encrypted e-mail messages are not affected by the setting and 
may be read in their original formats. Information about how to enable this setting in Outlook 2002 
can be found in the following Knowledge Base article: 

http://support.microsoft.com/default.aspx?scid=kb;en-us;307594

Information about how to enable this setting in Outlook Express 6.0 can be found in the following 
Knowledge Base article: 

http://support.microsoft.com/?kbid=291387 

Impact of Workaround:

E-mail that is viewed in plain text format cannot contain pictures, specialized fonts, animations, 
or other rich content. Additionally: 

The changes are applied to the preview pane and to open messages. 
Pictures become attachments to avoid loss of message content. 
Because the message is still in Rich Text Format or in HTML format in the store, the object model 
(custom code solutions) may behave unexpectedly because the message is still in Rich Text Format 
or in HTML format in the mail store. 


Security Update Information

Internet Explorer 6 SP1 for Windows XP, Windows XP SP1, Windows 2000 SP2, Windows 2000 SP3, 
Windows 2000 SP4, Windows NT 4.0 SP6a, Windows Millennium Edition, Windows 98, and Windows 
98 Second Edition
Internet Explorer 6 SP1 (64-Bit) for Windows XP 64-Bit Edition
Internet Explorer 6 SP1 on Windows Server 2003
Internet Explorer 6 SP1 (64-Bit) on Windows 2003 64-Bit Versions and on Windows XP 64-Bit 
Edition, Version 2003
Internet Explorer 6 for Windows XP
Internet Explorer 5.5 SP2 for Windows 2000 SP2, Windows 2000 SP3, Windows 2000 SP4, Windows 
NT 4.0 SP6a, Windows Millennium Edition, Windows 98, and Windows 98 Second Edition
Internet Explorer 5.01 for Windows 2000 SP2
Internet Explorer 5.01 for Windows 2000 SP3
Internet Explorer 5.01 for Windows 2000 SP4

Acknowledgments

Microsoft thanks the following for working with us to help protect customers: 

jelmer (jkuperus@planet.nl) for reporting the XML Object (CAN-2003-0817) issue to us. 

Obtaining other security updates:

Updates for other security issues are available from the following locations: 

Security updates are available from the Microsoft Download Center and can be most easily 
found by doing a keyword search for "security_patch." 

Updates for consumer platforms are available from the Windows Update Web site. 

Support: 

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. 
There is no charge for support calls associated with security patches.
International customers can get support from their local Microsoft subsidiaries. There is no 
charge for support associated with security updates. Information on how to contact Microsoft 
support is available at http://support.microsoft.com/common/international.aspx 

Security Resources:

The Microsoft TechNet Security Web site provides additional information about security in 
Microsoft products. 
Microsoft Software Update Services: http://www.microsoft.com/sus/ 
Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please 
see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security 
updates that have detection limitations with MBSA tool. 
Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 
Windows Update: http://windowsupdate.microsoft.com 
Office Update: http://office.microsoft.com/officeupdate/ 
Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy 
the latest critical updates and security updates to Windows® 2000 and Windows Server™ 2003-based 
servers, as well as to desktop computers running Windows 2000 Professional or Windows XP 
Professional.

For information about how to deploy this security patch with Software Update Services, visit the 
following Microsoft Web site:

http://www.microsoft.com/sus/

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security update. For information 
about Systems Management Server visit the SMS Web Site. SMS also provides several additional tools 
to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update 
Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update 
Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office 
Detection Tool to provide broad support for security bulletin remediation. Some software updates 
may require administrative rights following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used 
for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated 
Rights Deployment Tool can be used for installation. This provides optimal deployment for updates 
that require explicit targeting using Systems Management Server and administrative rights after the 
computer has been restarted.

Disclaimer: 

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of 
any kind. Microsoft disclaims all warranties, either express or implied, including the warranties 
of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation 
or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if Microsoft Corporation or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. 

Revisions: 

V1.0 (November 11, 2003): Bulletin published  


[***** End MS03-048 *****]

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/