INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | Multiple security vulnerabilities in Internet Explorer exist, the worst of which could lead to an attacker gaining complete control of an affected system. |
| PLATFORM: | Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 Microsoft Windows XP Professional x64 Edition Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Microsoft Windows Server 2003 x64 Edition Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1 Internet Explorer 6 for Microsoft Windows XP Service Pack 2 Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition |
| DAMAGE: | If a user is logged on with administrative user rights, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. |
| SOLUTION: | Apply current patches. |
| VULNERABILITY ASSESSMENT: |
The risk is HIGH. An attacker who successfully exploited this vulnerability could take complete control of an affected system. |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/q-277.shtml |
| ORIGINAL BULLETIN: | http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx |
| ADDITIONAL LINK: | Microsoft Security Advisory (923762) |
| http://www.microsoft.com/technet/security/advisory/923762.mspx | |
| CVE: | CVE-2006-3280 CVE-2006-3450 CVE-2006-3451 CVE-2006-3637 CVE-2006-3638 CVE-2006-3639 CVE-2006-3640 CVE-2004-1166 |
REVISION HISTORY:
08/23/2006 - revised to reflect the changes Microsoft has made in MS06-042 where
they updated the caveats section with additional information
regarding the release status of revised Internet Explorer & Service
Pack 1 updates, as well as the release of Security Advisory 923762.
08/24/2006 - revised to add a link to Microsoft Security Advisory (923762).
08/25/2006 - revised to reflect changes Microsoft has made in MS06-042 where
they reissued and updated additional information and vulnerability
details affecting Internet Explorer 6 Service Pack 1 Customers.
11/09/2006 - revised to reflect changes Microsoft has made in MS06-042 where
they revised the Microsoft Knowledge Base Article 926046.
03/29/2007 - revised Q-277 to reflect changes Microsoft has made in MS06-042
due to a new issue discovered with the security update Microsoft
Knowledge Base Article 926840.
[***** Start Microsoft Security Bulletin MS06-042 (918899) *****]
Version: 3.2
Who should read this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
Security Update Replacement: This bulletin replaces several prior security updates. See the frequently asked questions (FAQ) section of this bulletin for the complete list.
Caveats: On September 12, 2006, this Security Bulletin and Internet Explorer 6 Service Pack 1, Internet Explorer 5.01 Service Pack 4, and Internet Explorer 6 for Microsoft Windows Server 2003 security updates were updated to address a vulnerability documented in the Vulnerability Details section as Long URL Buffer Overflow – CVE-2006-3873. Customers using these versions of Internet Explorer should apply the new update immediately.
On August 24, 2006 this Security Bulletin and the Internet Explorer 6 Service Pack 1 security updates were updated to address an issue documented in Microsoft Knowledge Base Article 923762. This issue may lead to an additional buffer overrun condition only affecting Internet Explorer 6 Service Pack 1 customers that have applied the original version of that update released August 8th, 2006. The security issue is documented in the Vulnerability Details section as Long URL Buffer Overflow – CVE-2006-3869. Internet Explorer 6 Service Pack 1 Customers should apply the new update immediately.
Microsoft Knowledge Base Article 918899 documents this and any other currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 918899.
Tested Software and Security Update Download Locations:
Affected Software:
| • | Microsoft Windows 2000 Service Pack 4 |
| • | Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 |
| • | Microsoft Windows XP Professional x64 Edition |
| • | Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 |
| • | Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems |
| • | Microsoft Windows Server 2003 x64 Edition |
Tested Microsoft Windows Components:
Affected Components:
| • | Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 — Download the update |
| • | Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1 — Download the update |
| • | Internet Explorer 6 for Microsoft Windows XP Service Pack 2 — Download the update |
| • | Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 — Download the update |
| • | Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems — Download the update |
| • | Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition — Download the update |
| • | Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition — Download the update |
The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.
Note The security updates for Microsoft Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.
* Redirect Cross-Domain Information Disclosure Vulnerability - CVE-2006-3280: An information disclosure vulnerability exists in Internet Explorer in the way that a redirect is handled. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could read file data from a Web page in another Internet Explorer domain. This other Web page must use gzip encoding or some other compression type supported by Internet Explorer for any information disclosure to occur. This other Web page must also be cached on the client side for a successful exploit.
* HTML Layout and Positioning Memory Corruption Vulnerability - CVE-2006-3450:A remote code execution vulnerability exists in the way Internet Explorer interprets HTML with certain layout positioning combinations. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
* CSS Memory Corruption Vulnerability - CVE-2006-3451:A remote code execution vulnerability exists in the way Internet Explorer handles chained Cascading Style Sheets (CSS). An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
* HTML Rendering Memory Corruption Vulnerability - CVE-2006-3637: A remote code execution vulnerability exists in the way Internet Explorer interprets HTML with certain layout combinations. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
* COM Object Instantiation Memory Corruption Vulnerability - CVE-2006-3638: A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
* Source Element Cross-Domain Vulnerability - CVE-2006-3639: A remote code execution and information disclosure vulnerability exists in Internet Explorer in the way that a redirect is handled. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could read file data from a Web page in another Internet Explorer domain.
On Windows 2000 Service Pack 4 and Windows XP Service Pack 1 an attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
* Window Location Information Disclosure Vulnerability - CVE-2006-3640: An information disclosure vulnerability exists in Internet Explorer where script can be persisted across navigations and used to gain access to the location of a Window in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow for information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could gain access to the Window location of a Web page in another domain or Internet Explorer zone.
* FTP Server Command Injection Vulnerability - CVE-2004-1166: An elevation of privilege vulnerability exists in the way Internet Explorer handles specially crafted FTP links that contain line feeds. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow the attacker to issue FTP server commands if a user clicked on an FTP link. An attacker who successfully exploited this vulnerability could issue server commands as the user to servers.
* Long URL Buffer Overflow Vulnerability - CVE-2006-3869: A remote code execution vulnerability exists in the way Internet Explorer handles long URLs in when visiting websites using HTTP 1.1 protocol and compression. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
* Long URL Buffer Overflow Vulnerability - CVE-2006-3873: A remote code execution vulnerability exists in the way Internet Explorer handles long URLs in when visiting websites using HTTP 1.1 protocol and compression. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Affected Software:
For information about the specific security update for your affected software, click the appropriate link:
* Windows Server 2003 (all versions)
* Windows XP Service Pack 2 (all versions) and Windows XP Professional x64 Edition
* Internet Explorer 5.01 Service Pack 4 on Windows 2000 (all versions)
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
| • | Sam Thomas, working with TippingPoint and the Zero Day Initiative, for reporting the HTML Layout and Positioning Memory Corruption Vulnerability (CVE-2006-3450). |
| • | Sam Thomas, working with TippingPoint and the Zero Day Initiative, for reporting the CSS Memory Corruption Vulnerability (CVE-2006-3451). |
| • | Cody Pierce of the TippingPoint Security Research Team for reporting one class identifier documented in the COM Object Instantiation Memory Corruption Vulnerability (CVE-2006-3638). |
| • | Will Dormann of CERT/CC for reporting two class identifiers documented in the COM Object Instantiation Memory Corruption Vulnerability (CVE-2006-3638). |
| • | NSFocus Security Team for reporting the Long URL Buffer Overflow Vulnerability (CVE-2006-3869). |
| • | Dejan Kovacevic, working with CERT/CC for reporting the Long URL Buffer Overflow Vulnerability (CVE-2006-3869). |
| • | eEye Digital Security for reporting the Long URL Buffer Overflow Vulnerability (CVE-2006-3873). |
Obtaining Other Security Updates:
Updates for other security issues are available at the following locations:
| • | Security updates are available at the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch." |
| • | Updates for consumer platforms are available at the Microsoft Update Web site. |
Support:
| • | Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. |
| • | International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. |
Security Resources:
| • | The Microsoft TechNet Security Web site provides additional information about security in Microsoft products. |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | |
| • | Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166. |
| • |
Software Update Services:
By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.
For more information about how to deploy security updates by using Software Update Services, visit the Software Update Services Web site.
Windows Server Update Services:
By using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 onto Windows 2000 and later operating systems.
For more information about how to deploy security updates using Windows Server Update Services, visit the Windows Server Update Services Web site.
Systems Management Server:
Microsoft Systems Management Server (SMS) delivers a highly configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.
Note SMS uses the Microsoft Baseline Security Analyzer, the Microsoft Office Detection Tool, and the Enterprise Update Scan Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
| • | V1.0 (August 8, 2006): Bulletin published. |
| • | V1.1 (August 15, 2006): Bulletin caveats updated with additional information affecting some Internet Explorer 6 Service Pack 1 customers. See Knowledge Base Article 923762 for more information. |
| • | V1.2 (August 22, 2006): Bulletin caveats updated with additional information regarding the release status of revised Internet Explorer 6 Service Pack 1 updates, as well as the release of Security Advisory 923762. |
| • | V2.0 (August 24, 2006): Bulletin reissued and updated with additional information and vulnerability details affecting Internet Explorer 6 Service Pack 1 customers. |
| • | V2.1 (September 6, 2006): Updated file version, size and time-stamp information for the Internet Explorer 6 Service Pack 1 security updates. |
| • | V3.0 (September 12, 2006): This Security Bulletin and Internet Explorer 6 Service Pack 1, Internet Explorer 5.01 Service Pack 4, and Internet Explorer 6 for Microsoft Windows Server 2003 security updates have been re-released to address a vulnerability documented in the Vulnerability Details section as Long URL Buffer Overflow – CVE-2006-3873. Customers using these versions of Internet Explorer should apply the new update immediately. |
| • | V3.1 (November 8, 2006): Bulletin revised due to a new issue discovered with the security update: Microsoft Knowledge Base Article 926046: Error message when you run a script on a Web page after you apply security update MS06-042 on a Windows XP-based computer or on a Windows Server 2003-based computer: "Permission denied" (926046). |
| • | V3.2 (March 28, 2007): Bulletin revised due to a new issue discovered with the security update: Microsoft Knowledge Base Article 926840: When you use Microsoft Internet Explorer 6 on a Microsoft Windows XP-based computer that has Service Pack 2 (SP2) installed, an access violation may occur in Mshtml.dll file and Internet Explorer may close unexpectedly. This problem typically occurs when you close a popup window (926840). |
[***** End Microsoft Security Bulletin MS06-042 (918899) *****]
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org