VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
From:
Chris McMillan <[log in to unmask]>
Reply To:
Chris McMillan <[log in to unmask]>
Date:
Sun, 25 Aug 2002 20:47:55 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (280 lines)
----Original Message-----
From: Microsoft
[mailto:[log in to unmask]
t.com]
Sent: Thursday, August 22, 2002 7:57 PM
Subject: Microsoft Security Bulletin MS02-047: Cumulative Patch for Internet
Explorer (Q323759)

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Cumulative Patch for Internet Explorer (Q323759)
Date:       22 August 2002
Software:   Internet Explorer
Impact:     Six new vulnerabilities, the most serious of which
            could enable an attacker to execute commands on a
            user's system.
Max Risk:   Critical
Bulletin:   MS02-047

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-047.asp.
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and 6.0. In addition,
it eliminates the following six newly discovered vulnerabilities:

 - A buffer overrun vulnerability affecting the Gopher protocol
   handler. This vulnerability was originally discussed in
   Microsoft Security Bulletin MS02-027, which provided workaround
   instructions while the patch provided here was being completed.

 - A buffer overrun vulnerability affecting an ActiveX control used
   to display specially formatted text. The control contains a buffer
   overrun vulnerability that could enable an attacker to run code
   on a user?s system in the context of the user.

 - A vulnerability involving how Internet Explorer handles an HTML
   directive that displays XML data. By design, the directive
   should only allow XML data from the web site itself to be
   displayed. However, it does not correctly check for the case
   where a referenced XML data source is in fact redirected to a
   data source in a different domain. This flaw could enable an
   attacker?s web page to open an XML-based files residing a
   remote system within a browser window that the site could
   read, thereby enabling the attacker to read contents from
   websites that users had access to but the attacker was not
   able to navigate to.

 - A vulnerability involving how Internet Explorer represents the
   origin of a file in the File Download Dialogue box. This flaw
   could enable an attacker to misrepresent the source of a file
   offered for download in an attempt to fool users into
   accepting a file download from an untrusted source believing
   it to be coming from a trusted source.

 - A Cross Domain verification vulnerability that occurs because
   of improper domain checking in conjunction with the Object tag.
   As a result, the vulnerability could enable a malicious web
   site operator to access data across different domains, for
   example one in a web site?s domain and the other on the
   user?s local file system and then pass information from the
   latter to the former. This could enable the web site operator
   to read, but not change, any file on the user?s local computer
   that could be viewed n a browser window. In addition, this can
   also enable an attacker to invoke, but not pass parameters to,
   an executable on the local system, much like the
   "Local Executable Invocation via Object tag" vulnerability
   discussed in MS02-015.

 - A newly reported variant of the "Cross-Site Scripting in Local
   HTML Resource" vulnerability originally discussed in
   Microsoft Security Bulletin MS02-023. Like the original
   vulnerability, this variant could enable an attacker to create
   a web page that, when opened, would run in the Local Computer
   zone, allowing it to run with fewer restrictions than it would
   in the Internet Zone.

In addition, the patch sets the Kill Bit on the MSN Chat ActiveX
control discussed in Microsoft Security Bulletin MS02-022 as well
as the TSAC ActiveX control discussed in Microsoft Security
Bulletin MS02-046. This has been done to ensure that vulnerable
controls cannot be introduced onto users? systems. Customers
who use the MSN Chat control should ensure that they have applied
the updated version of the control discussed in MS02-022 and
customers who use the TSAC control should ensure that they
have applied the updated version of the control discussed
in MS02-046 .


Mitigating Factors:
====================
Buffer Overrun in Gopher Protocol Handler:

 - The vulnerability would provide the attacker with user?s own
   privileges on the system. Customers who run with fewer than
   full privileges on the system would therefore be at lower risk.

Buffer Overrun in Legacy Text Formatting ActiveX Control:

 - The vulnerable ActiveX control is not installed by default as
   part of a current version of IE. Upon learning of the
   vulnerability, Microsoft removed the download from its site
   to minimize the likelihood that users would have the control
   on their systems.

 - The vulnerability would provide the attacker with the user?s
   own privileges on the system. Customers who run with fewer
   than full privileges on the system would therefore be at
   lower risk.

 - Customers who use Outlook Express 6.0 or Outlook 2002
   (or Outlook 98 or 2000 in conjunction with the Outlook Email
   Security Update) would by default by protected against
   email-borne attacks via this vulnerability unless they
   specifically clicked a link within the email message.

XML File Reading via Redirect:

 - The vulnerability only provides a capability to read
   XML-based files that they know the complete path to.

 - The vulnerability could not be used to add, change or delete
   files.

 - Customers who use Outlook Express 6.0 or Outlook 2002
   (or Outlook 98 or 2000 in conjunction with the Outlook Email
   Security Update) would by default by protected against
   email-borne attacks via this vulnerability.

File Origin spoofing:

 - The vulnerability does not give an attacker the means to
   place or run executables directly on the system: user
   interaction is required in a successful attack.

Cross Domain Verification in Object Tag:

 - The vulnerability would not enable the attacker to pass any
   parameters to an executable program. Microsoft is not aware
   of any programs installed by default in any version of
   Windows that, when called with no parameters, could be used
   to compromise the system.

 - An attacker could only invoke a file on the victim?s local
   machine. The vulnerability could not be used to execute a
   program on a remote share or web site.

 - The vulnerability would not provide any way for an attacker
   to put a program of his choice onto another user?s system.

 - An attacker would need to know the name and location of any
   file on the system to successfully invoke it.

 - The vulnerability could only be used to view or invoke files.
   It could not be used to create, delete, or modify them.

 - The vulnerability would only allow an attacker to read files
   that can be rendered in a browser window, such as image files,
   HTML files and ext files. Other file types, such as binary
   files, executable files, Word documents, and so forth, could
   not be read.

 - Outlook 98 and 2000 (after installing the Outlook Email Security
   Update), Outlook 2002, and Outlook Express 6 all open HTML mail
   in the Restricted Sites Zone. As a result, customers using
   these products would not be at risk from email-borne attacks.

Variant of Cross-Site Scripting in Local HTML Resource:

 - Outlook 98 and 2000 (after installing the Outlook Email
   Security Update), Outlook 2002, and Outlook Express 6 all
   open HTML mail in the Restricted Sites Zone. As a result,
   customers using these products would not be at risk from
   automated email-borne attacks. However, these customers can
   still be attacked if they choose to click on a hyperlink in a
   malicious HTML email.

 - Customers using Outlook 2002 SP1 who have enabled the "Read as
   Plain Text" feature would be immune from the HTML email
   attack. This is because this feature disables all HTML
   elements, including scripting, from mail when it is displayed.

 - Any limitations on the rights of the user's account would
   also limit the actions of the attacker's script.

 - Customers who exercise caution in what web sites they visit
   or who place unknown or untrusted sites in the Restricted
   Sites zone can potentially protect themselves from attempts
   to exploit this issue on the web.

Aggregate Severity of all issues included in this patch
(including issues addressed in previously released patches):
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-047.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - GreyMagic Software (http://sec.greymagic.com/news/) for
   reporting the XML File Reading via Redirect vulnerability.

 - Mark Litchfield of Next Generation Security Software Ltd.
   (http://www.nextgenss.com/) for reporting the Buffer Overrun
   in Legacy Text Formatting ActiveX Control vulnerability.

 - Jouko Pynnonen of Oy Online Solutions Ltd for reporting
   the File Origin Spoofing vulnerability.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPWVeQI0ZSRQxA/UrAQHcxQgAqMsOM44v9lMf0znB4JryPY0ofSe7/TrC
zLnutdNHuog3DKH4Ie05PU9oBmOzgzxjWhIGYeW6igSB2eUintlPtHRnQYaPcH2U
zrOuQHqCTHzmzd++lXnugxwL/qTLf0pp8HyBKsLnxcVXoQn4s4QwDItK8L3V2lFk
LVJfMGHytvKkSAKAOMI52Kv/AmM6kGi20CernLrUNfJPOSAaSJJO+mW5/qvm93Pm
29zM4AIF/yVNO+b8PJ7GzRtsz40MucuL4pUo62V/db1TQ7AJaqyaVCr+fDKJQCCI
FNbbD0NoILJ8tempoHyQdTBlc97SgSB3YmFvsFWG4n8p0GTzXisPPA==
=c7fr
-----END PGP SIGNATURE-----



*******************************************************************

You have received this e-mail bulletin because of your subscription to the
Microsoft Product Security Notification Service.  For more information on
this service, please visit
http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please
visit the Microsoft Profile Center at
http://register.microsoft.com/regsys/pic.asp

For security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html


ATOM RSS1 RSS2