-----Original Message----- From: UNIRAS (UK Govt CERT) [mailto:[EMAIL PROTECTED]] Sent: 05 December 2002 10:08 To: [EMAIL PROTECTED] Subject: UNIRAS Brief - 433/02 - Microsoft - Cumulative Patch for Internet Explorer
-----BEGIN PGP SIGNED MESSAGE----- - ------------------------------------------------------------------------ ---------- UNIRAS (UK Govt CERT) Briefing Notice - 433/02 dated 05.12.02 Time: 10:10 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre) - ------------------------------------------------------------------------ ---------- UNIRAS material is also available from its website at www.uniras.gov.uk and Information about NISCC is available from www.niscc.gov.uk - ------------------------------------------------------------------------ ---------- Title ===== Microsoft Security Bulletin - MS02-068: Cumulative Patch for Internet Explorer Detail ====== - -----BEGIN PGP SIGNED MESSAGE----- - - ---------------------------------------------------------------------- Title: Cumulative Patch for Internet Explorer (Q324929) Date: 04 December 2002 Software: Microsoft(r) Internet Explorer Impact: Information Disclosure Max Risk: Moderate Bulletin: MS02-068 Microsoft encourages customers to review the Security Bulletins at: http://www.microsoft.com/security/security_bulletins/MS02-068.asp http://www.microsoft.com/technet/security/bulletin/MS02-068.asp. - - ---------------------------------------------------------------------- Issue: ====== This is a cumulative patch for Internet Explorer 5.5 and 6.0. In addition to including the functionality of all previously released patches for Internet Explorer 5.5 and 6.0, it also eliminates a newly discovered flaw in Internet Explorer's cross-domain security model. This flaw occurs because the security checks that Internet Explorer carries out when particular object caching techniques are used in web pages are incomplete. This could have the effect of allowing a website in one domain to access information in another, including the user's local system. Exploiting the vulnerability could enable an attacker to read, but not change, any file on the user's local computer. In addition, the attacker could invoke an executable that was already present on the local system. The attacker would need to know the exact location of the executable, and would not be able to pass parameters to it. Microsoft is not aware of any executable that ships by default as part of Windows and, when run without parameters, could be dangerous. An attacker could exploit the vulnerability by constructing a web page that uses a cached programming technique, and could then either host it on a web site or send it to a user via email. In the case of the web-based attack vector the page could be automatically opened when a user visited the site In the case of the HTML mail- based attack vector, the page could be opened when the recipient opened the mail or viewed it using the Preview pane. Mitigating Factors: ==================== - - -Internet Explorer 5.01 is not affected by this vulnerability. - - -The web-based attack scenario would provide no way for the attacker to force users to visit the site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site. - - -The HTML mail-based attack scenario would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update. - - -The vulnerability would allow an attacker to read but not add, delete or modify files on the user's local system. - - -The attacker would need to know the name and location of any file on the system to successfully invoke it. If invoked, there would be no way for an attacker to pass parameters to that executable. - - -This vulnerability does not provide any way for an attacker to put a program of their choice onto another user's system. Risk Rating: ============ Moderate Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-068.asp for information on obtaining this patch. - - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. - -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPe5c0o0ZSRQxA/UrAQH9+QgAqG29LelobUVrkeLCN3vE9Jj0P61nj9eX MYxYheB2OUjFYNF8263tDxASQBLmk7I/RKw3zDTp+d1q1c2ngjEoibvLiDvExik5 n9F8RgvTH8XEo2lnxAes5VS4ASvdBRImT6jTD3hZ6DmhEwN9UAWsnynXsCu+GBOa tD7JhIlTQWOwASI8f1c3ElMRVjFFs0IK8JX3zrhzPIUPrtO9HrjdSGss7c8jW4rk c1yPFSO/eKA6bs47Mg5oApHrjPecYMw5OuFRuOtmbiAv9zFG4njCEPtoNkzN/wq3 XyEzR0kAt/VksBewljU7vh1xyyezIr1uuhlC2UQQwukpO2SbQ/SkHQ== =wAs+ - -----END PGP SIGNATURE----- Reprinted with permission of Microsoft Corporation. - ------------------------------------------------------------------------ ---------- For additional information or assistance, please contact the HELP Desk by telephone or Not Protectively Marked information may be sent via EMail to: [EMAIL PROTECTED] Tel: 020 7821 1330 Ext 4511 Fax: 020 7821 1686 - ------------------------------------------------------------------------ ---------- UNIRAS wishes to acknowledge the contributions of Microsoft for the information contained in this Briefing. - ------------------------------------------------------------------------ ---------- This Briefing contains the information released by the original author. Some of the information may have changed since it was released. If the vulnerability affects you, it may be prudent to retrieve the advisory from the canonical site to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither UNIRAS or NISCC shall also accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large. - ------------------------------------------------------------------------ ---------- <End of UNIRAS Briefing> -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQCVAwUBPe8k14pao72zK539AQGKeAQArOlNOcSZGen26zvxGas8/jk1Jnd44Ujj SVqUz8y3YmMaUo6ViSlQxgmlRNCa4hUeAViy7e8c2OmvOML4DI5+GErQw58ClRbq TToXbyYD81zT+7DSa20j4hDMNnFOzDz5C0/TVP2mkevbW8bBWvR+CIvtA9Oz10H4 2cBp1c0saIU= =ZKXf -----END PGP SIGNATURE----- IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk