Das Security Bulletin wurde eben ver�ffentlicht. Es ist als kritisch eingestuft und erscheint daher ausserhalb des monatlichen Zyklus. Der Patch ist auf http://Windowsupdate.microsoft.com verf�gbar. Gr��e 2,8 MB. Neustart nach Installation erfoderlich
-- Viele Gr��e Hubert Daubmeier AFFECTED SOFTWARE: - Microsoft Windows NT� Workstation 4.0 Service Pack 6a - Microsoft Windows NT Server 4.0 Service Pack 6a - Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6 - Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4 - Microsoft Windows XP, Microsoft Windows XP Service Pack 1 - Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition Service Pack 1 - Microsoft Windows XP 64-Bit Edition Version 2003 - Microsoft Windows Server� 2003 - Microsoft Windows Server 2003, 64-Bit Edition AFFECTED COMPONENTS: - Internet Explorer 6 Service Pack 1 - internet Explorer 6 Service Pack 1 (64-Bit Edition) - Internet Explorer 6 for Windows Server 2003 - Internet Explorer 6 for Windows Server 2003 (64-Bit Edition) - Internet Explorer 6 - Internet Explorer 5.5 Service Pack 2 - Internet Explorer 5.01 Service Pack 4 - Internet Explorer 5.01 Service Pack 3 - Internet Explorer 5.01 Service Pack 2 MAXIMUM SEVERITY RATING: Critical WHAT IS IT? The Microsoft Security Response Center has released Microsoft Security Bulletin MS04-004 which concerns vulnerabilities in Internet Explorer. Customers are advised to review the information in the bulletin, test and deploy the update immediately in their environments, if applicable. IMPACT OF VULNERABILITY: Remote Code Execution TECHNICAL DETAILS: This is a cumulative update that includes the functionality of all the previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. Additionally, it eliminates the following three newly-discovered vulnerabilities: - A vulnerability that involves the cross-domain security model of Internet Explorer. The cross domain security model of Internet Explorer keeps windows of different domains from sharing information. This vulnerability could result in the execution of script in the Local Machine zone. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who exploited this vulnerability could access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged on user. - A vulnerability that involves performing a drag-and-drop operation with function pointers during dynamic HTML (DHTML) events in Internet Explorer. This vulnerability could allow a file to be saved in a target location on the user's system if the user clicked a link. No dialog box would request that the user approve this download. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, code of the attacker's choice would not be executed, but could be saved on the user's computer in a targeted location. - A vulnerability that involves the incorrect canonicalization of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has �username:[EMAIL PROTECTED] at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker�s choice in the address bar, but with content from a Web Site of the attacker�s choice inside the window. For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.) As with the previous Internet Explorer cumulative updates that were released with bulletins MS03-004, MS03-015, MS03-020, MS03-032, MS03-040, and MS03-048, this cumulative update causes the window.showHelp( ) control to no longer work if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Microsoft Knowledge Base article 811630, you will still be able to use HTML Help functionality after you apply this update. This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update: - http(s)://username:[EMAIL PROTECTED]/resource.ext For more information about this change, please see Microsoft Knowledge Base article 834489. Additionally, this update will disallow navigation to �username:[EMAIL PROTECTED] URLs for XMLHTTP. Microsoft is currently creating an update to MSXML that will address this issue specifically for XMLHTTP. Microsoft is currently creating an update to MSXML that will address this issue specifically for XMLHTTP and will provide more information in the security bulletin when the update becomes available. The update also refines a change made in Internet Explorer 6 Service Pack 1, which prevents web pages in the Internet Security zone from navigating to the local computer zone. This is discussed further in the �Frequently Asked Questions� section of this bulletin. MITIGATING FACTORS: There are three common mitigating factors for both the Cross Domain Vulnerability and Drag-and-Drop Operation Vulnerability: - By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections that are put in place that prevent these vulnerabilities from being automatically exploited would be removed. - In the Web-based attack scenario, the attacker would have to host a Web site that contains a Web page that is used to exploit these vulnerabilities. An attacker would have no way to force a user to visit a malicious Web site. Instead, the attacker would have to lure them there, typically by getting them to click a link that takes them to the attacker's site. - By default, Outlook Express 6.0, Outlook 2002 and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met: - You have applied the update included with Microsoft Security bulletin MS03-040 or MS03-048 - You are using Internet Explorer 6 or later - You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or later in its default configuration. - If an attacker exploited these vulnerabilities, they would gain only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than users who operate with administrative privileges. Restart required: Yes Update can be uninstalled: Yes RELATED KB ARTICLES: 832894 SECURITY BULLETIN LINK: http://www.microsoft.com/technet/security/bulletin/ms04-004.asp THE URL IS AUTHORITATIVE FOR THIS BULLETIN PLEASE VISIT http://www.microsoft.com/technet/security FOR THE MOST CURRENT INFORMATION ON THIS ALERT. If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary. Thank you. PSS Security _______________________________________________ Coffeehouse mailing list [EMAIL PROTECTED] http://www.glengamoi.com/mailman/listinfo/coffeehouse
