Microsoft Security Bulletin MS03-004Cumulative Patch for Internet Explorer (810847)Originally posted: February 5, 2003 SummaryWho should read this bulletin: Impact of vulnerability: Maximum Severity Rating: Recommendation: Affected Software:
End User Bulletin: General Information
Technical description: Subsequent to the initial release of this bulletin, a non-security issue was discovered with the IE 6 version of this patch that could affect some users - primarily consumers - under certain conditions. Specifically, the issue could cause some IE 6 users to be unable to authenticate to certain Internet web sites such as subscription based sites, or MSN e-mail. This issue has been resolved, and a hot fix (813951) issued to correct it. It is important to note that this hot fix corrects a very specific non-security issue in IE 6 only, and that the security patch discussed in this Security Bulletin was, and still is, effective in removing the vulnerabilities discussed later in this bulletin. More information, including details of how to obtain the hot fix are available at: http://www.microsoft.com/windows/ie/downloads/critical/813951/default.asp and in the Frequently Asked Questions section of this bulletin. This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5, 6.0. In addition, it eliminates two newly discovered vulnerabilities involving Internet Explorer's cross-domain security model - which keeps windows of different domains from sharing information. These flaws results in Internet Explorer because incomplete security checking causes Internet Explorer to allow one website to potentially access information from another domain when using certain dialog boxes. In order to exploit this flaw, an attacker would have to host a malicious web site that contained a web page designed to exploit this particular vulnerability and then persuade a user to visit that site. Once the user has visited the malicious web site, it would be possible for the attacker to run malicious script by misusing a dialog box and cause that script to access information in a different domain. In the worst case, this could enable the web site operator to load malicious code onto a user's system. In addition, this flaw could also enable an attacker to invoke an executable that was already present on the local system. A related cross-domain vulnerability allows Internet Explorer's showHelp() functionality to execute without proper security checking. showHelp() is one of the help methods used to display an HTML page containing help content. showHelp() allows more types of pluggable protocols than necessary, and this could potentially allow an attacker to access user information, invoke executables already present on a user's local system or load malicious code onto a user's local system. The requirements to exploit this vulnerability are the same as for the issue described above: an attacker would have to host and lure a user to a malicious web site. In this scenario, the attacker could open a showHelp window to a known local file on the visiting user's local system and gain access to information from that file by sending a specially crafted URL to a second showHelp window. The attacker could also potentially access user information or run code of attacker's choice. This cumulative patch will cause window.showHelp( ) to cease to function. When the latest HTML Help update - which is being released via Windows Update with this patch - is installed, window.showHelp( ) will function again, but with some limitations (see the caveats section later in this bulletin). This has been necessary in order to block the attack vector that might allow a web site operator to invoke an executable that was already present on a user's local system. Mitigating factors:
Severity Rating:
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Vulnerability identifier:
Tested Versions: Microsoft tested Internet Explorer 6.0, 5.5 and 5.01 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.
Why has Microsoft issued an IE 6 hot fix (813951) that's related to this security patch? Is there a problem with the security patch? Do I need to install the hot fix? If I apply the IE 6 hot fix (813951), do I still need this security patch? What order should I apply the Security Patch (810847) and the IE 6 hotfix (813951) in? How do I get the IE 6 hot fix? What's the scope of the first vulnerability? CAN-2003-1326 What causes the vulnerability? What is meant by "Internet Explorer's cross-domain security model"? What are Internet Explorer security zones? You mentioned that dialog boxes are involved. What is a dialog box? What's wrong with the way Internet Explorer calculates cross domain security? What could this vulnerability enable an attacker to do? How could an attacker exploit this vulnerability? What is the scope of the second vulnerability? CAN-2003-1328 What causes the vulnerability? What is showHelp () functionality in Internet Explorer? What could this vulnerability enable an attacker to do? How could an attacker exploit this vulnerability? What's wrong with cross-domain security and Internet Explorer's showHelp ()functionality? Could an attacker use either of these vulnerabilities to load a program on my local system from their web site or server? What does the patch do? What is HTML Help shortcut functionality? If I only apply this patch, will I be protected from this vulnerability? Will HTML Help functionality change when I download the new version from Windows Update?
Where is the updated HTML Help located? Does the patch for this vulnerability include the updated HTML Help?
Download locations for this patch http://www.microsoft.com/windows/ie/downloads/critical/810847/default.asp
Installation platforms:
More information on Windows support lifecycles is available at http://support.microsoft.com/default.aspx?scid=fh;[ln];LifeWin Inclusion in future service packs: The fixes for the issues affecting Internet Explorer 6.0 will be included in Internet Explorer 6.0 Service Pack 2. Reboot needed: Yes Patch can be uninstalled: No Superseded patches: This patch supersedes the ones provided in Microsoft Security Bulletin MS02-068 and MS02-066, which are also cumulative patches. Verifying patch installation:
Caveats: Users who apply this patch will not be able to use some HTML Help functionality. In order to restore that functionality, users need to download the updated HTML Help control (811630). Users should also note that when the latest version of HTML Help is installed, the following limitations will occur when a help file is opened with the showHelp method:
Localization: Localized versions of this patch are available at the locations discussed in "Patch Availability". Obtaining other security patches: Patches for other security issues are available from the following locations:
Other information:Acknowledgments: Microsoft thanks Andreas Sandblad, Sweden for reporting the cross domain vulnerability using showHelp and for working with us to protect customers. Support:
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions:
|