To: uniras@niscc.gov.uk Subject: UNIRAS Brief - 555/03 - Microsoft - Cumulative Patch for Internet Explorer -----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------------------- UNIRAS (UK Govt CERT) Briefing Notice - 555/03 dated 05.10.03 Time: 16:35 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre) - ---------------------------------------------------------------------------------- UNIRAS material is also available from its website at www.uniras.gov.uk Information about NISCC is available from www.niscc.gov.uk - ---------------------------------------------------------------------------------- UNIRAS comment ============= The following Microsoft security bulletin (MS03-040) is flagged by Microsoft as critical. It is known that the associated vulnerabilites are being actively exploited, and UNIRAS accordingly recommends that system administrators test and deploy the patch without delay. Title ===== Microsoft: Cumulative Patch for Internet Explorer Detail ====== Title: Cumulative Patch for Internet Explorer (828750) Date: October 3, 2003 Software: Internet Explorer 5.01 Internet Explorer 5.5 Internet Explorer 6.0 Internet Explorer 6.0 for Windows Server 2003 Impact: Run code of attacker's choice Max Risk: Critical Bulletin: MS03-040 Microsoft encourages customers to review the Security Bulletins at: http://www.microsoft.com/technet/security/bulletin/MS03-040.asp http://www.microsoft.com/security/security_bulletins/MS03-040.asp - ---------------------------------------------------------------------- Issue: ====== This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following newly discovered vulnerabilities: A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server in a popup window. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML-based e-mail that would attempt to exploit this vulnerability. A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server during XML data binding. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML-based e-mail that would attempt to exploit this vulnerability. A change has been made to the method by which Internet Explorer handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer Restricted Zone. It could be possible for an attacker exploiting a separate vulnerability (such as one of the two vulnerabilities discussed above) to cause Internet Explorer to run script code in the security context of the Internet Zone. In addition, an attacker could use Windows Media Player's (WMP) ability to open URL's to construct an attack. An attacker could also craft an HTML-based e-mail that could attempt to exploit this behavior. To exploit these flaws, the attacker would have to create a specially formed HTML-based e-mail and send it to the user. Alternatively an attacker would have to host a malicious Web site that contained a Web page designed to exploit these vulnerabilities. The attacker would then have to persuade a user to visit that site. As with the previous Internet Explorer cumulative patches released with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after applying this patch. In addition to applying this security patch it is recommended that users also install the Windows Media Player update referenced in Knowledge Base Article 828026. This update is available from Windows Update as well as the Microsoft Download Center for all supported versions of Windows Media Player. While not a security patch, this update contains a change to the behavior of Windows Media Player's ability to launch URL's to help protect against DHTML behavior based attacks. Specifically, it restricts Windows Media Player's ability to launch URL's in the local computer zone from other zones. Mitigating Factors: ==================== - - By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent this vulnerability from being automatically exploited would be removed. - - In the Web-based attack scenario, the attacker would have to host a Web site that contained a Web page used to exploit this vulnerability. An attacker would have no way to force a user to visit a malicious Web Site. Instead, the attacker would need to lure them there, typically by getting them to click a link that would take them to the attacker's site. - - Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges. Risk Rating: ============ - - Critical Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletins at http://www.microsoft.com/technet/security/bulletin/MS03-040.asp http://www.microsoft.com/security/security_bulletins/MS03-040.asp for information on obtaining this patch. - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. - ---------------------------------------------------------------------------------- Reproduced with permission of Microsoft Corporation - ---------------------------------------------------------------------------------- For additional information or assistance, please contact the HELP Desk by telephone or Not Protectively Marked information may be sent via EMail to: uniras@niscc.gov.uk Office Hours: Mon - Fri: 08:30 - 17:00 Hrs Tel: +44 (0) 20 7821 1330 Ext 4511 Fax: +44 (0) 20 7821 1686 Outside of Office Hours: On Call Duty Officer: Tel: +44 (0) 20 7821 1330 and follow the prompts - ---------------------------------------------------------------------------------- UNIRAS wishes to acknowledge the contribution of Microsoft for the information contained in this Briefing. - ---------------------------------------------------------------------------------- This Briefing contains the information released by the original author. Some of the information may have changed since it was released. If the vulnerability affects you, it may be prudent to retrieve the advisory from the canonical site to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither UNIRAS or NISCC shall also accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large. - ---------------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 iQCVAwUBP4A6L4pao72zK539AQHR5wP+OXSig5LSoUsgCV7yMtG6yUxbiTS3QtaN 7Sn/AvNkrj/EeEphtGfWcej0JJQoKOmeN48noz5jyqI6zjZkVKddceSUVI84igUz BE6aKOXTBgvJgq+KwhKsSsVigS6OY9/1I16quWjTX+oNHcmwxAxOfj1vM8KIxsbc 5ZgQk9o4N8k= =X4xj -----END PGP SIGNATURE-----