SecurityTracker.com
Category:  Application (Web Browser)  >  Internet Explorer (IE)
Vendors:  Microsoft
Microsoft Internet Explorer Browser Security Zone Flaw Lets Remote Users Cause Cookie-based Scripts to Be Executed on Another User's Browser in the Incorrect Security Domain
SecurityTracker Alert ID:  1003915
CVE Reference:  CAN-2002-0078
Date:  Mar 29 2002
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 5.01, 5.5, 6.0
Description:  Microsoft reported a vulnerability in the Internet Explorer (IE) web browser. A remote user could cause a malicious script embedded within a cookie to be executed on another user's browser. The script would be (incorrectly) executed in the local security zone.

It is reported that IE incorrectly allows scripts embedded within cookies to be run in the Local Computer zone rather than the same zone as the web site with which the cookie is associated.

A remote user could reportedly place a malicious script in a cookie that would be saved to another user's hard disk (when the other user visits a malicious web site). When the cookie is opened by the malicious site, the script would then be executed in the Local Computer zone. The Local Computer zone may have fewer restrictions than other security zones.
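The zone confusion described above can be shown with a small model. This is an added illustration, not Internet Explorer's code and not part of the advisory: the zone names come from the bulletin, while the function names, fields, paths, host names and the restriction ordering are assumptions made for the example. It contrasts a rule that picks the zone from where content is stored with one that keeps the zone of the site that set it, and includes a check that reports any content placed in a less restricted zone than its origin.

```javascript
// Simplified model of zone determination (hypothetical names throughout).
// Assumed ordering for the model: a higher number means a more restricted zone.
const RESTRICTION = { "Local Computer": 0, "Internet": 1, "Restricted Sites": 2 };

// Constructed site-to-zone policy; any unlisted remote host is the Internet zone.
const SITE_ZONES = { "mail-viewer.invalid": "Restricted Sites" };

function zoneOfUrl(url) {
  const u = new URL(url);
  if (u.protocol === "file:") return "Local Computer";
  return SITE_ZONES[u.hostname] || "Internet";
}

// Flawed rule: the zone follows the place the bytes are stored, so a cookie
// file on the user's disk is treated as Local Computer content.
function zoneByLocation(item) {
  return zoneOfUrl(item.storedAt);
}

// Corrected rule: content that a site caused to be stored keeps that site's
// zone; only content with no associated site falls back to its location.
function zoneByOrigin(item) {
  return zoneOfUrl(item.setBy || item.storedAt);
}

// Regression check: list items that a rule places in a less restricted zone
// than the zone of the site associated with them.
function findElevations(items, rule) {
  return items
    .filter((i) => RESTRICTION[rule(i)] < RESTRICTION[zoneByOrigin(i)])
    .map((i) => ({ name: i.name, got: rule(i), expected: zoneByOrigin(i) }));
}

// Constructed sample content records.
const SAMPLE = [
  { name: "cookie", storedAt: "file:///C:/profile/Cookies/user@site.txt",
    setBy: "http://www.example.com/" },
  { name: "restricted-cookie", storedAt: "file:///C:/profile/Cookies/user@mail.txt",
    setBy: "http://mail-viewer.invalid/" },
  { name: "local-doc", storedAt: "file:///C:/docs/readme.htm", setBy: null },
  { name: "web-page", storedAt: "http://www.example.com/index.htm",
    setBy: "http://www.example.com/" },
];

console.log("location rule:", findElevations(SAMPLE, zoneByLocation));
console.log("origin rule:  ", findElevations(SAMPLE, zoneByOrigin));
```
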

Microsoft credits Andreas Sandblad, Sweden, for reporting this vulnerability.

Impact:  A remote user could cause arbitrary script code to be executed on another user's browser when the other user visits the remote user's malicious web site. The script would incorrectly run in the Local Computer context with the privileges of the target (victim) user.
Solution:  The vendor has released a patch, available at:

http://www.microsoft.com/windows/ie/downloads/critical/Q319182/default.asp

According to the bulletin, the IE 5.01 patch can be applied to Windows 2000 systems with SP2 or Windows NT 4.0 systems with SP6a. The IE 5.5 patch can be installed on systems running IE 5.5 SP1 or SP2. The IE 6.0 patch can be installed on systems running IE 6.0 Gold.

Microsoft reports that the fixes for these issues will be included in IE 6.0 SP1 and that the fixes for the issues affecting IE 5.01 SP2 will be included in Windows 2000 SP3.

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-015.asp
Cause:  Access control error, State error
Underlying OS:  Windows (Any)
Reported By:  secnotif@microsoft.com
Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 3 2002 (Patch Reportedly Does Not Fully Fix the Flaw) Re: Microsoft Internet Explorer Browser Security Zone Flaw Lets Remote Users Cause Cookie-based Scripts to Be Executed on Another User's Browser in the Incorrect Security Domain   (Andreas Sandblad <sandblad@acc.umu.se>)
This is a follow-up message.
May 15 2002 (Microsoft Issues Updated Fix) Re: Microsoft Internet Explorer Browser Security Zone Flaw Lets Remote Users Cause Cookie-based Scripts to Be Executed on Another User's Browser in the Incorrect Security Domain   (Russ <Russ.Cooper@RC.ON.CA>)
The vendor has issued a revised fix.



 Source Message Contents

Date:  Thu, 28 Mar 2002 16:03:49 -0800
From:  secnotif@microsoft.com
Subject:  Microsoft Security Bulletin MS02-015

 

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      28 March 2002 Cumulative Patch for Internet Explorer
Date:       28 March 2002
Software:   Internet Explorer
Impact:     Two vulnerabilities, the most serious of which 
            would allow script to run in the Local Computer Zone.
Max Risk:   Critical
Bulletin:   MS02-015

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-015.asp.
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and IE 6. In addition,
it eliminates the following two newly discovered vulnerabilities: 

 - A vulnerability in the zone determination function that could
   allow a script embedded in a cookie to be run in the Local
   Computer zone. While HTML scripts can be stored in cookies,
   they should be handled in the same zone as the hosting site
   associated with them, in most cases the Internet zone. An
   attacker could place script in a cookie that would be saved
   to the user's hard disk. When the cookie was opened by the
   site the script would then run in the Local Computer zone,
   allowing it to run with fewer restrictions than it would
   otherwise have. 

 - A vulnerability in the handling of object tags that could
   allow an attacker to invoke an executable already present
   on the user's machine. A malicious user could create an HTML
   web page that includes this object tag and cause a local
   program to run on the victim's machine.

Mitigating Factors:
====================
Cookie-based Script Execution: 

 - The script would run with the same rights as the user.
   The specific privileges the attacker could gain through
   this vulnerability would therefore depend on the
   privileges accorded to the user. Any limitations on a
   user's account, such as those applied through Group
   Policies, would also limit the actions of any script
   executed by this vulnerability. 

Local Executable Invocation via Object tag: 

 - The vulnerability would not enable the attacker to pass
   any parameters to the program. Microsoft is not aware of
   any programs installed by default in any version of
   Windows that, when called with no parameters, could be
   used to compromise the system. 

 - An attacker could only execute a file on the victim's
   local machine. The vulnerability could not be used to
   execute a program on a remote share or web site. 

 - The vulnerability would not provide any way for an
   attacker to put a program of his choice onto another
   user's system. 

 - An attacker would need to know the name and location
   of any executable on the system to successfully invoke it.

 - Outlook 98 and 2000 (after installing the Outlook Email
   Security Update), Outlook 2002, and Outlook Express 6 all
   open HTML mail in the Restricted Sites Zone. As a result,
   customers using these products would not be at risk from
   email-borne attacks.

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-015.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Andreas Sandblad, Sweden for reporting the Cookie-based Script
   Execution issue

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.






Copyright 2002, SecurityGlobal.net LLC