Microsoft Internet Explorer Bugs (URLMON.DLL Buffer Overflow, File Upload Control Bypass, Plug-in URL Input Validation Flaw, CSS Modal Dialog Input Validation Flaw) Let Remote Users Execute Arbitrary Code or Access Local Files

SecurityTracker Alert ID: 1006634
CVE Reference: CAN-2003-0113, CAN-2003-0114, CAN-2003-0115, CAN-2003-0116
Updated: Dec 7 2003
Original Entry Date: Apr 23 2003
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 5.01, 5.5, 6.0

Description: Several vulnerabilities were reported in Microsoft Internet Explorer (IE). A remote user can cause arbitrary code to be executed by the target user's browser. A remote user can also cause a file on the target user's system to be uploaded to a remote web server. A remote user can also cause scripting code to be executed by the target user.

A buffer overflow vulnerability was reported in URLMON.DLL. A remote user (acting as a web server) can return specially crafted parameters to a target user when the target user views the web site, causing arbitrary code to run on the target user's system. The code will run with the privileges of the target user. According to the report, the DLL does not properly validate certain parameters.

An input validation vulnerability was reported in the file upload control. A remote user can create HTML that would, when loaded by the target user, upload a specified file from the target user's host to a remote web server. The malicious HTML can cause the IE file upload control to launch, pass scripting code to populate the control's upload parameter with a user-supplied file name, and then close and upload the file. No interaction by the target user is required.

An input validation vulnerability was reported in the processing of URLs for third party plug-in files. A remote user can create a specially crafted URL that, when loaded by the target user, will inject scripting code when the third party file format is rendered by IE. The scripting code will run on the target user's browser with the privileges of the target user. According to the report, certain characters in the URL can cause the IE security checks to be bypassed when IE is performing a loading operation to open a new window for the plug-in.

An input validation vulnerability was reported in the processing of input parameters to modal dialogs. A remote user can cause scripting code to be executed on the target user's computer that will be able to access files on the target user's computer. The flaw is due to a Cascading Style Sheet input parameter for modal dialogs that is not checked by IE. This parameter can contain scripting code that IE will execute.

Microsoft also reported that, in IE 6.0 SP1, there is an error in the way that IE displays help information in the local computer zone. A remote user can read local files on a target user's system. Microsoft does not believe this particular flaw to be exploitable.

Microsoft credits Mark Litchfield of Next Generation Security Software Ltd. for reporting the PLUGIN.OCX vulnerability, Andreas Sandblad, Sweden for reporting the showhelp vulnerability, and Jouko Pynnönen of Oy Online Solutions Ltd, Finland for reporting the URLMON.DLL buffer overflow vulnerability.

Impact: A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.

A remote user can cause a specified file on the target user's system to be uploaded to a remote web server.

A remote user can cause scripting code to be executed by the target user in the Local Computer security context.

Solution: The vendor has released a cumulative patch, available via Windows Update (http://windowsupdate.microsoft.com/) and also at:
http://www.microsoft.com/windows/ie/downloads/critical/813489/default.asp

The IE 5.01 patch can be installed on Windows 2000 SP3. The IE 5.5 patch can be installed on IE 5.5 SP2. The IE 6.0 patch can be installed on IE 6.0 Gold or IE 6.0 SP1.

Microsoft plans to include this fix in IE 6.0 SP2.

A reboot is required after installing the patch.

This patch supersedes MS03-004.

See the Vendor URL for important caveats regarding the patch and the HTML Help Control.

Microsoft has issued Knowledge Base article 813489 regarding these vulnerabilities, available at:
http://support.microsoft.com/?id=813489

Microsoft reports that this patch sets the Kill Bit on the vulnerable Plugin.ocx ActiveX control. See the Microsoft Knowledge Base article 813489 for more information.

Vendor URL: www.microsoft.com/technet/security/bulletin/MS03-015.asp
Cause: Boundary error, Input validation error
Underlying OS: Windows (Any)
Message History: None.

Source Message Contents

Date: Wed, 23 Apr 2003 14:23:56 -0400
Subject: MS03-015
http://www.microsoft.com/technet/security/bulletin/MS03-015.asp
Microsoft Security Bulletin MS03-015
Cumulative Patch for Internet Explorer (813489)
Versions: Microsoft Internet Explorer 5.01, 5.5, 6.0
Maximum Severity Rating: Critical
CVE: CAN-2003-0113, CAN-2003-0114, CAN-2003-0115, CAN-2003-0116
Microsoft Internet Explorer Bugs (URLMON.DLL Buffer Overflow, File Upload Control Bypass,
Plug-in URL Input Validation Flaw, CSS Modal Dialog Input Validation Flaw) Let Remote
Users Execute Arbitrary Code or Access Local Files
Several vulnerabilities were reported in Microsoft Internet Explorer (IE). A remote user
can cause arbitrary code to be executed by the target user's browser. A remote user can
also cause a file on the target user's system to be uploaded to a remote web server. A
remote user can also cause scripting code to be executed by the target user.
A buffer overflow vulnerability was reported in URLMON.DLL. A remote user (acting as a
web server) could return specially crafted parameters to a target user when the target
user views the web site, causing arbitrary code to run on the target user's system. The
code would run with the privileges of the target user. According to the report, the DLL
does not properly validate certain parameters.
An input validation vulnerability was reported in the file upload control. A remote user
could create HTML that would, when loaded by the target user, upload a specified file from
the target user's host to a remote web server. The malicious HTML can cause the IE file
upload control to launch, pass scripting code to populate the control’s upload parameter
with a user-supplied file name, and then close and upload the file. No interaction by the
target user is required.
An input validation vulnerability was reported in the processing of URLs for third party
plug-in files. A remote user could create a specially crafted URL that, when loaded by
the target user, would inject scripting code when the third party file format is rendered
by IE. The scripting code would run on the target user's browser with the privileges of
the target user. According to the report, certain characters in the URL can cause the IE
security checks to be bypassed when IE is performing a loading operation to open a new
window for the plug-in.
An input validation vulnerability was reported in the processing of input parameters to
modal dialogs. A remote user could cause scripting code to be executed on the target
user's computer that would be able to access files on the target user's computer. The
flaw is due to a Cascading Style Sheet input parameter for modal dialogs that is not
checked by IE. This parameter could contain scripting code that IE will execute.
Microsoft also reported that, in IE 6.0 SP1, there is an error in the way that IE displays
help information in the local computer zone. A remote user could read local files on a
target user's system. Microsoft does not believe this flaw to be exploitable.
Microsoft credits Mark Litchfield of Next Generation Security Software Ltd. for reporting
the PLUGIN.OCX vulnerability, Andreas Sandblad, Sweden for reporting the showhelp
vulnerability, and Jouko Pynnönen of Oy Online Solutions Ltd, Finland for reporting the
URLMON.DLL buffer overflow vulnerability.
The vendor has released patches, available at:
http://www.microsoft.com/windows/ie/downloads/critical/813489/default.asp
The IE 5.01 patch can be installed on Windows 2000 SP3. The IE 5.5 patch can be installed
on IE 5.5 SP2. The IE 6.0 patch can be installed on IE 6.0 Gold or IE 6.0 SP1.
Microsoft plans to include this fix in IE 6.0 SP2.
A reboot is required after installing the patch.
This patch supersedes MS03-004.
See the Vendor URL for important caveats regarding the patch and the HTML Help Control.
Microsoft has issued Knowledge Base article 813489 regarding these vulnerabilities,
available at:
http://support.microsoft.com/?id=813489
Microsoft reports that this patch sets the Kill Bit on the vulnerable Plugin.ocx ActiveX
control. See the Microsoft Knowledge Base article 813489 for more information.
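
Both the Solution section and the quoted bulletin text state that the patch sets the Kill Bit on Plugin.ocx. The Python sketch below is an added example, not part of the advisory or of Microsoft's tooling: it checks registry export text for the kill bit (the 0x400 bit of "Compatibility Flags" under IE's ActiveX Compatibility key). The CLSIDs and the sample export are constructed placeholders, because the page does not give the Plugin.ocx CLSID.

```python
import re

# Per Microsoft's documented kill-bit mechanism: this bit in "Compatibility Flags"
# stops Internet Explorer from instantiating the control.
KILL_BIT = 0x00000400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")

# Constructed sample export. Both CLSIDs are placeholders, not Plugin.ocx's CLSID.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000AAAA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000BBBB}]
"Compatibility Flags"=dword:00000020
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})\s*$', re.I)


def parse_compat_flags(export_text):
    """Return {CLSID (upper case): Compatibility Flags DWORD} from .reg export text."""
    prefix = (COMPAT_KEY + "\\").upper()
    flags, clsid = {}, None
    for line in export_text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            key = section.group(1).upper()
            tail = key[len(prefix):] if key.startswith(prefix) else ""
            # Only direct {CLSID} subkeys count; deeper or unrelated keys are skipped.
            clsid = tail if tail and "\\" not in tail else None
            continue
        value = FLAGS_RE.match(line)
        if value and clsid:
            flags[clsid] = int(value.group(1), 16)
    return flags


def kill_bit_status(export_text, clsid):
    """'set', 'not set', or 'missing' (no entry, so the control is not blocked)."""
    flags = parse_compat_flags(export_text).get(clsid.upper())
    if flags is None:
        return "missing"
    return "set" if flags & KILL_BIT else "not set"


if __name__ == "__main__":
    for clsid, flags in parse_compat_flags(SAMPLE_EXPORT).items():
        print(clsid, hex(flags), kill_bit_status(SAMPLE_EXPORT, clsid))
```

Files exported by regedit in "Version 5.00" format are UTF-16, so read them with `encoding="utf-16"` before passing the text in; take the real CLSID from Knowledge Base article 813489.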