WCM - Das österreichische Computer Magazin: Forum Overview
12.02.2002, 21:02   #1
boo
Master

Registered since: 17.08.2001
Posts: 578

Patch for IE 5.0/5.5 & 6

http://www.microsoft.com/technet/sec...n/MS02-005.asp

it eliminates the following six newly
discovered vulnerabilities:

- A buffer overrun vulnerability associated with an HTML directive
that's used to incorporate a document within a web page. By
creating a web page that invokes the directive using specially
selected attributes, an attacker could cause code to run on the
user's system.

- A vulnerability associated with the GetObject scripting function.
Before providing a handle to an operating system object,
GetObject performs a series of security checks to ensure that the
caller has sufficient privileges to it. However, by requesting a
handle to a file using a specially malformed representation, it
would be possible to bypass some of these checks, thereby
allowing a web page to complete an operation that should be
prevented, namely, reading files on the computer of a visiting
user's system.

- A vulnerability related to the display of file names in the File
Download dialogue box. When a file download from a web site is
initiated, a dialogue provides the name of the file and lets the
user choose what action to take. However, a flaw exists in the way
HTML header fields (specifically, the Content-Disposition and
Content-Type fields) are handled. This flaw could make it possible
for an attacker to misrepresent the name of the file in the
dialogue, in an attempt to trick a user into opening or saving
an unsafe file.

- A vulnerability that could allow a web page to open a file on the
web site, using any application installed on a user's system.
By design, IE should only open a file on a web site using the
application that's registered to that type of file, and even
then only if it's on a list of safe applications. However,
through a flaw in the handling of the Content-Type HTML
header field, an attacker could circumvent this restriction,
and specify the application that should be invoked to process
a particular file. IE would comply, even if the application was
listed as unsafe.

- A vulnerability that could enable a web page to run a script even
if the user has disabled scripting. IE checks for the presence of
scripts when initially rendering a page. However, the capability
exists for objects on a page to respond to asynchronous events;
by misusing this capability in a particular way, it could be
possible for a web page to fire a script after the page has
passed the initial security checks.

- A newly discovered variant of the "Frame Domain Verification"
vulnerability discussed in Microsoft Security Bulletin MS01-058.
The vulnerability could enable a malicious web site operator to
open two browser windows, one in the web site's domain and the
other on the user's local file system, and to use the
Document.open function to pass information from the latter to
the former. This could enable the web site operator to read, but
not change, any file on the user's local computer that could be
opened in a browser window. In addition, this could be used to
mis-represent the URL in the address bar in a window opened from
their site.

Mitigating Factors:
====================
Buffer Overrun in HTML Directive:

- The vulnerability could not be exploited if the "Run ActiveX
Controls and Plugins" security option were disabled in the
Security Zone in which the page was rendered. This is the default
condition in the Restricted Sites Zone, and can be disabled
manually in any other Zone.

- Outlook 98 and 2000 (after installing the Outlook Email Security
Update), Outlook 2002, and Outlook Express 6 all open HTML mail
in the Restricted Sites Zone. As a result, customers using these
products would not be at risk from email-borne attacks.

- The buffer overrun would allow code to run in the security context
of the user rather than the system. The specific privileges the
attacker could gain through this vulnerability would therefore
depend on the privileges accorded to the user.

File Reading via GetObject function:

- This vulnerability could only be used to read files. It could not
be used to create, change, delete, or execute them.

- The attacker would need to know the name and location of the file
on the user's computer.

- Some files that would be of interest to an attacker - most
notably, the SAM Database - are locked by the operating system
and therefore could not be read even using this vulnerability.

- The email-borne attack scenario would be blocked if the user were
using any of the following: Outlook 98 or 2000 with the Outlook
Email Security Update installed; Outlook 2002; or Outlook
Express 6.

- The web-based attack scenario could be blocked by judicious use of
the IE Security Zones mechanism such as using the Restricted Sites
zone.
____________________________________
Regards, boo

~ GNU/Linux - there is no substitute! ~
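
An added example, not part of the original post or the bulletin: a check for the first mitigating factor above, reporting per Security Zone whether "Run ActiveX Controls and Plugins" is disabled. It assumes the setting is read from a `reg export` of the per-user `Internet Settings\Zones` key, where the option is URL action `1200`; the sample export and the function names are constructed for illustration.

```python
import re

# Constructed sample: excerpt of a `reg export` of the per-user IE zone settings.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1200"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1200"=dword:00000003
'''

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# URL action 0x1200 is "Run ActiveX controls and plug-ins".
STATES = {0x0: "enabled", 0x1: "prompt", 0x3: "disabled",
          0x10000: "administrator approved"}

SECTION = re.compile(r'^\[.*\\Internet Settings\\Zones\\(\d+)\]$', re.I)
VALUE = re.compile(r'^"1200"=dword:([0-9a-f]{8})$', re.I)

def activex_run_by_zone(reg_text):
    """Return {zone name: state of action 1200} for zones present in the export."""
    result, zone = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            zone = int(m.group(1))
            continue
        if line.startswith('['):
            zone = None  # some other key: ignore its values
            continue
        m = VALUE.match(line)
        if m and zone in ZONES:
            raw = int(m.group(1), 16)
            result[ZONES[zone]] = STATES.get(raw, f"unknown (0x{raw:x})")
    return result

def zones_without_mitigation(reg_text):
    """Zones where the option is not disabled, i.e. the mitigating factor is absent."""
    return sorted(z for z, s in activex_run_by_zone(reg_text).items() if s != "disabled")

if __name__ == "__main__":
    for zone, state in activex_run_by_zone(SAMPLE_REG).items():
        print(f"{zone}: {state}")
    print("not mitigated:", zones_without_mitigation(SAMPLE_REG))
```

Zones that do not appear in the export are not reported, and only the exported hive is read, so machine-wide or policy settings that override the per-user values need their own export.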