Microsoft Security Bulletin MS02-068
Cumulative Patch for Internet Explorer (324929)
Originally posted: December 04, 2002
Who should read this bulletin:
Customers using Microsoft® Internet Explorer
Impact of vulnerability:
Allow an attacker to execute commands on a user's system.
Maximum Severity Rating: Critical
Recommendation:
Customers should install the patch at the earliest opportunity.
Affected Software:
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 6.0
End User Bulletin:
An end user version of this bulletin is available at: http://www.microsoft.com/athome/security/update/bulletins/default.mspx
This is an updated bulletin describing a cumulative patch for Internet Explorer 5.5 and 6.0. The original patch is unchanged and, in addition to including the functionality of all previously released patches for Internet Explorer 5.5 and 6.0, eliminates one additional flaw in Internet Explorer's cross-domain security model. This flaw occurs because the security checks that Internet Explorer carries out when particular object caching techniques are used in web pages are incomplete. This could have the effect of allowing an attacker to execute commands on a user's system.
Exploiting the vulnerability could enable an attacker to invoke an executable that was already present on the local system. It could also allow an attacker to load a malicious executable onto a user's system, or to pass parameters to an executable. However, a registry key setting discussed in Microsoft Knowledge Base Article 810687 disables shortcuts in HTML Help, which significantly reduces the scope of this vulnerability as it removes the ability to load a malicious executable on a user's system or to pass parameters to an executable.
An attacker could exploit the vulnerability by constructing a web page that uses the object caching technique, and could then either host it on a web site or send it to a user via email. In the case of the web-based attack vector, the page could be automatically opened when a user visited the site. In the case of the HTML mail-based attack vector, the page could be opened when the recipient opened the mail or viewed it using the Preview pane.
On December 4, 2002, Microsoft released the original version of this bulletin. Subsequent to that time, Microsoft received a report suggesting that the vulnerability addressed by this bulletin could be exploited to run arbitrary code on a user's machine. Microsoft investigated that report, and was able to develop a demonstration that exploits the vulnerability to run arbitrary code. We have released this updated bulletin to advise customers of our new assessment of the potential impact of the vulnerability, and of its updated severity rating.
The original patch released with this bulletin was and is effective in preventing exploitation of the vulnerability. It is also effective in eliminating all vulnerabilities addressed by prior bulletins that could allow a malicious party to run code on the machine of a user who visited a hostile web site or opened a malicious HTML email message. Microsoft strongly urges all customers to install the patch.
Mitigating factors:
- Internet Explorer 5.01 is not affected by this vulnerability.
- The web-based attack scenario would provide no way for the attacker to force users to visit the site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.
- The HTML mail-based attack scenario would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update.
- If the steps described in Microsoft Knowledge Base Article 810687 have been taken to restrict shortcuts in HTML Help, then the following mitigating factors apply:
  - The vulnerability would allow an attacker to read but not add, delete or modify files on the user's local system.
  - The attacker would need to know the name and location of any file on the system to successfully invoke it. If invoked, there would be no way for an attacker to pass parameters to that executable.
  - The vulnerability would not provide any way for an attacker to put a program of their choice onto another user's system.
Severity Rating:
- Internet Explorer 5.01: None
- Internet Explorer 5.5: Critical
- Internet Explorer 6.0: Critical
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2002-1262
Tested Versions:
Internet Explorer versions 5.5 and 6.0 were tested for this vulnerability. Internet Explorer 5.01 is not affected by this vulnerability. More information on Windows Operating System Components Lifecycles is available from: http://www.microsoft.com/lifecycle/.
What's the scope of the vulnerability?
This vulnerability could allow a malicious web site operator to access information in another internet domain, or the user's local system. It could also allow an attacker to launch an executable that was already on the user's system or to load a malicious executable onto the system.
Microsoft Knowledge Base Article 810687 describes a method to restrict shortcuts in HTML Help. If the changes discussed in that article have been applied, the scope of the vulnerability is significantly reduced: the vulnerability would not provide a way for an attacker to deliver a program of his choice to the system (the program must already exist on the system for the attacker to invoke it), nor could the attacker pass any parameters to an executable program.
What causes this vulnerability?
The vulnerability results because it is possible to bypass Internet Explorer's cross-domain security model when using object caching in scripting.
What is meant by "object caching"?
An object is one of the building blocks in constructing a computer program. Object caching can allow software developers to store one of these discrete blocks of computer code in memory so that the object can be reused at a later stage.
What is meant by "Internet Explorer's cross-domain security model"?
One of the principal security functions of a browser is to ensure that browser windows under the control of different web sites cannot interfere with each other, or access each other's data, while allowing windows from the same site to interact with each other. To differentiate between cooperative and uncooperative browser windows, the concept of a "domain" has been created. A domain is a security boundary: any open windows within the same domain can interact with each other, but windows from different domains cannot. The "cross-domain security model" is the part of the security architecture that prevents windows from different domains from interfering with each other.
The simplest example of a domain is associated with web sites. If you visit www.microsoft.com, and it opens a window to www.microsoft.com/security, the two windows can interact with each other because both belong to the same domain, www.microsoft.com. However, if you visited www.microsoft.com, and it opened a window to a different web site, the cross-domain security model would protect the two windows from each other. The concept goes even further. The file system on your local computer, for instance, is also a domain. So, for example, www.microsoft.com could open a window and show you a file on your hard drive. However, because your local file system is in a different domain from the web site, the cross-domain security model should prevent the web site from reading the file that is being displayed.
The Internet Explorer domain security model can be configured using the Internet Security Zones settings in Internet Explorer.
What are Internet Explorer security zones?
Internet Explorer Security Zones are a system that divides online content into categories, or zones based on its trustworthiness. Specific web domains can be assigned to a zone, depending on how much trust is placed in the content of each domain. The zone then restricts the capabilities of the web content, based on the zone's settings.
By default, most Internet domains are treated as part of the Internet zone, which has settings that prevent scripts and other active code from accessing resources on the local machine. Conversely, the Local Computer zone is a much less restricted zone which allows content to access and manipulate content on the local system. By default, files stored on the local computer are run in the Local Computer zone.
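The domain boundary and the zone rules described in the two answers above can be made concrete with a small model. The following is an added example, not code from the bulletin or from Microsoft: it identifies a "domain" by scheme, host and port (with the local file system as one domain of its own), assigns content to a zone, and refuses cross-domain reads and Internet-zone access to the local machine. The zone table (ASSUMED_ZONE_MAP), the helper names and the decision rule in may_access are assumptions made for illustration, not Internet Explorer's implementation.

```python
# Added example (not part of the Microsoft bulletin): a small model of the
# browser "domain" boundary and of security zones that the bulletin describes.
# The zone table and the access rule are simplifying assumptions made for
# illustration; they are not Internet Explorer's actual implementation.
from urllib.parse import urlsplit

# Default ports, so that http://host/ and http://host:80/ compare as one domain.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed zone policy (assumption): hosts explicitly assigned to a zone.
# Anything not listed is Internet-zone content, the bulletin's default, and
# file: URLs belong to the Local Computer zone.
ASSUMED_ZONE_MAP = {
    "intranet.example.com": "Local intranet",
    "untrusted.example.net": "Restricted sites",
}


def domain_of(url):
    """Return the security domain of a URL as a comparable tuple.

    Web content is identified by (scheme, host, port). The local file system
    is a single domain of its own, whatever the path, as the bulletin explains.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        return ("file", "local", None)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_domain(url_a, url_b):
    """True when two windows may interact: same scheme, host and port."""
    return domain_of(url_a) == domain_of(url_b)


def zone_for(url, zone_map=ASSUMED_ZONE_MAP):
    """Assign content to a zone by its host (file: content is Local Computer)."""
    scheme, host, _ = domain_of(url)
    if scheme == "file":
        return "Local Computer"
    return zone_map.get(host, "Internet")


def may_touch_local_machine(url, zone_map=ASSUMED_ZONE_MAP):
    """Zone capability from the bulletin: only Local Computer zone content
    may access resources on the local machine; Internet zone content may not."""
    return zone_for(url, zone_map) == "Local Computer"


def may_access(source_url, target_url, zone_map=ASSUMED_ZONE_MAP):
    """Decide whether a window from source_url may read target_url.

    Returns (allowed, reason). Two layers are modelled: the cross-domain
    check, whose bypass the bulletin describes, and the zone restriction on
    reaching the local machine.
    """
    if same_domain(source_url, target_url):
        return True, "same domain"
    if domain_of(target_url)[0] == "file" and not may_touch_local_machine(source_url, zone_map):
        return False, "%s zone content may not access the local machine" % zone_for(source_url, zone_map)
    return False, "different domains"


if __name__ == "__main__":
    # Constructed URL pairs mirroring the bulletin's own examples.
    pairs = [
        ("http://www.microsoft.com/", "http://www.microsoft.com/security"),
        ("http://www.microsoft.com/", "http://www.example.org/"),
        ("http://www.microsoft.com/", "file:///C:/docs/notes.txt"),
        ("file:///C:/docs/index.htm", "file:///C:/docs/notes.txt"),
    ]
    for src, dst in pairs:
        allowed, why = may_access(src, dst)
        print("%-28s -> %-34s %s (%s)" % (src, dst, "allow" if allowed else "deny", why))
```

The model shows why the flaw matters: a page's capabilities depend entirely on the boundary check being applied on every code path, so a path (here, object caching) that skips it hands Internet-zone content the reach of the Local Computer zone.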
What's wrong with the way Internet Explorer calculates cross domain security?
Internet Explorer evaluates security when one web page requests access to resources in another security zone. However, a flaw in how this evaluation is performed when object caching is used means that these security checks can be bypassed.
What could this vulnerability enable an attacker to do?
The vulnerability could enable an attacker to either view files on another user's system or execute programs on it. The vulnerability would also allow an attacker to load a malicious executable on the user's system.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a web page that used the object caching programming technique discussed above. The attacker would then need to cause the user to open the page, through either of two methods:
- Hosting it on a web site. In this case, the page could be automatically opened when a user visited the site.
- Sending it as an HTML mail. In this case, the page would be opened when the recipient opened the mail or viewed it using the Preview pane.
If the vulnerability lies in Internet Explorer, why would it be exploitable via an HTML mail?
An HTML mail is simply a web page that's sent as an email rather than obtained from a Web site. When Outlook or Outlook Express receives such a mail, it relies on Internet Explorer to process it and display the outcome. As a result, even though the vulnerability here lies solely within Internet Explorer, it can affect HTML emails as well.
Is there a way to prevent a possible attack via email?
Yes. By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at no risk from an e-mail-borne attack that attempted to exploit this vulnerability.
What could an attacker do if he were able to launch an executable on my machine?
The attacker could carry out any actions on the local system that the user was permitted to carry out. This could include launching executables that are already on the local system, or downloading malicious executables onto the local system. The attacker could also pass parameters to executables.
Is there a way to remove the ability for an attacker to pass parameters to an executable?
Yes, there is. There is an identified method of using the shortcuts function in HTML Help to pass parameters to an executable. Microsoft has published Knowledge Base Article 810687, which describes a registry key setting that restricts shortcuts in HTML Help. Setting this registry key would remove the ability of an attacker to load a malicious executable onto the user's system and would restrict the attacker to invoking an executable that's already present on the user's system, and an attacker would not be able to pass parameters to this executable.
However, the best protection is for users to apply the patch, which will remove the vulnerability.
What is the significance of being able to remove the ability for an attacker to pass parameters to an executable?
Without the ability to pass parameters, the extent to which an attacker could carry out actions on the local system would be significantly reduced. For example, Microsoft is not aware of any executable that ships by default as part of Windows that could be dangerous when run without parameters.
Could an attacker use these vulnerabilities to load a program on my machine from their web site or server?
Yes. However, as discussed above, Microsoft Knowledge Base Article 810687 describes a method of restricting shortcuts in HTML Help, which would remove the ability for an attacker to load an executable onto the user's system.
I'm running Internet Explorer 5.01. Do I need the patch?
No. Internet Explorer 5.01 is not affected by the vulnerability.
What does the patch do?
The patch addresses the vulnerabilities by ensuring that the correct cross domain security checks take place whenever the affected programming function is used.
Download locations for this patch
Installation platforms:
- The IE 5.5 patch can be installed on systems running Internet Explorer 5.5 Service Pack 2.
- The IE 6.0 patch can be installed on systems running IE 6.0 Gold or Service Pack 1.
Inclusion in future service packs:
The fix for this issue will be included in Internet Explorer 6.0 Service Pack 2.
Reboot needed: Yes
Patch can be uninstalled: No
Superseded patches: This patch supersedes the one provided in Microsoft Security Bulletin MS02-066, which is itself a cumulative patch.
Verifying patch installation:
- To verify that the patch has been installed on the machine, open IE, select Help, then select About Internet Explorer and confirm that Q324929 is listed in the Update Versions field.
- To verify the individual files, use the patch manifest provided in Knowledge Base article Q324929.
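For a fleet rather than a single machine, the verification step above (Q324929 listed in Update Versions) and the bulletin's affected-version facts can be turned into an inventory check. The following is an added example, not code from the bulletin or from Microsoft: it takes a constructed record of (hostname, Internet Explorer version string, Update Versions field) per machine and reports whether MS02-068 applies and whether the patch is present. The record layout, the version-string shapes assumed in ie_release, the sample records, and the assumption that a service pack appears as an SP token in the same field are all assumptions of this example; nothing here reads the registry.

```python
# Added example (not from the bulletin): evaluate inventory records against the
# bulletin's affected-version facts and its verification step (Q324929 listed
# in Help > About > Update Versions). The record layout, the version-string
# shapes and the sample records are constructed assumptions about what an
# inventory tool would collect; nothing here reads the registry.
import re

PATCH_ID = "Q324929"   # identifier the bulletin says appears in Update Versions


def parse_update_versions(field):
    """Split an Update Versions field such as ";SP1;Q324929;" into a set."""
    return {tok.strip().upper() for tok in field.split(";") if tok.strip()}


def ie_release(version):
    """Map a version string to the release the bulletin talks about.

    Assumed shapes (an assumption of this example, not from the bulletin):
    5.01 reports as 5.00.x, 5.5 as 5.50.x and 6.0 as 6.0.x. Anything else
    is reported as unknown so it is checked by hand rather than guessed.
    """
    m = re.match(r"^(\d+)\.(\d+)", version.strip())
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    return {(5, 0): "5.01", (5, 50): "5.5", (6, 0): "6.0"}.get((major, minor), "unknown")


def assess(version, update_versions):
    """Return the MS02-068 status of one machine.

    Encodes the bulletin: 5.01 is not affected; 5.5 and 6.0 are affected and
    are patched when Q324929 is listed; the 5.5 patch requires SP2, so a 5.5
    install without SP2 cannot take the patch yet. Whether SP2 shows up as an
    "SP2" token in Update Versions is an assumption of this example.
    """
    release = ie_release(version)
    tokens = parse_update_versions(update_versions)
    if release == "5.01":
        return "not affected"
    if release == "unknown":
        return "unknown version; check manually"
    if PATCH_ID in tokens:
        return "patched"
    if release == "5.5" and "SP2" not in tokens:
        return "missing patch; IE 5.5 SP2 prerequisite not present"
    return "missing patch"


def audit(records):
    """records: iterable of (hostname, version, update_versions) tuples."""
    return [(host, assess(ver, upd)) for host, ver, upd in records]


# Constructed sample inventory (not real machines).
SAMPLE_RECORDS = [
    ("ws-01", "6.0.2800.1106", ";SP1;Q324929;"),
    ("ws-02", "6.0.2600.0000", ""),
    ("ws-03", "5.50.4807.2300", ";SP2;Q324929;"),
    ("ws-04", "5.50.4522.1800", ""),
    ("ws-05", "5.00.3502.1000", ""),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_RECORDS):
        print("%-6s %s" % (host, status))
```

The "unknown version" branch is deliberate: a bulletin-specific check should refuse to classify a release it was not written for rather than silently report it as safe.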
Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
Support:
- Microsoft Knowledge Base article 324929 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (December 04, 2002): Bulletin Created.
- V2.0 (December 06, 2002): Revised severity rating and updated information on impact of vulnerability.