Microsoft Security Bulletin MS03-015

Technical description:

This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following four newly discovered vulnerabilities:

• A buffer overrun vulnerability in URLMON.DLL that occurs because Internet Explorer does not correctly check the parameters of information being received from a web server. It could be possible for an attacker to exploit this vulnerability to run arbitrary code on a user's system. A user simply visiting an attacker's website could allow the attacker to exploit the vulnerability without any other user action.
• A vulnerability in the Internet Explorer file upload control that allows input from a script to be passed to the upload control. This vulnerability could allow an attacker to supply a file name to the file upload control and automatically upload a file from the user's system to a web server.
• A flaw in the way Internet Explorer handles the rendering of third party files. The vulnerability results because the Internet Explorer method for rendering third party file types does not properly check parameters passed to it. An attacker could create a specially formed URL that would inject script during the rendering of a third party file format and cause the script to execute in the security context of the user.
• A flaw in the way modal dialogs are treated by Internet Explorer that occurs because an input parameter is not properly checked. This flaw could allow an attacker to use an injected script to provide access to files stored on a user's computer. Although a user who visited the attacker's website could allow the attacker to exploit the vulnerability without any other user action, an attacker would have no way to force the user to visit the website.

In addition to eliminating the above vulnerabilities, this patch also includes a fix for Internet Explorer 6.0 SP1 that corrects the method by which Internet Explorer displays help information in the local computer zone. While we are not aware of a method to exploit this vulnerability by itself, if it were possible to exploit it, it could allow an attacker to read local files on a visiting user's system.

This patch also sets the Kill Bit on the Plugin.ocx ActiveX control which has a security vulnerability. This killbit has been set in order to ensure that the vulnerable control cannot be reintroduced onto users' systems and to ensure that users who already have the vulnerable control on their system are protected. This issue is discussed further in Microsoft Knowledge Base Article 813489.

Like the previous Internet Explorer cumulative patch released with bulletin MS03-004, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after applying this patch.

Mitigating factors:

There are common mitigating factors across several of the vulnerabilities:

• The attacker would have to host a web site that contained a web page used to exploit the particular vulnerability.
• By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update has been installed. With the exception of the URLMON.DLL buffer overrun vulnerability, customers who use any of these products would be at no risk from an e-mail borne attack that attempted to automatically exploit these vulnerabilities. The attacker would have no way to force users to visit a malicious web site. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.

In addition to the common factors, there are a number of individual mitigating factors:

URLMON.DLL Buffer Overrun:

• Code that executed on the system would only run under the privileges of the locally logged in user.

File Upload Control vulnerability:

• The attacker would have to know the explicit path and name of the file to be uploaded in advance.

Third Party plug-in rendering:

• The third party plugin would have to be present on the user's system in order for it to be exploited

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier:

• URLMON.DLL Buffer Overrun: CAN-2003-0113
• File Upload Control vulnerability: CAN-2003-0114
• Third Party plug-in rendering: CAN-2003-0115
• Model Dialog script execution: CAN-2003-0116

Tested Versions:

Internet Explorer versions 5.01 Service Pack 3, Internet Explorer 5.5 SP2, Internet Explorer 6.0 and Internet Explorer 6.0 SP1 were tested for these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

More information is available from the Windows Operating System Components Lifecycles Web site

What vulnerabilities are eliminated by this patch?
This is a cumulative patch that incorporates the functionality of all previously released patches for Internet Explorer. In addition, the patch eliminates four newly reported vulnerabilities:

• One vulnerability that could allow an attacker to cause arbitrary code to run on the user's system.
• One vulnerability that could allow an attacker to cause script code to run on the user's system.
• Two vulnerabilities that could allow an attacker to cause script code to run on the user's system and whose impact would be limited to disclosure of information stored on the local computer including, potentially, personal information.

Does the patch include any other security changes?
Yes. The patch ensures that an ActiveX control, Plugin.ocx, cannot be used. The Plugin.ocx control implemented support for third party web browser plugins, which are no longer supported by Internet Explorer. The control has been found to contain a security vulnerability, and in order to protect customers who have this control installed, the patch prevents the control from running or from being reintroduced onto users' systems by setting the Kill Bit for this control. More details on this change are available in Microsoft Knowledge Base Article 240797 
The patch also refines a change made in Internet Explorer 6 Service Pack 1, which prevents web pages in the Internet Security zone from navigating to the local computer zone. This change was introduced to mitigate the effects of potential new cross domain vulnerabilities. The change introduced in this patch is a further enhancement of the Internet Explorer 6 Service Pack 1 restrictions.

Is there a way to prevent a possible attack via email?
Yes. By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update has been installed. With the exception of the URLMON.DLL buffer overrun vulnerability, Customers who use any of these products would be at no risk from an e-mail borne attack that attempted to exploit these vulnerabilities.

Why does this patch affect HTML Help Functionality?
Because this is a cumulative patch, it includes a fix from a previous patch for Internet Explorer that addressed a vulnerability by ensuring that the correct cross domain security checks take place whenever showHelp functionality is used. This fix caused the HTML Help functionality to fail unless a subsequent update was applied as described in Knowledge Base article 811630. In order to restore HTML Help functionality, users who apply this patch are encouraged to download and install the update to HTML Help after applying this cumulative patch if they have not already done so.

I installed the update from Knowledge Base article 811630. After installing this patch will HTML Help function properly?
Yes - If you previously installed the HTML Help update from Knowledge Base article 811630 when you applied the IE cumulative update from MS03-004, you do not need to reinstall the HTML Help update.

What is HTML Help shortcut functionality?
When a user browses help files, it is possible for HTML Help to create a shortcut when a user clicks a specific word, phrase, or graphic in a help topic. While this functionality is not a vulnerability in itself, when combined with this or other cross domain security vulnerabilities, this functionality could allow an attacker to run code of the attacker's choice on a user's system. HTML Help has been updated to reduce the risk from this attack vector and to provide defense in depth against this type of attack. To learn more about this functionality, please see:
http://msdn2.microsoft.com/en-us/library/ms524349.aspx.

If I only apply this patch, will I be protected from the HTML Help shortcut vulnerability?
Yes, you will be protected from the vulnerability affecting the use of showHelp in Internet Explorer. However, it's important to note this patch disables showHelp in order to block the attack vector that might allow a malicious web site operator to launch an executable file already on a user's local system. In order to restore the full functionality of showHelp, users must install the latest version of HTML Help that is discussed in Microsoft Knowledge Base article 811630.

Will HTML Help functionality change when I download the new version of HTML Help?
When the latest version of HTML Help is installed, the following limitations will be encountered when a help file is opened with the showHelp method:

• Only supported protocols can be used with showHelp to open a web page or help (chm) file.
• The shortcut function supported by HTML Help will be disabled when the help file is opened with showHelp This change will not affect the shortcut function if the user opens the same CHM file manually by double-clicking on it, or by invoking an application on the local system that uses the HTMLHELP( ) API.

Where is the updated HTML Help located?
Users can find the updated HTML Help on Windows Update or by following the link included in Microsoft Knowledge Base article 811630.

Does the patch for this vulnerability include the updated HTML Help?
No - Users should download and install the HTML Help update (811630) separately from from one of the locations discussed above.

Buffer Overrun in URLMON.DLL (CAN-2003-0113):

What's the scope of the first vulnerability?
This is a buffer overrun vulnerability. A successful attack that exploited this vulnerability could cause Internet Explorer to execute arbitrary code if a user were to visit a site under an attacker's control.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in URLMON.DLL

What is URLMON.DLL?
URLMON.DLL is the component of Internet Explorer responsible for handling the processing of URLs and information returned from web site communication.

What's wrong with the way URLMON.DLL handles information returned from a web site?
There is a flaw in the way Internet Explorer checks parameters when handling information returned from a remote web server. Internet Explorer does not conduct these checks properly on certain parameters returned from a web site, and it is therefore possible to cause a buffer overrun. The resulting buffer overrun could cause Internet Explorer to fail or could allow an attacker to run arbitrary code on a user's machine.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause Internet Explorer to fail in such a way that it would execute code of the attacker's choice. This would allow an attacker to take any action on a user's machine in the security context of the currently logged in user.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by hosting a specially constructed web page, or by sending a specially crafted HTML email to the user. If the user visited this web page, or previewed or viewed the HTML email, Internet Explorer could fail and could allow arbitrary code to execute.

What does the patch do?
The patch addresses the vulnerability by ensuring that the correct parameter checks are performed when information is returned from a web page.

File Upload Control vulnerability: (CAN-2003-0114):

What's the scope of this vulnerability?
This is an information disclosure vulnerability. A successful attack that exploited this vulnerabilty could allow an attacker access to files on a user's hard drive. An attacker who exploited this vulnerability could cause files from a user's hard drive to be uploaded to a remote computer.

How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by enticing a user to visit a web page and click on a specially crafted link that would launch the Internet Explorer file upload control. The control would then execute script that would populate the control's upload parameter with a file name. The control would then close and upload the file without any user interaction.
In order to successfully exploit this vulnerability, the attacker would have to know the exact location on the user's hard drive of the file as well as the file name. In addition only a file that was not currently in use could be uploaded - for example, e-mail files could not be uploaded if the user had his or her mail application open at the time of the attack.

What causes the vulnerability?
The vulnerability results because an unchecked parameter in the File Upload control for Internet Explorer allows input by the attacker to be passed to it without action by the user.

What is the Internet Explorer File Upload control?
The Internet Explorer File Upload control is the portion of Internet Explorer that provides the user interface to upload a file from a local computer to a website.

What's wrong with the way the File Upload control handles uploads?
There is a flaw in the way the File upload Control handles incoming requests to upload files. The Upload Control contains an unsafe function that allows automatic input to pre-populate the upload path information and automatically upload a file without any user intervention.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to upload a file from a user's hard drive to an attacker's website, provided the file was not in use by the user or the operating system, and provided the attacker knew the full path and file name. This could occur without providing any visible notice to the user.

How could an attacker exploit this vulnerability?
An attacker could create a webpage that would cause the file upload control to upload a specific file from the user's hard drive to a website when a user visited the page. The attacker would have to know the exact name of the file to be uploaded once the user had visited the site.

What does the patch do?
The patch addresses the vulnerability by ensuring that the File Upload Control does not allow input to be supplied by a website.

Third Party Plug-in Rendering: (CAN-2003-0115):

What's the scope of this vulnerability?
This vulnerability could allow a malicious web site to supply a visiting user with script that would run in the local computer zone on a user's computer. In order for this vulnerability to be exploited, the attacker would have to attempt to exploit a third party plugin that was installed on the visitng user's system. If the user had not installed third party plugins, or had removed all of them from the system, the vulnerability could not be exploited.

What causes the vulnerability?
The vulnerability results because Internet Explorer does not correctly parse a URL that invokes a third party plugin. When certain characters are included in a URL, the correct security checks can be evaded.

What are third party plug-ins?
Internet Explorer has the capability to render several different file types within the browser window. For instance, Internet Explorer has the ability to render Microsoft Word Document files within a browser windows without the user having to open the Word application itself. This capability is also available for third parties to provide plug-ins to Internet Explorer so that Internet Explorer will recognize file types and display them within a browser window.

Does Internet Explorer ship any third party plug-ins by default?
Yes, Internet Explorer installs support for Macromedia Flash files by default.

What's wrong with the way Internet Explorer handles third party plug-ins?
There is a flaw in the way Internet Explorer checks parameters when rendering third party file types in the browser window. Before the file type itself is actually rendered in the browser window, Internet Explorer performs a loading operation for the new window. This loading operation does not properly check the parameters of the URL used to reference the third party file type.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause Internet Explorer to run script in the local computer zone.

How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by hosting a website, constructing a specially formed page, and enticing a user to visit the website If the user visited this web page and clicked on a specially formed link referencing a third party file type, Internet Explorer could allow script to run in the local computer zone.

Are any third party file types vulnerable?
No - the flaw actually occurs in the method by which Internet Explorer renders the file types, not in any specific plug-in. However this vulnerability only affects plugins that use the EnableFullPage feature. Microsoft recommends that all Internet Explorer users install the patch to ensure that they are protected if any third party plugins are present on their systems or are installed in the future.

What does the patch do?
The patch addresses the vulnerability by ensuring that the correct checks are performed when a third party file type is rendered in the browser.

Modal Dialog Script Execution: (CAN-2003-0116):

What's the scope of this vulnerability?
This is an information disclosure vulnerability. This vulnerability could allow an attacker to read files on a visiting user's hard drive.

What causes the vulnerability?
The vulnerability results because of an unchecked parameter in the Cascading Style Sheet input parameter for Modal dialogs.

What is a modal dialog?
A Modal Dialog is a dialog presented by the user interface that asks the user to make a decision before carrying out any other actions, such as invoking an application or opening a document.

What's wrong with the way Internet Explorer handles modal dialogs?
There is a flaw in the way that Internet Explorer renders modal dialogs. A specific parameter used in the creation of the dialog could contain code that Internet Explorer could execute. Execution of this code could allow the remote server to read information from the user's hard drive.

How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by hosting a website, constructing a specially formed page, and enticing a user to visit the website. If the user then visited the page, it could execute a specific command to create a dialog, which could then automatically execute script that would access files on the local computer.

In order to successfully exploit this vulnerability however, the attacker would have to know the exact location on the user's hard drive of the file as well as the file name.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to read files from the user's hard drive.

What does the patch do?
The patch addresses the vulnerability by ensuring that the modal dialog parameter only accepts the specific input it needs, and rejects script supplied by a web site.

Download locations for this patch

http://www.microsoft.com/windows/ie/ie6/downloads/critical/813489/default.mspx