Microsoft Security Bulletin MS03-020
Cumulative Patch for Internet Explorer (818529)
Originally posted: June 4, 2003
Summary
Who should read this bulletin:
Customers using Microsoft® Internet Explorer
Impact of vulnerability:
Allow an attacker to execute code on a user's system
Maximum Severity Rating:
Critical
Recommendation:
System administrators should install the patch immediately
End User Bulletin:
An end user version of this bulletin is available at:
http://www.microsoft.com/athome/security/update/bulletins/default.mspx.
Affected Software:
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0 for Windows Server 2003
General Information
Technical details
Technical description:
This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates two newly discovered vulnerabilities:
- A buffer overrun vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a web server. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's website, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML email that attempted to exploit this vulnerability.
- A flaw that results because Internet Explorer does not implement an appropriate block on a file download dialog box. It could be possible for an attacker to exploit this vulnerability to run arbitrary code on a user's system. If a user simply visited an attacker's website, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML email that attempted to exploit this vulnerability.
In order to exploit these flaws, the attacker would have to create a specially formed HTML email and send it to the user. Alternatively an attacker would have to host a malicious web site that contained a web page designed to exploit these vulnerabilities. The attacker would then have to persuade a user to visit that site.
As with the previous Internet Explorer cumulative patches released with bulletins MS03-004 and MS03-015, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after applying this patch.
Mitigating factors: The following mitigating factors apply to both vulnerabilities discussed in this bulletin:
- By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks these attacks. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent these vulnerabilities from being exploited would be removed.
- In the Web based attack scenario, the attacker would have to host a web site that contained a web page used to exploit these vulnerabilities. An attacker would have no way to force users to visit a malicious web site outside of the HTML email vector. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.
- Code that executed on the system would only run under the privileges of the logged in user.
Severity Rating:
| Internet Explorer 5.01 SP3 | Internet Explorer 5.5 SP2 | Internet Explorer 6.0 Gold | Internet Explorer 6.0 SP1 | Internet Explorer 6.0 for Windows Server 2003 | |
|---|---|---|---|---|---|
| Object Tag Vulnerability | Critical | Critical | Critical | Critical | Moderate |
| File Download Dialog Vulnerability | Critical | Critical | Critical | Critical | Moderate |
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The moderate severity rating on Windows Server 2003 is based on Internet Explorer Enhanced Security Configuration.
Vulnerability identifier:
- Object Tag Vulnerability: CAN-2003-0344
- File Download Dialog Vulnerability: CAN-2003-0309
Tested Versions:
Internet Explorer versions 5.01 Service Pack 3, Internet Explorer 5.5 SP2, Internet Explorer 6.0, Internet Explorer 6.0 SP1, and Internet Explorer 6.0 for Windows Server 2003 were tested for these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities. More information is available from the Windows Operating System Components Lifecycles Web site
Frequently asked questions
What vulnerabilities are eliminated by this patch?
This is a cumulative patch that incorporates the functionality of all previously released patches for Internet Explorer. In addition, the patch eliminates two newly reported vulnerabilities that could allow an attacker to cause arbitrary code to run on the user's system.
CAN-2003-0344: Object Tag Vulnerability
What's the scope of the first vulnerability?
This is a buffer overrun vulnerability. If an attacker were to successfully exploit this vulnerability, then Internet Explorer could allow arbitrary code to execute in the context of the logged on user, should the user visit a site under the attacker's control.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer that can be encountered when Internet Explorer handles an Object tag in a web page.
What's wrong with the way Internet Explorer handles object tags?
There is a flaw in the way Internet Explorer determines an object type. Internet Explorer does not conduct a proper parameter check while determining an object's type, and it is therefore possible to cause a buffer overrun. The resulting buffer overrun could cause Internet Explorer to fail or could allow an attacker to run arbitrary code on a user's machine.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause Internet Explorer to fail in such a way that it would execute code of the attacker's choice. This would allow an attacker to take any action on a user's system in the security context of the currently logged in user.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by hosting a specially constructed web page. If the user visited this web page, Internet Explorer could fail and could allow arbitrary code to execute in the context of the user. Alternatively, an attacker could also craft an HTML email that attempted to exploit this vulnerability.
What does the patch do?
The patch addresses the vulnerabilities by ensuring that Internet Explorer performs proper checks when determining object types in a web page.
CAN-2003-0309: File Download Dialog Vulnerability
What's the scope of the second vulnerability?
This is a flooding vulnerability. This vulnerability results from Internet Explorer being flooded with a large number of requests at once. If an attacker were to successfully exploit this vulnerability then Internet Explorer could execute arbitrary code under the context of the logged on user.
What causes the vulnerability?
The vulnerability results because of a flaw in the way Internet Explorer handles multiple file download dialogs.
What's wrong with the way Internet Explorer handles multiple file download dialogs?
When a user clicks on a link to a file in Internet Explorer, a file download confirmation dialog is presented to the user to allow the user to save the file locally, open the file, or cancel the request. There is a flaw in Internet Explorer that can cause it to open the file when a web page opens multiple file download dialogs. Opening a downloaded file could allow an attacker to cause arbitrary code to run on a user's machine.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause Internet Explorer to fail in such a way that it would execute code of the attacker's choice. This would allow an attacker to take any action on a user's system in the security context of the currently logged in user.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by hosting a specially constructed web page. If the user visited this web page, Internet Explorer could fail and could allow arbitrary code to execute in the context of the user. An attacker could also craft an HTML email that attempted to exploit this vulnerability.
What does the patch do?
The patch addresses the vulnerability by ensuring that Internet Explorer properly handles multiple file download dialogs.
I am running Internet Explorer on Windows Server 2003. Does this mitigate these vulnerabilities?
Yes. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode known as Enhanced Security Configuration. Internet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or administrator downloading and running malicious Web content on a server. Internet Explorer Enhanced Security Configuration reduces this risk by modifying numerous security-related settings, including Security and Advanced tab settings in Internet Options. Some of the key modifications include:
- Security level for the Internet zone is set to High. This setting disables scripts, ActiveX controls, Microsoft virtual machine (Microsoft VM), HTML content, and file downloads.
- Automatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.
- Install on Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.
- Multimedia content is disabled. This setting prevents music, animations, and video clips from running.
Disabling Internet Explorer Enhanced Security Configuration would remove the protections put in place that prevent these vulnerabilities from being exploited. For more information regarding Internet Explorer Enhanced security Configuration, please consult the Managing Internet Explorer Enhanced Security Configuration guide, which can be found at the following location:
Is there any configuration of Windows Server 2003 that is likely to have Internet Explorer Enhanced Security Configuration Disabled?
Yes. Systems Administrators who have deployed Windows Server 2003 as a Terminal Servers would likely disable Internet Explorer Enhanced Security Configuration to allow users of the Terminal Server to utilize Internet Explorer in an unrestricted mode.
Why does this patch affect HTML Help Functionality?
Because this is a cumulative patch, it includes a fix from a previous patch for Internet Explorer that addressed a vulnerability by ensuring that the correct cross domain security checks take place whenever showHelp() functionality is used. This fix caused the HTML Help functionality to fail unless a subsequent update was applied as described in Knowledge Base article 811630. In order to restore HTML Help functionality, users who apply this patch are encouraged to download and install the update to HTML Help after applying this cumulative patch if they have not already done so.
I installed the update from Knowledge Base article 811630. After installing this patch will HTML Help function properly?
Yes - If you previously installed the HTML Help patch from Knowledge Base article 811630 when you applied the IE cumulative update from MS03-004 or MS03-015 (which supercedes MS03-004), you do not need to reinstall the HTML Help update.
What is HTML Help shortcut functionality?
When a user browses help files, it is possible for HTML Help to create a shortcut when a user clicks a specific word, phrase, or graphic in a help topic. While this functionality is not a vulnerability in itself, when combined with cross domain security vulnerabilities such as those addressed by Microsoft Security Bulletin MS03-004, this functionality could allow an attacker to run code of the attacker's choice on a user's system. HTML Help has been updated to reduce the risk from this attack vector and to provide defense in depth against this type of attack. To learn more about this functionality, please see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconshortcutov.asp.
If I only apply this patch, will I be protected from the HTML Help shortcut vulnerability?
Yes, you will be protected from the vulnerability affecting the use of showHelp in Internet Explorer. However, it's important to note this patch disables showHelp in order to block the attack vector that might allow a malicious web site operator to launch an executable file already on a user's local system. In order to restore the full functionality of showHelp, users must install the latest version of HTML Help that is discussed in Microsoft Knowledge Base article 811630.
Will HTML Help functionality change when I download the new version of HTML Help?
When the latest version of HTML Help is installed, the following limitations will be encountered when a help file is opened with the showHelp method:
- Only supported protocols can be used with showHelp to open a web page or help (chm) file.
- The shortcut function supported by HTML Help will be disabled when the help file is opened with showHelp This change will not affect the shortcut function if the user opens the same CHM file manually by double-clicking on it, or by invoking an application on the local system that uses the HTMLHELP( ) API.
Where is the updated HTML Help located?
Users can find the updated HTML Help on Windows Update or by following the link included in Microsoft Knowledge Base article 811630.
Does the patch for this vulnerability include the updated HTML Help?
No - Users should download and install the HTML Help update (811630) separately from one of the locations discussed above.
Patch availability
Download locations for this patch
- All version except Microsoft Internet Explorer 6.0 for Windows Server 2003
- Microsoft Internet Explorer 6.0 for Windows Server 2003
Additional information about this patch
Installation platforms:
- IE5.01 running on Windows 2000 systems with Service Pack 3 installed.
- The IE 5.5 patch can be installed on systems running Service Pack 2.
- The IE 6.0 patch can be installed on systems running IE 6.0 Gold or Service Pack 1.
Inclusion in future service packs:
The fix for these issues will be included in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1
Reboot needed: Yes
Patch can be uninstalled: Yes
Superseded patches: This patch supersedes the one provided in Microsoft Security Bulletin MS03-015, which is itself a cumulative patch.
Verifying patch installation:
- To verify that the patch has been installed on the machine, open Internet Explorer, select Help, then select About Internet Explorer and confirm that Q818529 is listed in the Update Versions field.
Note that you can not use this method on Windows Server 2003 or Windows XP 64-Bit Edition Version 2003, as the Update Versions field is not updated by the package for these operating systems.
- To verify the individual files, use the patch manifest provided in Knowledge Base article 818529.
Caveats:
If you have not installed the updated HTML Help control from Knowledge Base article 811630, you will not be able to use some HTML Help functionality after applying this update. In order to restore that functionality, users need to download the updated HTML Help control (811630). Users should also note that when the latest version of HTML Help is installed, the following limitations will occur when a help file is opened with the showHelp method:
- Only supported protocols can be used with showHelp to open a web page or help (chm) file.
- The shortcut function supported by HTML Help will be disabled when the help file is opened with showHelp This will not affect the shortcut functionality if the same CHM file is opened by the user manually by double-clicking on the help file, or by through an application on the local system using the HTMLHELP( ) API.
Localization:
Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site
Other information:
Acknowledgments
Microsoft thanks eEye Digital Security for reporting this issue to us and working with us to protect customers.
Support:
- Microsoft Knowledge Base article 818529 discusses this issue. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Scanning for Updates:
As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA).
MBSA version 1.1.1 adds support for Windows Server 2003 and will be available approximately 24 hours after the release of this bulletin at the following location:
http://www.microsoft.com/technet/security/tools/MBSAhome.mspx
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (June 4, 2003): Bulletin published.
- V1.1 (June 4, 2003): Refreshed download links.