Microsoft Security Bulletin MS01-055 - Critical

13 November 2001 Cumulative Patch for IE

Published: November 08, 2001 | Updated: June 13, 2003

Version: 2.3

Summary

Who should read this bulletin:
Customers using Microsoft® Internet Explorer

Impact of vulnerability:
Exposure and altering of data in cookies.

Maximum Severity Rating:
Critical

Recommendation:
Customers running Internet Explorer 5.5 or 6.0 should apply the patch.

Affected Software:

  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 6.0

General Information

Technical details

Technical description:

On November 08, 2001, Microsoft released the original version of this bulletin. In it, we detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability. On November 13, 2001, we released a patch that, when applied, eliminates all known vulnerabilities affecting IE 5.5 and IE 6. We therefore expanded the scope of the bulletin to discuss all of the vulnerabilities the patch addresses. Customers who disabled Active Scripting per the original version of this bulletin can re-enable it after installing this patch.

In addition to eliminating all previously discussed vulnerabilities affecting IE 5.5 Service Pack 2 and IE 6, the patch also eliminates three newly discovered ones:

  • The first two involve how IE handles cookies across domains. Although the underlying flaws are completely unrelated, the scope is exactly the same - in each case, a malicious user could potentially craft a URL that would allow them to gain unauthorized access to a user's cookies and potentially modify the values contained in them. Because some web sites store sensitive information in a user's cookies, this could allow personal information to be compromised. Both vulnerabilities could be exploited either by hosting specially crafted URLs on a web page or by sending them to the victim in an HTML email.
  • The third vulnerability is a new variant of a vulnerability discussed in Microsoft Security Bulletin MS01-051 affecting how IE handles URLs that include dotless IP addresses. If a web site were specified using a dotless IP format (e.g., https://031713501415 rather than https://207.46.131.13), and the request were malformed in a particular way, IE would not recognize that the site was an Internet site. Instead, it would treat the site as an intranet site, and open pages on the site in the Intranet Zone rather than the correct zone. This would allow the site to run with fewer security restrictions than appropriate. This vulnerability does not affect IE 6.
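The dotless address in the bullet above is the same site as the dotted one: 031713501415 is 207.46.131.13 written as a single octal number. The following added example (not part of the bulletin) decodes the octal, decimal and hex spellings of a host to the dotted form and applies a simplified zone rule to that canonical form, the point being that a proxy, URL filter or zone check must canonicalise the host before deciding whether a site is local or on the Internet. The zone rule is an assumption for illustration, not IE's actual algorithm, and the malformed request that triggers IE's flaw is not described by the bulletin and is not reproduced here.

```python
import ipaddress
import re

def decode_dotless_host(host):
    """Return the dotted IPv4 form of a host written as one bare number
    (decimal, leading-0 octal, or 0x hex), or None if it is not such a host."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", host):
        value = int(host[2:], 16)          # e.g. 0xCF2E830D
    elif re.fullmatch(r"0[0-7]+", host):
        value = int(host[1:], 8)           # e.g. 031713501415 (the bulletin's form)
    elif re.fullmatch(r"[1-9][0-9]*", host):
        value = int(host, 10)              # e.g. 3475931917
    else:
        return None
    if value > 0xFFFFFFFF:                 # does not fit in 32 bits: not an IPv4 host
        return None
    return str(ipaddress.IPv4Address(value))

def canonical_host(host):
    """Collapse every spelling of a site to one form before any zone or
    allow-list decision is made on it."""
    return decode_dotless_host(host) or host.lower()

def zone_for(host):
    """Simplified zone assignment (an assumption for illustration, not IE's
    actual algorithm): canonicalise first, then treat private and loopback
    addresses and dotless names as 'Intranet' and everything else as 'Internet'."""
    canon = canonical_host(host)
    try:
        addr = ipaddress.IPv4Address(canon)
    except ipaddress.AddressValueError:
        return "Intranet" if "." not in canon else "Internet"
    return "Intranet" if addr.is_private or addr.is_loopback else "Internet"

if __name__ == "__main__":
    for h in ("031713501415", "207.46.131.13", "0xCF2E830D", "10.0.0.5", "intranet"):
        print(f"{h:>16} -> {canonical_host(h):>15} ({zone_for(h)})")
```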

Mitigating factors:

Cookie Handling Vulnerabilities:

  • To exploit either vulnerability, the attacker would need to entice the user into visiting a particular web site or opening an HTML e-mail containing the malformed URL.
  • The Outlook Email Security Update (which is included as part of Outlook 2002 in Office XP) would protect the user against the mail-borne attack scenario.
  • Users who have set Outlook Express to use the "Restricted Sites" Zone are not affected by the mail-borne attack scenario, because the "Restricted Sites" zone sets Active Scripting to disabled. Note that this is the default setting for Outlook Express 6.0. Users of Outlook Express 6.0 should verify that Active Scripting is still disabled in the Restricted Sites Zone.

Zone Spoofing Vulnerability:

  • The default settings in the Intranet Zone differ in only a few ways from those of the Internet Zone. The differences are enumerated in the FAQ in MS01-051, but none would allow destructive action to be taken.

Severity Rating:

Cookie handling vulnerabilities:

                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   Moderate           Moderate           Critical
Internet Explorer 6.0   Moderate           Moderate           Critical

Zone Spoofing Vulnerability variant:

                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   Moderate           Moderate           Moderate

Aggregate severity of all vulnerabilities eliminated by patch:

                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   Moderate           Moderate           Critical
Internet Explorer 6.0   Moderate           Moderate           Critical

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. In the case of the cookie handling vulnerabilities, the attack scenarios either could be prevented or would require user action in order to succeed; however, they are rated critical because of the potential disclosure of personal information. In the case of the Zone Spoofing vulnerability, even a successful attack would not allow any significant change in privileges under default conditions.

Vulnerability identifiers:

First Cookie Handling Vulnerability: CAN-2001-0722

Second Cookie Handling Vulnerability: CAN-2001-0723

Zone Spoofing Vulnerability variant: CAN-2001-0724

Tested Versions:

The following table indicates which of the currently supported versions of Internet Explorer are affected by the vulnerabilities. Versions of IE prior to 5.01 Service Pack 2 are no longer eligible for hotfix support. IE 5.01 SP2 is supported only via Windows® 2000 Service Packs and Security Roll-up Packages.

                                       IE 5.01 SP2   IE 5.5 SP1   IE 5.5 SP2   IE 6.0
First Cookie Handling Vulnerability    Yes           Yes          Yes          Yes
Second Cookie Handling Vulnerability   No            Yes          Yes          Yes
Zone Spoofing Vulnerability            Yes           Yes          Yes          No

Frequently asked questions

Why is Microsoft re-releasing this bulletin?
The original version of the bulletin advised customers of a workaround procedure that could be used while a patch was under development. We have now completed the patch, and have updated this bulletin to advise customers of its availability as well as to discuss other vulnerabilities that it eliminates.

What vulnerabilities are eliminated by this patch?
This patch, when installed, eliminates all known security vulnerabilities affecting Internet Explorer 5.5 and 6.0. In addition to eliminating all previously discussed vulnerabilities affecting these versions, it also eliminates three new ones.

  • Two vulnerabilities involving the handling of cookies.
  • A newly discovered variant of the Zone Spoofing vulnerability discussed in Security Bulletin MS01-051.

What's the scope of the first two vulnerabilities?
The first two vulnerabilities have essentially the same scope, even though they are two separate flaws. A malicious web site with a malformed URL could read the contents of a user's cookies, which might contain personal information. In addition, it is possible to alter the contents of the cookie. In order to exploit the vulnerability, an attacker would either need to entice the user into visiting a particular web page, or send an HTML mail to the user. However, the latter attack would be blocked if the user had installed the Outlook Email Security Update, or was running Outlook 2002, which includes the Update by default.

What causes these vulnerabilities?
These vulnerabilities result from a flaw in the way IE identifies the web page the user is visiting when determining which cookies the site should be able to access.

What are cookies?
A cookie is a small data file that's stored on a user's system by a web site, and which contains information that allows the site to customize its behavior for the user. For instance, a web site that sells shoes might use a cookie to record the fact that when you visit the site, you always buy athletic shoes. This would allow the site to take you directly to the athletic shoe section when you visit it.

What prevents one web site from accessing another site's cookies?
Each cookie on your system indicates what site created it and, by design, IE will only allow that site to access the cookie. The two security vulnerabilities here result because under certain conditions it's possible for a web site to bypass this protection and access cookies that were created by other sites.

What kind of information could someone gain if they accessed the cookies on my system?
It would depend on what information has been stored in the cookies. Most sites don't store personal data within cookies. For instance, in the example above, the web site might have a database that contains information about customers' shoe preferences, and it might only store data in the cookie that tells it which database entry to look up. In such a case, it wouldn't matter whether an attacker could access the cookie, because it wouldn't reveal any information. On the other hand, if a site did store personal information in the cookie - for instance, in the example above, if the site stored your shoe preference directly in the cookie - an attacker who accessed it could potentially compromise personal information.

How could an attacker carry out an attack using either of these vulnerabilities?
An attacker could attempt to exploit this vulnerability by hosting a page with a maliciously crafted URL, or by sending the victim an HTML email with a similarly crafted URL.

In the case where the attacker hosted a web page, would he have any way to compel me to visit the site?
The attacker could not force you to visit his site. Instead, he would need to entice you into performing some action that would cause you to visit the site. There are, however, a variety of actions that could be used to do this, from visiting a web site that would redirect you to the attacker's, to opening an HTML e-mail that referenced the attacker's site.

In the case where the attacker sent me an HTML e-mail, would simply opening the mail allow me to be attacked?
Yes. It is possible for an attacker to craft an HTML email in such a way that it would exploit either of these vulnerabilities on opening the mail. However, it's worth noting that the Outlook Email Security Update, if installed, would prevent this attack from succeeding. (The Update is included as part of Outlook 2002).

I've heard that IE 5.01 is not affected by the original cookie handling vulnerability, is that true?
While IE 5.01 is outside of hotfix support, it has been tested and found to be unaffected by this vulnerability in all versions (gold, SP1, and SP2).

When the original version of the bulletin was released, I disabled Active Scripting. Can I turn it back on now?
Yes. Here's how:

  • On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
  • In the Settings box, scroll down to the Scripting section, and click Enable under "Active scripting" and "Scripting of Java applets".
  • Click OK, and then click OK again.

I am a network administrator. How can I re-enable active scripting in my enterprise?
To re-enable Active Scripting on a network-wide scale, you'll need to make a registry change on the client machines. There are two ways to do this: by creating an auto-config INS file using Profile Manager and then applying it, or via SMS or a logon script. You'll need to change the settings in two registry keys:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

There are five different sub keys under each "Zones" key, each controlling a different security zone. The key names are 0-4.

  • 0 = Your computer
  • 1 = Local Intranet
  • 2 = Trusted Sites
  • 3 = Internet
  • 4 = Restricted Sites

Under each zone number key, there is a DWORD value that governs Active Scripting within that zone. The name of this value is "1400". Setting it to "0" enables Active Scripting; setting it to "3" disables it. HKCU setting changes take effect immediately. However, the HKLM settings would most likely require a reboot.
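As an added example (not part of the bulletin), the following Python parses a `regedit /e` export of the Zones keys, reports the 1400 value per zone, and generates a .reg file (suitable for `regedit /s` from a logon script) that re-enables Active Scripting in the Local Intranet and Internet zones only, leaving Restricted Sites disabled as the mitigating factors above recommend. The export text is constructed; the hive and zone names follow the lists above.

```python
import re

ZONES_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of a `regedit /e` export of the HKCU Zones key as it would
# look after the November 08 workaround (1400 = 3, Active Scripting disabled).
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1]
"1400"=dword:00000003

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"1400"=dword:00000003

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4]
"1400"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\" + re.escape(ZONES_PATH) + r"\\([0-4])\]$")
VAL_RE = re.compile(r'^"1400"=dword:([0-9A-Fa-f]{8})$')

def active_scripting_state(export_text):
    """Map (hive, zone number) -> value of the 1400 DWORD found in a .reg export."""
    state, current = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1), int(key.group(2)))
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            state[current] = int(val.group(1), 16)
    return state

def reenable_reg(state, zones=(1, 3)):
    """Build the .reg text that sets 1400 back to 0 in the listed zones only;
    Restricted Sites (zone 4) is deliberately left at its disabled value."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for (hive, zone), value in sorted(state.items()):
        if zone in zones and value != 0:
            lines += [f"[{hive}\\{ZONES_PATH}\\{zone}]", '"1400"=dword:00000000', ""]
    return "\n".join(lines)

if __name__ == "__main__":
    for (hive, zone), value in sorted(active_scripting_state(SAMPLE_EXPORT).items()):
        print(f"{hive} zone {zone} ({ZONE_NAMES[zone]}): 1400 = {value}")
    print(reenable_reg(active_scripting_state(SAMPLE_EXPORT)))
```

The same functions work on an export of the HKLM Zones key; remember that HKLM changes applied this way generally need a reboot, as noted above.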

What does the patch do?
The patch eliminates the vulnerabilities by implementing proper domain checking when handling cookies.

What's the scope of the third vulnerability?
The third vulnerability is a new variant of the "Zone Spoofing" vulnerability discussed in Microsoft Security Bulletin MS01-051. It could allow a web site to take actions that it should not be able to take on visiting users' systems. Specifically, it could allow the web site to trick IE into treating it as though it was located on the user's intranet, thereby gaining the ability to use less-restrictive security settings than are appropriate. A user could be affected by this vulnerability either by surfing to an attacker's web site or opening an HTML mail from an attacker. If the security settings were left in their defaults, the additional privileges the web site would gain still wouldn't allow it to take any destructive action. The greater danger from this vulnerability would arise in the case where the user had given intranet sites additional latitude.

Are there any differences between this vulnerability and the one discussed in MS01-051?
The new variant is exactly the same as the original one, except for the specific way in which it could be exploited.

Patch availability

Download locations for this patch

  • Microsoft Internet Explorer 5.5 and 6.0:
    https:

Additional information about this patch

Installation platforms:

  • The IE 5.5 patch can be installed on IE 5.5 Service Pack 2.
  • The IE 6 patch can be installed on IE 6 Gold.

Inclusion in future service packs:

The fix for these issues will be included in IE 5.5 Service Pack 3 and IE 6 Service Pack 1.

Reboot needed: Yes

Superseded patches: MS01-051.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, open IE, select Help, then select About Internet Explorer and confirm that Q312461 is listed in the Update Versions field.
  • To verify the individual files, use the patch manifest provided in Knowledge Base article Q312461.

Caveats:

None

Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Marc Slemko for reporting one of the cookie handling issues to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q312461 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (November 08, 2001): Bulletin Created.
  • V2.0 (November 13, 2001): Bulletin updated with patch information and to discuss the inclusion of fixes for additional cookie handling vulnerability and a variant of the zone spoofing issue.
  • V2.1 (November 21, 2001): Bulletin updated with revised severity rating to reflect potential disclosure of personal information by the cookie handling vulnerabilities.
  • V2.2 (February 08, 2002): Updated with table containing vulnerability information for IE 5.01 SP2 on Windows 2000, IE 5.5 SP1, IE 5.5 SP2, and IE 6.0.
  • V2.3 (June 13, 2003): Updated download links to Windows Update.
