Free Republic

FREEPER CREDIT CARD SAFETY & MS IE6
Microsoft ^ | 13 November 2001 | Microsoft

Posted on 11/16/2001 1:21:36 PM PST by -No Way-

FREEPER CREDIT CARD SAFETY

READ THE FOLLOWING ARTICLE!!! (MS Internet Explorer 6.0)

This is the patch link:

http://www.microsoft.com/windows/ie/downloads/critical/q312461/

Microsoft Security Bulletin MS01-055


13 November 2001 Cumulative Patch for IE

Originally posted: November 08, 2001
Updated: November 13, 2001

Summary

Who should read this bulletin: Customers using Microsoft® Internet Explorer

Impact of vulnerability: Exposure and altering of data in cookies.

Maximum Severity Rating: Moderate

Recommendation: Customers running Internet Explorer 5.5 or 6.0 should apply the patch.

Affected Software:

Technical details

Technical description:

On November 08, 2001, Microsoft released the original version of this bulletin. In it, we detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability. On November 13, 2001, we released a patch that, when applied, eliminates all known vulnerabilities affecting IE 5.5 and IE 6. We therefore expanded the scope of the bulletin to discuss all of the vulnerabilities the patch addresses. Customers who disabled Active Scripting per the original version of this bulletin can re-enable it after installing this patch.

In addition to eliminating all previously discussed vulnerabilities affecting IE 5.5 Service Pack 2 and IE 6, the patch also eliminates three newly discovered ones:

Mitigating factors:
Cookie Handling Vulnerabilities:

Zone Spoofing Vulnerability:

Severity Rating:
Cookie handling vulnerabilities:

                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   Moderate           Moderate           Moderate
Internet Explorer 6.0   Moderate           Moderate           Moderate

Zone Spoofing Vulnerability variant:
                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   Moderate           Moderate           Moderate

Aggregate severity of all vulnerabilities eliminated by patch:
                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   Moderate           Moderate           Moderate
Internet Explorer 6.0   Moderate           Moderate           Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. In the case of the cookie handling vulnerabilities, the attack scenarios either could be prevented or would require user action in order to succeed. In the case of the Zone Spoofing vulnerability, even a successful attack would not allow any significant change in privileges under default conditions.

Vulnerability identifiers:
First Cookie Handling Vulnerability: CAN-2001-0722

Second Cookie Handling Vulnerability: CAN-2001-0723

Zone Spoofing Vulnerability variant: CAN-2001-0724

Tested Versions:
Microsoft tested Internet Explorer 5.5 and 6.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

Why is Microsoft re-releasing this bulletin?

The original version of the bulletin advised customers of a workaround procedure that could be used while a patch was under development. We have now completed the patch, and have updated this bulletin to advise customers of its availability as well as to discuss other vulnerabilities that it eliminates.

What vulnerabilities are eliminated by this patch?

This patch, when installed, eliminates all known security vulnerabilities affecting Internet Explorer 5.5 and 6.0. In addition to eliminating all previously discussed vulnerabilities affecting these versions, it also eliminates three new ones.

What’s the scope of the first two vulnerabilities?

The first two vulnerabilities have exactly the same scope. A malicious web site with a malformed URL could read or potentially alter the contents of a user’s cookies, which might contain personal information. In addition, it is possible to alter the contents of the cookie.

In order to exploit the vulnerability, an attacker would either need to entice the user into visiting a particular web page, or send an HTML mail to the user. However, the latter attack would be blocked if the user had installed the Outlook Email Security Update, or was running Word 2002, which includes the Update by default.

What causes these vulnerabilities?

The vulnerability results because of a flaw in the way IE identifies the web page the user is visiting, when determining which cookies the site should be able to access.

What are cookies?

A cookie is a small data file that’s stored on a user’s system by a web site, and which contains information that allows the site to customize its behavior for the user. For instance, a web site that sells shoes might use a cookie to record the fact that when you visit the site, you always buy athletic shoes. This would allow the site to take you directly to the athletic shoe section when you visit it.

What prevents one web site from accessing another site’s cookies?

Each cookie on your system indicates what site created it and, by design, IE will only allow that site to access the cookie. The two security vulnerabilities here result because under certain conditions it’s possible for a web site to bypass this protection and access cookies that were created by other sites.

What kind of information could someone gain if they accessed the cookies on my system?

It would depend on what information has been stored in the cookies. Most sites don’t store personal data within cookies. For instance, in the example above, the web site might have a database that contains information about customers’ shoe preferences, and it might only store data in the cookie that tells it which database entry to look up. In such a case, it wouldn’t matter whether an attacker could access the cookie, because it wouldn’t reveal any information.

On the other hand, if a site did store personal information in the cookie – for instance, in the example above, if the site stored your shoe preference directly in the cookie – an attacker who accessed it could potentially compromise personal information.

How could an attacker carry out an attack using either of these vulnerabilities?

An attacker could attempt to exploit this vulnerability by hosting a page with a maliciously crafted URL, or by sending the victim an HTML email with a similarly crafted URL.

In the case where the attacker hosted a web page, would he have any way to compel me to visit the site?

The attacker could not force you to visit his site. Instead, he would need to entice you into performing some action that would cause you to visit the site. There are, however, a variety of actions that could be used to do this, from visiting a web site that would redirect you to the attacker’s, to opening an HTML e-mail that referenced the attacker’s site.

In the case where the attacker sent me an HTML e-mail, would simply opening the mail allow me to be attacked?

Yes. It is possible for an attacker to craft an HTML email in such a way that it would exploit either of these vulnerabilities on opening the mail. However, it’s worth noting that the Outlook Email Security Update, if installed, would prevent this attack from succeeding. (The Update is included as part of Outlook 2002).

I've heard that IE 5.01 is not affected by this vulnerability, is that true?

While IE 5.01 is outside of hotfix support, it has been tested and found to be unaffected by this vulnerability in all versions (gold, SP1, and SP2).

When the original version of the bulletin was released, I disabled Active Scripting. Can I turn it back on now?

Yes. Here’s how:

I am a network administrator. How can I re-enable active scripting in my enterprise?

To re-enable Active Scripting on a network-wide scale, you’ll need to make a registry change on the client machines. There are two ways to do this: by creating an auto-config INS file using Profile Manager and then applying it, or via SMS or a logon script.

You’ll need to change the settings in two registry keys:

There are five different sub keys under each "Zones" key, each controlling a different security zone. The key names are 0-4. Under each zone number key, there is a DWORD value that governs Active Scripting within that zone. The name of this key is “1400”. Setting the value of this key to “0” enables Active Scripting; setting it to “3” disables it.

HKCU setting changes take effect immediately. However the HKLM settings would most likely require a reboot.

What does the patch do?

The patch eliminates the vulnerabilities by implementing proper domain checking when handling cookies.

What’s the scope of the third vulnerability?

The third vulnerability is a new variant of the "Zone Spoofing" discussed in Microsoft Security Bulletin MS01-051. It could allow a web site to take actions that it should not be able to take on visiting users’ systems. Specifically, it could allow the web site to trick IE into treating it as though it was located on the user’s intranet, thereby gaining the ability to use less-restrictive security settings than are appropriate. A user could be affected by this vulnerability either by surfing to an attacker’s web site or opening an HTML mail from an attacker.

If the security settings were left in their defaults, the additional privileges the web site would gain still wouldn’t allow it to take any destructive action. The greater danger from this vulnerability would arise in the case where the user had given intranet sites additional latitude.

Are there any differences between this vulnerability and the one discussed in MS01-051?

The new variant is exactly the same as the original one, except for the specific way in which it could be exploited.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

Inclusion in future service packs:
The fix for these issues will be included in IE 5.5 Service Pack 3, and IE 6 Service Pack 1.

Reboot needed: Yes

Superseded patches: MS01-051.

Verifying patch installation:

Caveats:
None

Localization:
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:
Patches for other security issues are available from the following locations:

Other information:

Acknowledgments

Microsoft thanks Marc Slemko for reporting one of the cookie handling issues to us and working with us to protect customers.

Support:

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

TOPICS: News/Current Events
KEYWORDS:
The reason I'm sending this out is I haven't seen it on the normal Windows Update. Hope I'm not overdoing it.....
1 posted on 11/16/2001 1:21:36 PM PST by -No Way-
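
The per-site cookie scoping and "proper domain checking" described in the bulletin's FAQ, as an added example that is not part of the original post and is not Microsoft's code: the site is taken from the parsed URL only, then domain-matched in the style of RFC 6265. The cookie jar, function names and URLs are constructed assumptions.

```javascript
// Added illustration of host-scoped cookie lookup; not IE's implementation.
// Constructed cookie store: each entry records the domain that set it.
const JAR = [
  { domain: "shop.example", hostOnly: true,  name: "cust", value: "db-row-1841" },
  { domain: "example.org",  hostOnly: false, name: "lang", value: "en" },
];

// Canonical host of a URL, or null when it does not parse or is not http(s).
// Only the parsed hostname is trusted, never a search over the raw string.
function requestHost(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.hostname.toLowerCase().replace(/\.$/, "");
}

// Domain match: identical host, or (for cookies that are not host-only)
// a suffix match that starts on a label boundary.
function domainMatches(host, cookie) {
  if (host === cookie.domain) return true;
  if (cookie.hostOnly) return false;
  return host.endsWith("." + cookie.domain);
}

// Names of the cookies a page at rawUrl is allowed to read.
function cookiesFor(rawUrl, jar = JAR) {
  const host = requestHost(rawUrl);
  if (host === null) return [];
  return jar.filter((c) => domainMatches(host, c)).map((c) => c.name);
}

// Constructed URLs: the owning sites first, then URLs that merely mention them.
const SAMPLES = [
  "http://shop.example/cart",
  "http://www.example.org/",
  "http://other.example/?next=http://shop.example/",
  "http://shop.example@other.example/",
  "http://notexample.org/",
  "shop.example/cart",
];
for (const s of SAMPLES) console.log(s, "->", cookiesFor(s));
```
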

To: -No Way-
Thanks. These things don't make it to Windows Update usually for a week or two, and this one was posted quite recently. I didn't have this one installed yet, but have just done so via your link.

A useful place to check your computer for updates, including software updates and security updates, can be found at CNET CatchUp, a freebie program that will go through your computer files and advise you of available updates. As always, you should be cautious and know what you are doing, especially when it comes to driver updates. But I have recently found that they seem to post security updates and some software updates before they make it to the Windows Update site.

2 posted on 11/16/2001 1:21:42 PM PST by Cicero

To: -No Way-
Want to pass my thanks also! Use the net to order equip for our business all the time.
3 posted on 11/16/2001 1:21:42 PM PST by thorshammer

To: -No Way-
If you are concerned about a credit card.........Call the company and ask them to issue you a NEW number. They'll do it just to make you happy (keep you as a customer) and cancel the other one.
4 posted on 11/16/2001 1:21:48 PM PST by B4Ranch
