Posted on 11/16/2001 1:21:36 PM PST by -No Way-
FREEPER CREDIT CARD SAFETY
READ THE FOLLOWING ARTICLE!!! (MS Internet Explorer 6.0)
This is the patch link:
http://www.microsoft.com/windows/ie/downloads/critical/q312461/
Microsoft Security Bulletin MS01-055
Originally posted: November 08, 2001
Updated: November 13, 2001
Who should read this bulletin: Customers using Microsoft® Internet Explorer
Impact of vulnerability: Exposure and altering of data in cookies.
Maximum Severity Rating: Moderate
Recommendation: Customers running Internet Explorer 5.5 or 6.0 should apply the patch.
Affected Software:
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 6.0
Technical details
Technical description:
On November 08, 2001, Microsoft released the original version of this bulletin. In it, we detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability. On November 13, 2001, we released a patch that, when applied, eliminates all known vulnerabilities affecting IE 5.5 and IE 6. We therefore expanded the scope of the bulletin to discuss all of the vulnerabilities the patch addresses. Customers who disabled Active Scripting per the original version of this bulletin can re-enable it after installing this patch.
In addition to eliminating all previously discussed vulnerabilities affecting IE 5.5 Service Pack 2 and IE 6, the patch also eliminates three newly discovered ones:
- The first two involve how IE handles cookies across domains. Although the underlying flaws are completely unrelated, the scope is exactly the same in each case: a malicious user could potentially craft a URL that would allow them to gain unauthorized access to a user's cookies and potentially modify the values contained in them. Because some web sites store sensitive information in a user's cookies, this could allow personal information to be compromised. Both vulnerabilities could be exploited either by hosting specially crafted URLs on a web page or by sending them to the victim in an HTML email.
- The third vulnerability is a new variant of a vulnerability discussed in Microsoft Security Bulletin MS01-051 affecting how IE handles URLs that include dotless IP addresses. If a web site were specified using a dotless IP format (e.g., http://031713501415 rather than http://207.46.131.13), and the request were malformed in a particular way, IE would not recognize that the site was an Internet site. Instead, it would treat the site as an intranet site, and open pages on the site in the Intranet Zone rather than the correct zone. This would allow the site to run with fewer security restrictions than appropriate. This vulnerability does not affect IE 6.
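The dotless-address confusion described above comes down to classifying a site before its host name has been canonicalized. The following added example (not code from the bulletin or from Microsoft) shows the canonicalization step a zone check needs: it converts octal, decimal and hex spellings of an IPv4 address to dotted-quad form and only then decides the zone. It goes beyond the page's octal case to decimal and hex spellings; the `classify_zone` rule (private ranges and single-label names count as intranet) is an assumed simplification of IE's zone model.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Host strings that are a single number: hex (0x...), octal (leading 0) or plain decimal.
_DOTLESS = re.compile(r"^(0x[0-9a-f]+|0[0-7]+|[1-9][0-9]*)$")

def canonical_host(host: str) -> str:
    """Return a numeric IPv4 host in dotted-quad form, whatever spelling it used;
    any other host name is returned lower-cased and otherwise unchanged."""
    host = host.strip().lower()
    m = _DOTLESS.match(host)
    if not m:
        return host
    text = m.group(1)
    if text.startswith("0x"):
        value = int(text, 16)
    elif text.startswith("0"):
        value = int(text, 8)    # e.g. 031713501415 -> 207.46.131.13 (the bulletin's example)
    else:
        value = int(text, 10)
    # IPv4Address raises ValueError for values that do not fit in 32 bits.
    return str(ipaddress.IPv4Address(value))

# Assumed private ranges that a simplified zone model treats as the local intranet.
INTRANET_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_zone(url: str) -> str:
    """Simplified zone decision: canonicalize the host first, then place private
    addresses and single-label names in the Intranet zone and everything else in
    the Internet zone. Deciding on the raw host string is what lets an octal or
    decimal spelling of a public address slip into the Intranet zone."""
    host = canonical_host(urlsplit(url).hostname or "")
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        # Not an address: a name with no dots is treated as a local intranet name.
        return "Intranet" if "." not in host else "Internet"
    return "Intranet" if any(addr in net for net in INTRANET_NETS) else "Internet"
```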
Mitigating factors:
Cookie Handling Vulnerabilities:
- To exploit either vulnerability, the attacker would need to entice the user into visiting a particular web site or opening an HTML e-mail containing the malformed URL.
- The Outlook Email Security Update (which is included as part of Outlook 2002 in Office XP) would protect the user against the mail-borne attack scenario.
- Users who have set Outlook Express to use the "Restricted Sites" Zone are not affected by the mail-borne attack scenario, because the "Restricted Sites" zone sets Active Scripting to disabled. Note that this is the default setting for Outlook Express 6.0. Users of Outlook Express 6.0 should verify that Active Scripting is still disabled in the Restricted Sites Zone.
Zone Spoofing Vulnerability:
- The default settings in the Intranet Zone differ in only a few ways from those of the Internet Zone. The differences are enumerated in the FAQ in MS01-051, but none would allow destructive action to be taken.
Severity Rating:
Cookie handling vulnerabilities:
                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   Moderate           Moderate           Moderate
Internet Explorer 6.0   Moderate           Moderate           Moderate
Zone Spoofing Vulnerability variant:
                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   Moderate           Moderate           Moderate
Aggregate severity of all vulnerabilities eliminated by patch:
                        Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5   Moderate           Moderate           Moderate
Internet Explorer 6.0   Moderate           Moderate           Moderate
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. In the case of the cookie handling vulnerabilities, the attack scenarios either could be prevented or would require user action in order to succeed. In the case of the Zone Spoofing vulnerability, even a successful attack would not allow any significant change in privileges under default conditions.
Vulnerability identifiers:
- First Cookie Handling Vulnerability: CAN-2001-0722
- Second Cookie Handling Vulnerability: CAN-2001-0723
- Zone Spoofing Vulnerability variant: CAN-2001-0724
Tested Versions:
Microsoft tested Internet Explorer 5.5 and 6.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
Frequently asked questions
Why is Microsoft re-releasing this bulletin?
The original version of the bulletin advised customers of a workaround procedure that could be used while a patch was under development. We have now completed the patch, and have updated this bulletin to advise customers of its availability as well as to discuss other vulnerabilities that it eliminates.
What vulnerabilities are eliminated by this patch? This patch, when installed, eliminates all known security vulnerabilities affecting Internet Explorer 5.5 and 6.0. In addition to eliminating all previously discussed vulnerabilities affecting these versions, it also eliminates three new ones.
- Two vulnerabilities involving the handling of cookies.
- A newly discovered variant of the Zone Spoofing vulnerability discussed in Security Bulletin MS01-051.
What's the scope of the first two vulnerabilities?
The first two vulnerabilities have exactly the same scope. A malicious web site with a malformed URL could read or potentially alter the contents of a user's cookies, which might contain personal information. In addition, it is possible to alter the contents of the cookie.
In order to exploit the vulnerability, an attacker would either need to entice the user into visiting a particular web page, or send an HTML mail to the user. However, the latter attack would be blocked if the user had installed the Outlook Email Security Update, or was running Word 2002, which includes the Update by default.
What causes these vulnerabilities?
The vulnerability results from a flaw in the way IE identifies the web page the user is visiting when determining which cookies the site should be able to access.
What are cookies?
A cookie is a small data file that's stored on a user's system by a web site, and which contains information that allows the site to customize its behavior for the user. For instance, a web site that sells shoes might use a cookie to record the fact that when you visit the site, you always buy athletic shoes. This would allow the site to take you directly to the athletic shoe section when you visit it.
What prevents one web site from accessing another site's cookies?
Each cookie on your system indicates what site created it and, by design, IE will only allow that site to access the cookie. The two security vulnerabilities here result because under certain conditions it's possible for a web site to bypass this protection and access cookies that were created by other sites.
What kind of information could someone gain if they accessed the cookies on my system?
It would depend on what information has been stored in the cookies. Most sites don't store personal data within cookies. For instance, in the example above, the web site might have a database that contains information about customers' shoe preferences, and it might only store data in the cookie that tells it which database entry to look up. In such a case, it wouldn't matter whether an attacker could access the cookie, because it wouldn't reveal any information.
On the other hand, if a site did store personal information in the cookie (for instance, in the example above, if the site stored your shoe preference directly in the cookie), an attacker who accessed it could potentially compromise personal information.
How could an attacker carry out an attack using either of these vulnerabilities?
An attacker could attempt to exploit this vulnerability by hosting a page with a maliciously crafted URL, or by sending the victim an HTML email with a similarly crafted URL.
In the case where the attacker hosted a web page, would he have any way to compel me to visit the site?
The attacker could not force you to visit his site. Instead, he would need to entice you into performing some action that would cause you to visit the site. There are, however, a variety of actions that could be used to do this, from visiting a web site that would redirect you to the attacker's, to opening an HTML e-mail that referenced the attacker's site.
In the case where the attacker sent me an HTML e-mail, would simply opening the mail allow me to be attacked?
Yes. It is possible for an attacker to craft an HTML email in such a way that it would exploit either of these vulnerabilities on opening the mail. However, it's worth noting that the Outlook Email Security Update, if installed, would prevent this attack from succeeding. (The Update is included as part of Outlook 2002.)
I've heard that IE 5.01 is not affected by this vulnerability, is that true?
While IE 5.01 is outside of hotfix support, it has been tested and found to be unaffected by this vulnerability in all versions (gold, SP1, and SP2).
When the original version of the bulletin was released, I disabled Active Scripting. Can I turn it back on now?
Yes. Here's how:
- On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
- In the Settings box, scroll down to the Scripting section, and click Enable under "Active scripting" and "Scripting of Java applets".
- Click OK, and then click OK again.
I am a network administrator. How can I re-enable active scripting in my enterprise?
To re-enable Active Scripting on a network-wide scale, you'll need to make a registry change on the client machines. There are two ways to do this: by creating an auto-config INS file using Profile Manager and then applying it, or via SMS or a logon script.
You'll need to change the settings in two registry keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
There are five different sub keys under each "Zones" key, each controlling a different security zone. The key names are 0-4:
- 0 = Your computer
- 1 = Local Intranet
- 2 = Trusted Sites
- 3 = Internet
- 4 = Restricted Sites
Under each zone number key, there is a DWORD value that governs Active Scripting within that zone. This value is named 1400. Setting it to 0 enables Active Scripting; setting it to 3 disables it.
HKCU setting changes take effect immediately. However, the HKLM settings would most likely require a reboot.
What does the patch do?
The patch eliminates the vulnerabilities by implementing proper domain checking when handling cookies.
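An added illustration of what "proper domain checking" means in practice (example code, not the patch or IE's implementation): a cookie jar that releases a cookie only when the requesting host domain-matches the cookie's Domain attribute under the RFC 2109 rule, contrasted with a naive substring check that hands cookies to unrelated hosts. The `Cookie` class, the sample jar and `naive_match` are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str   # Domain attribute as set by the origin server, e.g. ".example.com"

def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 2109 domain-match: a host-only cookie needs an exact host match; a
    Domain that starts with a dot must contain another dot (no TLD-wide cookies),
    the request host must end with it, and the host prefix left over must contain
    no dots, so a.shop.example.com does not match .example.com."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().rstrip(".")
    if not domain.startswith("."):
        return host == domain
    if "." not in domain[1:]:
        return False
    if not host.endswith(domain):
        return False
    prefix = host[: -len(domain)]
    return "." not in prefix

def naive_match(request_host: str, cookie_domain: str) -> bool:
    """Deliberately weak check for contrast: any host whose name merely contains
    the cookie domain string is treated as the cookie's owner."""
    return cookie_domain.lstrip(".").lower() in request_host.lower()

def cookies_for(jar, request_host: str, match=domain_match):
    """Return the cookies the given host is allowed to see, using the chosen matcher."""
    return [c for c in jar if match(request_host, c.domain)]

# Constructed sample jar: a site-wide session cookie, a host-only preference cookie,
# and a malformed TLD-wide cookie that a correct check must never release.
SAMPLE_JAR = [
    Cookie("session", "abc123", ".example.com"),
    Cookie("pref", "athletic", "shoes.example.com"),
    Cookie("bad", "x", ".com"),
]
```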
What's the scope of the third vulnerability?
The third vulnerability is a new variant of the "Zone Spoofing" vulnerability discussed in Microsoft Security Bulletin MS01-051. It could allow a web site to take actions that it should not be able to take on visiting users' systems. Specifically, it could allow the web site to trick IE into treating it as though it was located on the user's intranet, thereby gaining the ability to use less-restrictive security settings than are appropriate. A user could be affected by this vulnerability either by surfing to an attacker's web site or opening an HTML mail from an attacker.
If the security settings were left in their defaults, the additional privileges the web site would gain still wouldn't allow it to take any destructive action. The greater danger from this vulnerability would arise in the case where the user had given intranet sites additional latitude.
Are there any differences between this vulnerability and the one discussed in MS01-051?
The new variant is exactly the same as the original one, except for the specific way in which it could be exploited.
Download locations for this patch
- Microsoft Internet Explorer 5.5 and 6.0:
http://www.microsoft.com/windows/ie/downloads/critical/q312461/default.asp
Additional information about this patch
Installation platforms:
- The IE 5.5 patch can be installed on IE 5.5 Service Pack 2.
- The IE 6 patch can be installed on IE 6 Gold.
Inclusion in future service packs:
The fix for these issues will be included in IE 5.5 Service Pack 3, and IE 6 Service Pack 1.
Reboot needed: Yes
Superseded patches: MS01-051.
Verifying patch installation:
- To verify that the patch has been installed on the machine, open IE, select Help, then select About Internet Explorer and confirm that Q312461 is listed in the Update Versions field.
- To verify the individual files, use the patch manifest provided in Knowledge Base article Q312461.
Caveats:
None
Localization:
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site.
- All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site.
Acknowledgments:
Microsoft thanks Marc Slemko for reporting one of the cookie handling issues to us and working with us to protect customers.
Support:
- Microsoft Knowledge Base article Q312461 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (November 08, 2001): Bulletin Created.
- V2.0 (November 13, 2001): Bulletin updated with patch information and to discuss the inclusion of fixes for additional cookie handling vulnerability and a variant of the zone spoofing issue.
A useful place to check your computer for updates, including software updates and security updates, can be found at CNET CatchUp, a freebie program that will go through your computer files and advise you of available updates. As always, you should be cautious and know what you are doing, especially when it comes to driver updates. But I have recently found that they seem to post security updates and some software updates before they make it to the Windows Update site.