To siedem and other technical folks - IE security

16.05.02, 22:03
Microsoft releases monster IE patch
Robert Lemos, CNET News.com

Microsoft urged Windows users to download a fix for Internet Explorer on
Wednesday, following the company's announcement that six new flaws had been
found in its Web browser.

The software giant called three of the flaws critical, but only one of them--a
cross-site scripting error that affects only Internet Explorer 6.0--would allow
an attacker or a worm to run a program on the victim's computer.

"Two of them are critical because of the possibility of information
disclosure," said Christopher Budd, security program manager for the Microsoft
security response team. "But they have steep requirements."

The first flaw occurs when the browser sends information within a link to
another browser. Known as cross-site scripting, the technique can be abused by
an attacker to get the other site to run a program specified by a malicious
user. The flaw outlined by Microsoft on Wednesday would require that the
attacker either host a Web page with the malicious link or send an HTML command
via e-mail.

The two critical flaws that could compromise user information occur because of
the way IE handles popular site templates, known as cascading style sheets, and
the way it processes cookies. Both require the exact names of files on the
target system to work, reducing the risk somewhat.

The other flaws and the patch can be found in the advisory.

Microsoft Windows XP users will automatically be prompted to install the update
by the operating system, while users of other Windows variants will have to go
to the Windows Update site.

The 2MB download includes all the old repairs for Internet Explorer 5.01, 5.5
and 6.0, plus patches for the latest six holes as well.

In addition to the patches, the software update additionally adds a
new "feature," restricts the default settings of the "Restricted Sites" zone to
block all frames
--------------------------------

If anyone wants links, I can post them. The patch in Polish is there too.
sc-k
    • liman Post the links, Sceptyk. Thanks. (notxt) 16.05.02, 22:20
    • Guest: TomekMX Re: To siedem and other technical folks - IE security IP: 148.230.73.* 16.05.02, 22:34
      I couldn't care less... I have Netscape 6.2.2
    • sceptyk link + Microsoft's commentary (partial) 16.05.02, 22:56
      Download:

      http://www.microsoft.com/windows/ie/downloads/critical/Q321232

      ----------------------------------------------------------------


      Microsoft Security Bulletin MS02-023


      15 May 2002 Cumulative Patch for Internet Explorer (Q321232)
      Originally posted: May 15, 2002

      Summary
      Who should read this bulletin: Customers using Microsoft® Internet Explorer

      Impact of vulnerability: Six new vulnerabilities, the most serious of which
      could allow code of attacker's choice to run.

      Maximum Severity Rating: Critical

      Recommendation: Consumers using the affected versions of IE should install the
      patch immediately.

      Affected Software:

      Microsoft Internet Explorer 5.01
      Microsoft Internet Explorer 5.5
      Microsoft Internet Explorer 6.0

      Technical details
      Technical description:


      This is a cumulative patch that includes the functionality of all previously
      released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the
      following six newly discovered vulnerabilities:

      (...)

      Tested Versions:
      The following table indicates which of the currently supported versions of
      Internet Explorer are affected by the vulnerabilities. Versions of IE prior to
      5.01 Service Pack 2 are no longer eligible for hotfix support. IE 5.01 SP2 is
      supported only via Windows® 2000 Service Packs and Security Roll-up Packages
      and on Windows NT® 4.0.
      IE 5.01 SP2 | IE 5.5 SP1 | IE 5.5 SP2 | IE 6.0

      Frequently asked questions

      What vulnerabilities are eliminated by this patch?

      This is a cumulative patch that, when applied, eliminates all previously
      addressed security vulnerabilities affecting Internet Explorer 5.01, 5.5 and
      6.0. In addition to eliminating all previously discussed vulnerabilities
      versions, it also eliminates six new ones:

      A vulnerability that could allow an attacker to cause script to be run in the
      Local Computer Zone.
      A vulnerability that could disclose information stored on the local system to an
      attacker including, potentially, personal information.
      A vulnerability that could allow a web site to read the cookies of another web
      site by embedding script in cookies on the local system and invoking that
      script to read other cookies on the local system.
      A vulnerability that could allow an attacker to cause a web page's security
      zone settings to be incorrectly determined and allow a page to run with fewer
      security restrictions than is appropriate.
      Two newly discovered variants of the "Content-Disposition" vulnerability first
      discussed in MS01-051.
      Finally, it introduces a new enhancement to the Restricted Sites zone.
      Specifically, it disables frames in the Restricted Sites zone.

      (...)

      What causes the vulnerability?

      The vulnerability results because a local resource file that is included with
      IE contains an HTML web page that fails to properly validate inputs.

      What is a "local resource file" in IE?

      Some of the functionality that a user sees in IE is actually provided by HTML
      resources that are stored on the local file system. Examples of pages like this
      include error messages that are raised when a site is unreachable. The
      information that actually makes up the page is a standard HTML web page, but is
      stored on the local file system, rather than being sent from a remote server.

      What is Cross-Site Scripting?

      Cross-Site Scripting is a vulnerability that can allow script to be injected
      into a user's session with a web site.

      By injecting code into the domain of another web site, an attacker can cause
      script of his choice to execute as if it were part of that web site's domain.
      Microsoft has made more detailed information on Cross-Site Scripting available
      here

      What could this vulnerability enable an attacker to do?

      This vulnerability could allow an attacker to invoke the local HTML resource
      and inject script into the page as it is called. As the page is rendered, the
      attacker's script would then be rendered as if it had been called by the page
      itself. Because this particular HTML page is on the local system, this allows
      the attacker's script to run in the Local Computer zone. This has the effect of
      allowing the attacker's script to run as if the user had chosen to run it
      herself. This means that it could take any action on the user's system that she
      herself were capable of.

      For example, if the user had permissions to change the security setting of IE,
      the attacker's script could make the same changes. Conversely however, this
      also means that any limitations on the user's privileges would also constrain
      the attacker's script. If a user were prohibited from changing their IE
      security settings, for instance, the script too would be unable to make those
      changes.

      How could an attacker exploit this vulnerability?

      An attacker could seek to exploit this vulnerability by creating a web page
      that invoked the vulnerable web page by means of a specially crafted URL that
      contained the script he wanted to execute on the local system. When the user
      clicked on the URL, the script would execute in the Local Computer zone.

      An attacker could attempt to levy this attack in one of two ways: He could post
      the web page on a server, or send it to the intended user as an HTML email.

      What are the risks posed by the web-borne attack vector?

      From the attacker's point of view, the web-borne attack vector has the
      advantage that all Internet Web sites reside in the "Internet Zone", which
      enables scripting. This means that unless a user were making judicious use of
      the "Restricted Sites zone" and had placed the attacker's site in that zone,
      she would be vulnerable when she visited the attacker's site.

      However, the disadvantage of this attack vector for the attacker is that this
      scenario requires social engineering to make the user choose to visit his site.
      A user who exercised caution in her choice of web sites would successfully
      avoid attempts to exploit this vulnerability altogether. Also, as noted
      earlier, if a user visits an unknown or untrusted site and places that site in
      the Restricted Sites zone, she would successfully thwart the attack.

      What are the risks posed by the email-borne attack vector?

      The advantage of an email-borne attempt to exploit this vulnerability is that
      it requires no social engineering to lure the user to a web site: the attacker
      can send the malicious page directly to the user. Because of this, this also
      makes it easier for an attacker to attempt to attack a large number of users:
      he can send the same web page to as many users as he wanted.

      The disadvantage to this attack, though, is that the success of this attack
      would depend on the configuration of the mail client. If a user's mail client
      has been configured to read mail in the Restricted Sites zone, attempts to
      exploit this vulnerability through email would fail. This is because scripting
      is disabled by default in the Restricted Sites zone. Customers who are using
      Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email
      Security Update and Outlook 2002 would thus be protected in a default
      installation, because those products all read mail in the Restricted Sites
      zone. In addition, customers who are using the new "Read as Plain Text" feature
      would also be protected against this attack vector. This is because the "Read
      as Plain Text" feature strips all HTML features, including scripts, from HTML
      email.

      I'm using one of the email products and/or the new "Read as Plain Text" feature
      you mentioned above. Does that mean I don't need the patch?

      While these products and this feature can all protect you against the email-
      borne attack, you should still apply the patch to ensure that you're protected
      against the web-borne scenario. In addition, this patch eliminates other
      vulnerabilities, some of which are not thwarte
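
Added example, not part of the original thread or of Microsoft's bulletin: a sketch of the input-validation failure the bulletin describes, where a locally stored HTML page builds its content from a value in the URL that invoked it. The page name, the use of the URL fragment and all function names are hypothetical; the unsafe renderer is shown next to a hardened one that validates and HTML-encodes the value.

```javascript
// Constructed stand-in for a locally stored error page that displays the
// address that failed to load. Page name, URL layout and function names
// are assumptions made for this example.

// Pulls the value after '#' from the URL that invoked the page.
function extractTarget(invokingUrl) {
  const hash = invokingUrl.indexOf("#");
  if (hash === -1) return "";
  try { return decodeURIComponent(invokingUrl.slice(hash + 1)); }
  catch { return ""; }
}

// Unsafe: the value is pasted into the markup as-is, so any markup in it
// becomes part of the page and runs with the page's own privileges.
function renderErrorPageUnsafe(invokingUrl) {
  const target = extractTarget(invokingUrl);
  return `<html><body><p>Cannot open: ${target}</p></body></html>`;
}

// Accept only absolute http(s) addresses.
function isHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch { return false; }
}

// Encode the five characters that are significant in HTML text/attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: validate first, then encode before writing into the page.
function renderErrorPageSafe(invokingUrl) {
  const target = extractTarget(invokingUrl);
  const shown = isHttpUrl(target) ? escapeHtml(target) : "(invalid address)";
  return `<html><body><p>Cannot open: ${shown}</p></body></html>`;
}

// Constructed sample inputs.
const BENIGN = "local-error-page.htm#http://example.com/a?b=1&c=2";
const MARKUP = "local-error-page.htm#" +
  encodeURIComponent("http://example.com/<b>x</b>");

console.log(renderErrorPageUnsafe(MARKUP));
console.log(renderErrorPageSafe(MARKUP));
```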
      • Guest: Agent To all the (un)happy owners of Windows IP: *.wroclaw.dialog.net.pl 16.05.02, 23:09
        sceptyk wrote:
        > Download:
        >
        > www.microsoft.com/windows/ie/downloads/critical/Q321232

        Instead of messing around with links, just run Windows Update :)
        Start / Windows Update or
        Tools / Windows Update (IE 6.0)

        This solution is better in that we can download not only the newest update
        but also older useful security fixes that sceptyk did not mention :)
        The Windows Update site automatically checks what we do not have installed
        yet, so it shows only the items we definitely do not have installed :)

        Happy leeching of Bill Gates's patches

        Awaiting new bugs,
        warm regards :)
    • Guest: TomekMX Trustworthy Computing!!! IP: 148.230.73.* 16.05.02, 23:18
      Well, nothing beats Mr. Gates's "TrustWorthy Computing"...

      www.trustworthycomputing.com
      • sceptyk Because they're chasing each other like fools 16.05.02, 23:31
        If Netscape weren't chasing him so hard with new versions, Bill could calmly
        prepare a decent program. And today I read somewhere that the newest version
        of AOL has Netscape, and they dumped Explorer. But that's probably because
        they're fighting it out in the courts in the States right now.
        • Guest: siedem :) /nt IP: *.tgory.pik-net.pl 17.05.02, 07:25
          7,00
          • Guest: Rys Linux :))) IP: 149.156.211.* 17.05.02, 08:16
            • Guest: # #lux runs on every Platform without patches! Ntxt IP: *.wroclaw.tpnet.pl 17.05.02, 09:01

              • Guest: siedem oh! you incorrigible anarchists :) IP: *.tgory.pik-net.pl 17.05.02, 09:05
                that was to Mr #


                and to sceptyk:
                you know neither the day nor the hour
                people who are 'afraid'
                I always ask "what enemies
                do you have?" then one should
                think about what to do about it

                7,00