-----BEGIN PGP SIGNED MESSAGE-----

- -
- ----------------------------------------------------------------------
Title:      11 February 2002 Cumulative Patch for Internet Explorer
Date:       11 February 2002
Software:   Internet Explorer
Impact:     Run Code of Attacker's Choice
Max Risk:   Critical
Bulletin:   MS02-005

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-005.asp.
- -
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that, when installed, eliminates all
previously discussed security vulnerabilities affecting IE 5.01, 5.5
and IE 6. In addition, it eliminates the following six newly
discovered vulnerabilities: 

 - A buffer overrun vulnerability associated with an HTML directive
   that's used to incorporate a document within a web page. By
   creating a web page that invokes the directive using specially
   selected attributes, an attacker could cause code to run on the
   user's system. 

 - A vulnerability associated with the GetObject scripting function.
   Before providing a handle to an operating system object,
   GetObject performs a series of security checks to ensure that the
   caller has sufficient privileges to it. However, by requesting a
   handle to a file using a specially malformed representation, it
   would be possible to bypass some of these checks, thereby 
   allowing a web page to complete an operation that should be
   prevented, namely, reading files on the computer of a visiting
   user's system. 

 - A vulnerability related to the display of file names in the File
   Download dialogue box. When a file download from a web site is
   initiated, a dialogue provides the name of the file and lets the
   user choose what action to take. However, a flaw exists in the way
   HTML header fields (specifically, the Content-Disposition and
   Content-Type fields) are handled. This flaw could make it possible
   for an attacker to misrepresent the name of the file in the
   dialogue, in an attempt to trick a user into opening or saving
   an unsafe file. 

 - A vulnerability that could allow a web page to open a file on the
   web site, using any application installed on a user's system.
   By design, IE should only open a file on a web site using the
   application that's registered to that type of file, and even
   then only if it's on a list of safe applications. However,
   through a flaw in the handling of the Content-Type HTML
   header field, an attacker could circumvent this restriction,
   and specify the application that should be invoked to process
   a particular file. IE would comply, even if the application was
   listed as unsafe. 

 - A vulnerability that could enable a web page to run a script even
   if the user has disabled scripting. IE checks for the presence of
   scripts when initially rendering a page. However, the capability
   exists for objects on a page to respond to asynchronous events;
   by misusing this capability in a particular way, it could be
   possible for a web page to fire a script after the page has 
   passed the initial security checks. 

 - A newly discovered variant of the "Frame Domain Verification"
   vulnerability discussed in Microsoft Security Bulletin MS01-058.
   The vulnerability could enable a malicious web site operator to
   open two browser windows, one in the web site's domain and the
   other on the user's local file system, and to use the
   Document.open function to pass information from the latter to
   the former. This could enable the web site operator to read, but
   not change, any file on the user's local computer that could be
   opened in a browser window. In addition, this could be used to
   mis-represent the URL in the address bar in a window opened from
   their site. 

Mitigating Factors:
====================
Buffer Overrun in HTML Directive: 

 - The vulnerability could not be exploited if the "Run ActiveX
   Controls and Plugins" security option were disabled in the
   Security Zone in which the page was rendered. This is the default
   condition in the Restricted Sites Zone, and can be disabled
   manually in any other Zone. 

 - Outlook 98 and 2000 (after installing the Outlook Email Security
   Update), Outlook 2002, and Outlook Express 6 all open HTML mail
   in the Restricted Sites Zone. As a result, customers using these
   products would not be at risk from email-borne attacks. 

 - The buffer overrun would allow code to run in the security context
   of the user rather than the system. The specific privileges the
   attacker could gain through this vulnerability would therefore
   depend on the privileges accorded to the user. 

File Reading via GetObject function: 

 - This vulnerability could only be used to read files. It could not
   be used to create, change, delete, or execute them. 

 - The attacker would need to know the name and location of the file
   on the user's computer. 

 - Some files that would be of interest to an attacker - most
   notably,the SAM Database - are locked by the operating system
   and therefore could not be read even using this vulnerability. 

 - The email-borne attack scenario would be blocked if the user were
   using any of the following: Outlook 98 or 2000 with the Outlook
   Email Security Update installed; Outlook 2002; or Outlook
   Express 6. 

 - The web-based attack scenario could be blocked by judicious use of
   the IE Security Zones mechanism such as using the Restricted Sites
   zone. 

File Download Dialogue Spoofing via Content-Type and 
Content-Disposition fields: 

 - Exploiting this vulnerability would not give an attacker the
   ability to force code to run on a user's system. It would only
   enable the attacker to misrepresent the file name and type in the
   File Download dialogue. The download operation would not occur
   without the user's approval, and the user could cancel at any
   time.

 - The vulnerability could not be exploited if File Downloads have 
   been disabled in the Security Zone in which the e-mail is 
   rendered. This is not a default setting in any zone, however. 

 - On versions of IE prior to 6.0, the default selection in the file
   download dialogue is to save, rather than open, the file. (In 
   IE 6.0, the default is to open the file; however, this behavior
   is inappropriate, and the patch changes IE 6.0 to conform with the
   behavior of previous versions). 

Application invocation via Content-Type field: 

 - An attacker could only exploit this vulnerability if the
   application specified through the Content-Type field was actually
   installed on the user's system. 

 - The vulnerability does not provide any way for the attacker to
   inventory the applications installed on the user's system and 
   select one, nor does it provide any way to force the user to
   install a particular application. 

 - The vulnerability would not provide any way to circumvent the
   security features of the application or to reconfigure it. 

 - Outlook 2002 users who have configured Outlook to render HTML mail
   as plaintext would be at no risk from attack through HTML mail. 

Script execution: 

 - This vulnerability extends only to allowing scripts to run - it
   does not allow any other security restrictions to be bypassed.
   So, for instance, although an attacker could use this
   vulnerability to run a script, the script would still be subject
   to all other expected security settings. 

Frame Domain Verification Variant via Document.Open function: 

 - The vulnerability could only be used to view files. It could
   not be used to create, delete, modify or execute them. 

 - The vulnerability would only allow an attacker to read files that
   can be opened in a browser window, such as image files, HTML files
   and text files. Other file types, such as binary files, executable
   files, Word documents, and so forth, could not be read. 

 - The attacker would need to specify the exact name and location of
   the file in order to read it. 

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - The dH team and SECURITY.NNOV (http://www.security.nnov.ru/) team 
   for reporting the buffer overrun vulnerability. 

 - Sandro Gauci of GFI security labs (http://www.gfi.com) for
   reporting the application invocation vulnerability. 

- -
- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF 
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS 
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO 
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR 
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPGhVAY0ZSRQxA/UrAQHZqQgAnxfxdxKB3/QdWdJlMPse6n0lqDFUavkI
Ak64iU08ndTO3qBEdttNS3lAwqYTL5gtyw5k4zxcrvM9mMu5x3ZgJXfFmp9kMOKy
AhN+AkGqjRgDNAmrCaN2C7I3rOsTGnf6tsg2Qg7ElmnCmPcerI2qWrw/C4/6aIqg
iuI5UGoAMCJoxst3pK0Y0ZWNj1NDsxTjPeBiOHYqnr2YUNKffLW3bsldqpBPkNLL
AqOQMJhHYAZb+DcEjKzhPqFmJTf9Ng/lb81NNPbuR18zcgrIS6KNlbW5YyFlIEu/
+tSAKgeScNroeAw6bE4QRymv7tR/rrfEux1rmyZxFS0aIpPlNeCO+g==
=FiIM
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification   Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To cancel your subscription, click on the following link mailto:1_25598_597AAC3D-B8D9-4A9A-A29A-9EBCF4758F48_US@Newsletters.Microsoft.com?subject=UNSUBSCRIBE to create an unsubscribe e-mail.

To stop all e-mail newsletters from microsoft.com, click on the following link mailto:2_25598_597AAC3D-B8D9-4A9A-A29A-9EBCF4758F48_US@Newsletters.Microsoft.com?subject=STOPMAIL to create an unsubscribe e-mail.  You can manage all your Microsoft.com communication preferences from http://www.microsoft.com/misc/unsubscribe.htm

For security-related information about Microsoft products, please  visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.