-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      28 March 2002 Cumulative Patch for Internet Explorer
Date:       28 March 2002
Software:   Internet Explorer
Impact:     Two vulnerabilities, the most serious of which 
            would allow script to run in the Local Computer Zone.
Max Risk:   Critical
Bulletin:   MS02-015

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-015.asp.
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and IE 6. In addition,
it eliminates the following two newly discovered vulnerabilities: 

 - A vulnerability in the zone determination function that could
   allow a script embedded in a cookie to be run in the Local
   Computer zone. While HTML scripts can be stored in cookies,
   they should be handled in the same zone as the hosting site
   associated with them, in most cases the Internet zone. An
   attacker could place script in a cookie that would be saved
   to the user's hard disk. When the cookie was opened by the
   site the script would then run in the Local Computer zone,
   allowing it to run with fewer restrictions than it would
   otherwise have. 

 - A vulnerability in the handling of object tags that could
   allow an attacker to invoke an executable already present
   on the user's machine. A malicious user could create HTML
   web page that includes this object tag and cause a local
   program to run on the victim's machine.

Mitigating Factors:
====================
Cookie-based Script Execution: 

 - The script would run with the same rights as the user.
   The specific privileges the attacker could gain through
   this vulnerability would therefore depend on the
   privileges accorded to the user. Any limitations on a
   user's account, such as those applied through Group
   Policies, would also limit the actions of any script
   executed by this vulnerability. 

Local Executable Invocation via Object tag: 

 - The vulnerability would not enable the attacker to pass
   any parameters to the program. Microsoft is not aware of
   any programs installed by default in any version of
   Windows that, when called with no parameters, could be
   used to compromise the system. 

 - An attacker could only execute a file on the victim's
   local machine. The vulnerability could not be used to
   execute a program on a remote share or web site. 

 - The vulnerability would not provide any way for an
   attacker to put a program of his choice onto another
   user's system. 

 - An attacker would need to know the name and location
   of any executable on the system to successfully invoke it.

 - Outlook 98 and 2000 (after installing the Outlook Email
   Security Update), Outlook 2002, and Outlook Express 6 all
   open HTML mail in the Restricted Sites Zone. As a result,
   customers using these products would not be at risk from
   email-borne attacks.

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-015.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Andreas Sandblad, Sweden for reporting the Cookie-based Script
   Execution issue

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF 
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS 
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO 
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR 
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPKOqWI0ZSRQxA/UrAQE0Awf/a7Nb51yla2BTXrscH7gzRxwICkIHg5ol
f2JiUuIIWo36RlZ6sLP4vVPy4lVuGmWQPA21FpmLfdp9b8nIlje2YDVMUntU5SF3
6O6xXFVMMWC3wAFITnV3nFQRtb6nWoxza8JtEkVYDXWoAfXizo0XLJIn1N1UmXkn
pz3iUfs0ToykDUG69f81u/vSqErXW+Gb33E83/u8QAaQxFg2v6lZ7IffYEIGiPfO
e6m2Y+6A9rsDLaesn1P1Fo0U5l/E/aZdnLrsJksoDo+QWj2uf4oXtFfXrxhfyElR
Ykq54cJ4L16Qs/pcDrbty8rAEJB/lHXqHiNbqMw4snGzhPfeS/uqTw==
=FGxh
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification   Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To cancel your subscription, click on the following link mailto:1_28221_597AAC3D-B8D9-4A9A-A29A-9EBCF4758F48_US@Newsletters.Microsoft.com?subject=UNSUBSCRIBE to create an unsubscribe e-mail.

To stop all e-mail newsletters from microsoft.com, click on the following link mailto:2_28221_597AAC3D-B8D9-4A9A-A29A-9EBCF4758F48_US@Newsletters.Microsoft.com?subject=STOPMAIL to create an unsubscribe e-mail.  You can manage all your Microsoft.com communication preferences from http://www.microsoft.com/misc/unsubscribe.htm

For security-related information about Microsoft products, please  visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.