-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      15 May 2002 Cumulative Patch for Internet Explorer
            (Q321232)
Date:       15 May 2002
Software:   Internet Explorer
Impact:     Six new vulnerabilities, the most serious of which could
            allow code of attacker's choice to run.
Max Risk:   Critical
Bulletin:   MS02-023

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-023.asp.
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and 6.0. In addition,
it eliminates the following six newly discovered vulnerabilities:


 - A cross-site scripting vulnerability in a Local HTML Resource.
   IE ships with several files that contain HTML on the local file
   system to provide functionality. One of these files contains a
   cross-site scripting vulnerability that could allow a script to
   execute as if it were run by the user herself, causing it to run
   in the local computer zone. An attacker could craft a web page 
   with a URL that exploits this vulnerability and then either host
   that page on a web server or send it as HTML email. When the web
   page was viewed and the user clicked on the URL link, the
   attacker's script injected into the local resource, the
   attacker's script would run in the Local Computer zone, allowing
   it to run with fewer restrictions than it would otherwise have. 

 - An information disclosure vulnerability related to the use of am
   HTML object provides that support for Cascading Style Sheets that
   could allow an attacker to read, but not add, delete or change,
   data on the local system. An attacker could craft a web page
   that exploits this vulnerability and then either host that page
   on a web server or send it as HTML email. When the page was 
   viewed, the element would be invoked. Successfully exploiting this
   vulnerability, however, requires exact knowledge of the location
   of the intended file to be read on the user's system. Further,
   it requires that the intended file contain a single, particular
   ASCII character. 

 - An information disclosure vulnerability related to the handling
   of script within cookies that could allow one site to read the
   cookies of another. An attacker could build a special cookie
   containing script and then construct a web page with a hyperlink
   that would deliver that cookie to the user's system and invoke
   it. He could then send that web page as mail or post it on a
   server. When the user clicked the hyperlink and the page invoked
   the script in the cookie, it could potentially read or alter the
   cookies of another site. Successfully exploiting this, however,
   would require that the attacker know the exact name of the
   cookie as stored on the file system to be read successfully. 

 - A zone spoofing vulnerability that could allow a web page to be
   incorrectly reckoned to be in the Intranet zone or, in some very
   rare cases, in the Trusted Sites zone. An attacker could construct
   a web page that exploits this vulnerability and attempt to entice
   the user to visit the web page. If the attack were successful,
   the page would be run with fewer security restrictions than
   is appropriate. 

 - Two variants of the "Content Disposition" vulnerability
   discussed in Microsoft Security Bulletin MS01-058 affecting how
   IE handles downloads when a downloadable file's
   Content-Disposition and Content-Type headers are
   intentionally malformed. In such a case, it is possible for
   IE to believe that a file is a type safe for automatic
   handling, when in fact it is executable content. An attacker
   could seek to exploit this vulnerability by constructing a
   specially malformed web page and posting a malformed executable
   file. He could then post the web page or mail it to the intended
   target. These two new variants differ from the original
   vulnerability in that they for a system to be vulnerable, it
   must have present an application present that, when it is
   erroneously passed the malformed content, chooses to hand it
   back to the operating system rather than immediately raise
   an error. A successful attack, therefore, would require that
   the attacker know that the intended victim has one of these
   applications present on their system. 

Finally, it introduces a behavior change to the Restricted Sites
zone. Specifically, it disables frames in the Restricted Sites
zone. Since the Outlook Express 6.0, Outlook 98 and Outlook 200
with the Outlook Email Security Update and Outlook 2002 all read
email in the Restricted Sites zone by default, this enhancement
means that those products now effectively disable frames in HTML
email by default. This new behavior makes it impossible for an
HTML email to automatically open a new window or to launch the
download of an executable. 

Mitigating Factors:
====================
Cross-Site Scripting in Local HTML Resource:

 - A successful attack requires that a user first click on a
   hyperlink. There is no way to automate an attack using
   this vulnerability. 

 - Outlook 98 and 2000 (after installing the Outlook Email
   Security Update), Outlook 2002, and Outlook Express 6 all
   open HTML mail in the Restricted Sites Zone. As a result,
   customers using these products would not be at risk from
   email-borne attacks. 

 - Customers using Outlook 2002 SP1 who have enabled the
   "Read as Plain Text" feature would be immune from the HTML
   email attack. This is because this feature disables all
   HTML elements, including scripting, from mail when it
   is displayed. 

 - Any limitations on the rights of the user's account
   would also limit the actions of the attacker's script. 

 - Customers who exercise caution in what web sites they
   visit or who place unknown or untrusted sites in the
   Restricted Sites zone can potentially protect themselves
   from attempts to exploit this issue on the web. 

Local Information Disclosure through HTML Object:

 - It can only be used to read information. It cannot add,
   change or delete any information. 

 - The attacker would need to know the exact name and
   location on the system of any file they attempted to read. 

 - Only files that contained a particular, individual ASCII
   character could be read. If this single character is not
   present, the attempt to read the file would fail. 

 - Outlook 98 and 2000 (after installing the Outlook Email
   Security Update), Outlook 2002, and Outlook Express 6 all
   open HTML mail in the Restricted Sites Zone. As a result,
   customers using these products would not be at risk from
   email-borne attacks. 

 - Customers using Outlook 2002 SP1 who have enabled the
   "Read as Plain Text" feature would be immune from the
   HTML email attack. This is because this feature disables
   all HTML elements, including scripting, from mail when it
   is displayed. 

Script within Cookies Reading Cookies: 

 - The specific information an attacker could access would
   depend on what information a site has chosen to store in
   its cookies. Best practices strongly recommend against
   storing sensitive information in cookies. 

 - An attacker would have to entice a user to first click on
   a hyperlink to initiate an attempt to exploit this
   vulnerability. There is no way to automate an attack that
   exploits this vulnerability. 

 - Mounting a successful attack requires that the attacker
   know the exact name of the target cookie. This
   vulnerability provides no means for an attacker to
   acquire that information. 

 - Outlook 98 and 2000 (after installing the Outlook Email
   Security Update), Outlook 2002, and Outlook Express 6
   all open HTML mail in the Restricted Sites Zone. As a
   result, customers using these products would not be at
   risk from email-borne attacks. 

 - Customers using Outlook 2002 SP1 who have enabled the
   "Read as Plain Text" feature would be immune from the 
   HTML email attack. This is because this feature disables
   all HTML elements, including scripting, from mail when it
   is displayed. 

Zone Spoofing through Malformed Web Page: 

 - A successful attack would require NetBIOS connectivity
   between the user and the attacker's site. Any filtering
   of NetBIOS, such as that found by ISP's or at the firewall
   perimeter, would thwart attempts to exploit this
   vulnerability. 

 - Any attempt to render a web site in the Trusted Sites zone
   would require very specific knowledge of custom configuration
   made by the user. This aspect of the vulnerability is not
   exploitable by default, nor does the vulnerability give the
   means to acquire the necessary information for that attack. 

New Variants of the "Content Disposition" Vulnerability: 

 - Any successful attempt to exploit this vulnerability requires
   that the attacker know that the intended target have specific
   versions of specific applications on their system. The
   vulnerability gives no means for an attacker to know what
   applications or versions are present on the system.

 - Any attempt to exploit the vulnerability requires that the
   attacker host a malicious executable on a server accessible
   to the intended victim. If the hosting server is
   unreachable for any reason, such as DNS blocking or the
   server being taken down, the attack would fail.

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-023.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Jani Laatikainen (jani@laatikainen.net) for reporting one of the
   "Content-Disposition variants. 
 - Yuu Arai of LAC SNS Team (http://www.lac.co.jp/security/) for
   reporting one of the "Content-Disposition variants. 
 - Cistobal Bielza Lino and Juan Carlos G. Cuartango from 
   Instituto Seguridad Internet (www.instisec.com) for reporting
   the Zone Spoofing through Malformed Web Page vulnerability.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF 
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS 
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO 
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR 
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPOLRUY0ZSRQxA/UrAQHuJAf+I9CatGyrjkE6H8uaTNhlrpnXBFhvSXWz
zAbGD30AkFOpB5DbzFqaz0Wnc7syaR/dqwjQ/l/eAJhVW0EDPtJ1augtCrM7zlUZ
1b+T3yv5oynDdnd+EoktdrePxzv+bZCAlaogIOwk/cYIQCwV2o9PWH/xF687ilQ8
Ut2sW6FU8HCrKn7xVPjyrn37XwWKE5qbgBgpg9fcj8rUwlhLMFJCa812cVPVZ9++
mxCuFRpc0+xp/5AZ8OzkNWyIiEt3dLKIHPfCt52IdC27CpFTYVuXMd6bfpquuOcZ
y4JyaB/JaAsXaGHKVR3aQxttcouajE1v3LSfTBOn8uAkM8bf9Ugj/g==
=mw7q
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below:
Send an email to unsubscribe to the Service by following these steps: 
a. Send an e-mail to securrem@microsoft.com. The subject line and the message body are not used to process the subscription request, and can be anything you like. 
b. Send the e-mail. 
c. You will receive a response, asking you to verify that you really want to cancel your subscription. Compose a reply, and put "OK" in the message body. (Without the quotes). Send the reply. 
d. You will receive an e-mail telling you that your name has been removed from the subscriber list.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.