
ms03-048

Posted Nov 14, 2003
Site microsoft.com

Microsoft Security Bulletin MS03-048 - A cumulative update patch has been released for Internet Explorer that includes the functionality of all the previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. Additionally, it eliminates the following five newly-discovered vulnerabilities.

tags | advisory, vulnerability
SHA-256 | dfc29d27adae94c6b106aaaf9545a35d4b5a7adc9870d2ce88bb70b85d0bef8c




Microsoft Security Bulletin MS03-048


Cumulative Security Update for Internet Explorer (824145)

Issued: November 12, 2003
Version: 1.1

Summary

Who Should Read This Document: Customers who have Microsoft®
Internet Explorer® installed

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should install this security update
immediately.

Security Update Replacement: This update replaces the one that is
provided in Microsoft Security Bulletin MS03-040, which is itself a
cumulative update.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows NT® Workstation 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition, Service
Pack 6
* Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service
Pack 4
* Microsoft Windows XP, Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server® 2003
* Microsoft Windows Server 2003, 64-Bit Edition

Tested Microsoft Windows Components:

Affected Components:
* Internet Explorer 6 Service Pack 1: Download the update.
* Internet Explorer 6 Service Pack 1 (64-Bit Edition): Download the
update.
* Internet Explorer 6 Service Pack 1 for Windows Server 2003:
Download the update.
* Internet Explorer 6 Service Pack 1 for Windows Server 2003 (64-Bit
Edition): Download the update.
* Internet Explorer 6: Download the update.
* Internet Explorer 5.5 Service Pack 2: Download the update.
* Internet Explorer 5.01 Service Pack 4: Download the update.
* Internet Explorer 5.01 Service Pack 3: Download the update.
* Internet Explorer 5.01 Service Pack 2: Download the update.

The software listed above has been tested to determine if the
versions are affected. Other versions are no longer supported and
may or may not be affected.

Technical Details

Technical description:

This is a cumulative update that includes the functionality of all
the previously-released updates for Internet Explorer 5.01,
Internet Explorer 5.5, and Internet Explorer 6.0. Additionally, it
eliminates the following five newly-discovered vulnerabilities:
* Three vulnerabilities that involve the cross-domain security model
of Internet Explorer, which keeps windows of different domains
from sharing information. These vulnerabilities could result in
the execution of script in the My Computer zone. To exploit one of
these vulnerabilities, an attacker would have to host a malicious
Web site that contains a Web page that is designed to exploit the
particular vulnerability and then persuade a user to view the Web
page. The attacker could also create an HTML e-mail message that is
designed to exploit one of these vulnerabilities and persuade the
user to view the HTML e-mail message. After the user has visited
the malicious Web site or viewed the malicious HTML e-mail message
an attacker who exploited one of these vulnerabilities could
access information from other Web sites, access files on a user's
system, and run arbitrary code on a user's system. This code would
run in the security context of the currently logged on user.
* A vulnerability that involves the way that zone information is
passed to an XML object within Internet Explorer. This
vulnerability could allow an attacker to read local files on a
user's system. To exploit this vulnerability, an attacker would
have to host a malicious Web site that contains a Web page that is
designed to exploit the particular vulnerability and then persuade
a user to view the Web page. The attacker could also create an
HTML e-mail message that is designed to exploit this vulnerability
and persuade the user to view the HTML e-mail message. After the
user visits the malicious Web site or views the malicious HTML
e-mail message, the user would then be prompted to download an
HTML file. If the user accepts the download of this HTML file, an
attacker could read local files that are in a known location on
the user's system.
* A vulnerability that involves performing a drag-and-drop operation
during dynamic HTML (DHTML) events in Internet Explorer. This
vulnerability could allow a file to be saved in a target location
on the user's system if the user clicks a link. No dialog box
would request that the user approve this download. To exploit this
vulnerability, an attacker would have to host a
malicious Web site that contains a Web page that has a
specially-crafted link. The attacker would then have to persuade a
user to click that link. The attacker could also create an HTML
e-mail message that has a specially-crafted link, and then
persuade the user to view the HTML e-mail message and then click
the malicious link. If the user clicked this link, code of the
attacker's choice could be saved on the user's computer in a
targeted location.

As with the previous Internet Explorer cumulative updates that were
released with bulletins MS03-004, MS03-015, MS03-020, MS03-032, and
MS03-040, this cumulative update causes the window.showHelp( )
control to no longer work if you have not applied the HTML Help
update. If you have installed the updated HTML Help control from
Knowledge Base article 811630, you will still be able to use HTML
Help functionality after you apply this update.

Mitigating factors:

There are three common mitigating factors across all the
vulnerabilities:
* By default, Internet Explorer on Windows Server 2003 runs in
Enhanced Security Configuration. This default configuration of
Internet Explorer blocks automatic exploitation of this attack. If
Internet Explorer Enhanced Security Configuration has been
disabled, the protections that are put in place that prevent these
vulnerabilities from being automatically exploited would be
removed.
* In the Web-based attack scenario, the attacker would have to host
a Web site that contains a Web page that is used to exploit these
vulnerabilities. An attacker would have no way to force a user to
visit a malicious Web site. Instead, the attacker would have to
lure them there, typically by getting them to click a link that
takes them to the attacker's site.
* By default, Outlook Express 6.0, Outlook 2002 and Outlook 2003
open HTML e-mail messages in the Restricted sites zone.
Additionally, Outlook 98 and 2000 open HTML e-mail messages in the
Restricted sites zone if the Outlook E-mail Security Update has
been installed. The risk of attack from the HTML email vector can
be significantly reduced if the following conditions are met:
+ You have applied the patch included with Microsoft Security
bulletin MS03-040
+ You are using Internet Explorer 6 or later
+ You are using the Microsoft Outlook Email Security Update or
Microsoft Outlook Express 6.0 and higher, or Microsoft
Outlook 2000 or higher in their default configuration.
* If an attacker exploited these vulnerabilities, they would gain
only the same privileges as the user. Users whose accounts are
configured to have few privileges on the system would be at less
risk than ones who operate with administrative privileges.

In addition, there are two individual mitigating factors for the
XML Object Vulnerability:
* A Web page that tried to exploit this vulnerability would present
the user with a prompt to download an HTML file. An attacker could
only access files on the user's system if the user accepted this
prompt.
* An attacker can only access files that are in a known location on
the user's system.

Severity Rating:

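Cross-Domain Vulnerabilities:
* Internet Explorer 5.01 SP2, SP3, SP4: Critical
* Internet Explorer 5.5 SP2: Critical
* Internet Explorer 6 and Internet Explorer 6 SP1 (All versions earlier
than Windows Server 2003): Critical
* Internet Explorer 6 SP1 for Windows Server 2003: Moderate
* Internet Explorer 6 SP1 for Windows Server 2003 (64-Bit): Moderate

XML Object Vulnerability:
* Internet Explorer 5.01 SP2, SP3, SP4: Not affected
* Internet Explorer 5.5 SP2: Moderate
* Internet Explorer 6 and Internet Explorer 6 SP1 (All versions earlier
than Windows Server 2003): Moderate
* Internet Explorer 6 SP1 for Windows Server 2003: Low
* Internet Explorer 6 SP1 for Windows Server 2003 (64-Bit): Low

Drag-and-Drop Operation Vulnerability:
* Internet Explorer 5.01 SP2, SP3, SP4: Important
* Internet Explorer 5.5 SP2: Important
* Internet Explorer 6 and Internet Explorer 6 SP1 (All versions earlier
than Windows Server 2003): Important
* Internet Explorer 6 SP1 for Windows Server 2003: Moderate
* Internet Explorer 6 SP1 for Windows Server 2003 (64-Bit): Moderate

Aggregate Severity of All Issues Included in This Update:
* Internet Explorer 5.01 SP2, SP3, SP4: Critical
* Internet Explorer 5.5 SP2: Critical
* Internet Explorer 6 and Internet Explorer 6 SP1 (All versions earlier
than Windows Server 2003): Critical
* Internet Explorer 6 SP1 for Windows Server 2003: Moderate
* Internet Explorer 6 SP1 for Windows Server 2003 (64-Bit): Moderate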

The above assessment is based on the types of systems that are
affected by the vulnerability, their typical deployment patterns,
and the effect that exploiting the vulnerability would have on
them.

Vulnerability identifier:
* ExecCommand Cross Domain Vulnerability: CAN-2003-0814
* Function Pointer Override Cross Domain Vulnerability:
CAN-2003-0815
* Script URLs Cross Domain Vulnerability: CAN-2003-0816
* XML Object Vulnerability: CAN-2003-0817
* Drag-and-Drop Operation Vulnerability: CAN-2003-0823

Tested Versions:
Microsoft tested Internet Explorer 5.01 Service Pack 2, Internet
Explorer 5.01 Service Pack 3, Internet Explorer 5.01 Service Pack
4, Internet Explorer 5.5 Service Pack 2, Internet Explorer 6.0, and
Internet Explorer 6.0 Service Pack 1 to assess whether they are
affected by these vulnerabilities. Previous versions are no longer
supported, and may or may not be affected by these vulnerabilities.

Workarounds

Microsoft has tested the following workarounds that apply across
all the vulnerabilities. These workarounds help block known attack
vectors; however, they will not correct the underlying
vulnerabilities. Workarounds may reduce functionality in some
cases; in such cases, the reduction in functionality is identified
below.

Prompt before running ActiveX controls and active scripting in the
Internet zone and in the Intranet zone

You can help protect against these vulnerabilities by changing your
settings for the Internet security zone to prompt before running
ActiveX controls. To do this, follow these steps:
1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section,
under Run ActiveX controls and plug-ins, click Prompt.
5. In the Scripting section, under Active Scripting, click Prompt,
and then click OK.
6. Click Local intranet, and then click Custom Level.
7. Under Settings, in the ActiveX controls and plug-ins section,
under Run ActiveX controls and plug-ins, click Prompt.
8. In the Scripting section, under Active Scripting, click Prompt.
9. Click OK two times to return to Internet Explorer.
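
The settings changed in these steps are stored per zone in the registry. The following is an added example, not part of the bulletin, that audits whether the Local intranet and Internet zones are set to Prompt for the two settings named above. The registry path, the zone numbers (1 and 3), the action numbers (1200 and 1400) and the data values (0, 1, 3) are assumptions based on Internet Explorer's URL action flags; the bulletin itself does not list them.

```powershell
# Added example, not part of the bulletin. Reads the current user's zone
# settings and reports whether the "Prompt" workaround is in effect.
# Assumed registry layout (Internet Explorer URL action flags):
#   ...\Internet Settings\Zones\1 = Local intranet, \3 = Internet
#   value 1200 = Run ActiveX controls and plug-ins
#   value 1400 = Active scripting
#   data  0 = Enable, 1 = Prompt, 3 = Disable

$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$Zones = @(
    @{ Id = '1'; Name = 'Local intranet' },
    @{ Id = '3'; Name = 'Internet' }
)
$Actions = @(
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins' },
    @{ Id = '1400'; Name = 'Active scripting' }
)
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZonePromptAudit {
    param([string]$Root = $ZonesRoot)

    foreach ($zone in $Zones) {
        $key   = "$Root\$($zone.Id)"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        foreach ($action in $Actions) {
            # A missing key or value means the zone's template default applies.
            $raw = $null
            if ($props) { $raw = $props.($action.Id) }

            if ($null -eq $raw) {
                $state = 'Not set (zone template default applies)'
            } elseif ($Meaning.ContainsKey([int]$raw)) {
                $state = $Meaning[[int]$raw]
            } else {
                $state = "Unrecognized value $raw"
            }

            [pscustomobject]@{
                Zone            = $zone.Name
                Setting         = $action.Name
                Value           = $state
                # Disable is stricter than Prompt, so it also satisfies the workaround.
                MeetsWorkaround = ($raw -eq 1 -or $raw -eq 3)
            }
        }
    }
}

Get-ZonePromptAudit | Format-Table -AutoSize
```

Group Policy can override per-user values, so on managed machines run the same audit against the policy hive by passing its Zones path as -Root.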

Impact of Workaround:

There are side effects to prompting before running ActiveX
controls. Many Web sites that are on the Internet or on an intranet
use ActiveX to provide additional functionality. For example, an
online e-commerce site or banking site may use ActiveX controls to
provide menus, ordering forms, or even account statements.
Prompting before running ActiveX controls is a global setting that
affects all Internet and Intranet sites. You will be prompted
frequently when you enable this workaround. For each prompt, if you
feel you trust the site that you are visiting, click Yes to run
ActiveX controls. If you do not want to be prompted for all these
sites, use the "Restrict Web sites to only your trusted Web sites"
workaround.

Restrict Web sites to only your trusted Web sites

After you set Internet Explorer to require a prompt before it runs
ActiveX in the Internet zone and in the Intranet zone, you can add
sites that you trust to Internet Explorer's Trusted sites zone.
This will allow you to continue to use trusted Web sites exactly as
you do today, while helping to protect you from this attack on
untrusted sites. Microsoft recommends that you only add sites that
you trust to the Trusted sites zone.

To do this, follow these steps:
1. In Internet Explorer, click Tools, click Internet Options, and
then click the Security tab.
2. In the Select a Web content zone to specify its current security
settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel,
click to clear the Require server verification (https:) for all
sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site
that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet
Explorer.

Add any sites that you trust not to take malicious
action on your computer. One in particular that you may want to
add is "*.windowsupdate.microsoft.com" (without the quotes). This
is the site that will host the update, and it requires the use of
an ActiveX control to install the update.

Impact of Workaround:

For those sites that you have not configured to be in your Trusted
sites zone, their functionality will be impaired if they require
the use of ActiveX controls to function correctly. Adding sites to
your Trusted sites zone will allow them to be able to download the
ActiveX control that they require to function correctly. However,
you should only add Web sites you trust to the Trusted sites zone.

Install Outlook E-mail Security Update if you are using Outlook
2000 SP1 or earlier

By default, the Outlook Email Security Update causes Outlook 98 and
2000 to open HTML e-mail messages in the Restricted sites zone. By
default, Outlook Express 6.0, Outlook 2002, and Outlook 2003 open
HTML e-mail messages in the Restricted sites zone. Customers who
use any of these products are at reduced risk from an e-mail-borne
attack that tries to exploit this vulnerability, unless the user
clicks a malicious link in the e-mail message.

If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later,
read e-mail messages in plain text format to help protect yourself
from the HTML e-mail attack vector

Microsoft Outlook 2002 users who have applied Service Pack 1 or
later and Outlook Express 6.0 users who have applied Service Pack 1
or later can enable a feature that will enable them to view all
non-digitally-signed e-mail messages or non-encrypted e-mail
messages in plain text only.

Digitally-signed e-mail messages and encrypted e-mail messages are
not affected by the setting and may be read in their original
formats. Information about how to enable this setting in Outlook
2002 can be found in the following Knowledge Base article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;307594

Information about how to enable this setting in Outlook Express 6.0
can be found in the following Knowledge Base article:

http://support.microsoft.com/?kbid=291387

Impact of Workaround:

E-mail that is viewed in plain text format cannot contain pictures,
specialized fonts, animations, or other rich content. Additionally:
* The changes are applied to the preview pane and to open messages.
* Pictures become attachments to avoid loss of message content.
* Because the message is still in Rich Text Format or in HTML format
in the mail store, the object model (custom code solutions) may
behave unexpectedly.

Frequently Asked Questions

Why are the version numbers for the files in the Internet Explorer
5.01 Service Pack 3 Security Update lower than the version numbers
of the files in the Internet Explorer 5.01 Service Pack 3 Security
Update described by MS03-040?
Prior to this release the Internet Explorer 5.01 Service Pack 3 and
the Internet Explorer 5.01 Service Pack 4 Security Updates were
combined in a single package that installed on both platforms. In
this release, these were separated to correct a problem with the
About help screen on Internet Explorer 5.01 Service Pack 3. As part
of this separation, the version numbers of the files in this
package were lowered.

Does the Internet Explorer 5.01 Service Pack 3 Security Update in
this release contain all the fixes up to and including this release
even though the files are a lower version number?
Yes. Even though the file versions for the Internet Explorer
Service Pack 3 Security Update are lower than previous Security
Updates for this platform, it is still cumulative and includes all
fixes in past Security Updates including this Security Update
(MS03-048).

Why is the update available for Windows 98 and Windows 98 Second
Edition?
While Windows 98 and Windows 98 Second Edition no longer qualify
for no-charge or extended support, Internet Explorer 6 Service Pack
1 and Internet Explorer 5.5 Service Pack 2 are supported on those
operating systems until January 16, 2004 and December 31, 2003
respectively. See the Internet Explorer FAQ, the Windows 98 and
Windows 98 SE FAQ or the Microsoft Support Lifecycle site for
additional information.

What vulnerabilities are eliminated by this update?
This is a cumulative update that incorporates the functionality of
all previously released updates for Internet Explorer.
Additionally, this update eliminates the following newly reported
vulnerabilities:
* Three vulnerabilities that could allow an attacker to cause
arbitrary code to run on the user's system.
* A vulnerability that could allow an attacker to access local files
and cookies on a user's system.
* A vulnerability that could allow an attacker to save arbitrary
code on the user's system.

Does the update contain any other security changes?
Yes. This update also sets the kill bit on the following ActiveX
controls:

Description                                 File Name     CLSID
Windows Trouble Shooter                     Tshoot.ocx    4B106874-DD36-11D0-8B44-00A024DD9EFF
Symantec® RuFSI Registry Information Class  Rufsi.dll     69DEAF94-AF66-11D3-BEC0-00105AA9B6AE
RAV Online Scanner                          Ravonine.cab  D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249

These controls have been found to contain security vulnerabilities
and are no longer supported by Internet Explorer. To protect
customers who have these controls installed, this update helps
prevent the controls from running or from being reintroduced onto
users' systems by setting the kill bit for each control. In the
cases where a kill bit is set on a third-party control, the setting
has been made with the permission of the owner. A kill bit can be
set for any control manually by following the instructions in the
Knowledge Base article Q240797.
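
To confirm that the kill bits described above are present after the update is installed, the following added example (not part of the bulletin) checks the three CLSIDs from the table. It assumes the mechanism described in the referenced Knowledge Base article: a "Compatibility Flags" DWORD with the 0x400 bit set under the "ActiveX Compatibility" key for each CLSID; the WOW6432Node path for 32-bit Internet Explorer on 64-bit Windows is also an assumption.

```powershell
# Added example, not part of the bulletin. Reports whether the kill bit is
# set for the three controls listed in MS03-048.
# Assumption: the kill bit is flag 0x400 in the "Compatibility Flags" DWORD
# under ...\Internet Explorer\ActiveX Compatibility\{CLSID}.

$KillBit = 0x00000400

# CLSIDs copied from the bulletin's table.
$Controls = @(
    @{ Name = 'Windows Trouble Shooter (Tshoot.ocx)'
       Clsid = '{4B106874-DD36-11D0-8B44-00A024DD9EFF}' },
    @{ Name = 'Symantec RuFSI Registry Information Class (Rufsi.dll)'
       Clsid = '{69DEAF94-AF66-11D3-BEC0-00105AA9B6AE}' },
    @{ Name = 'RAV Online Scanner (Ravonine.cab)'
       Clsid = '{D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249}' }
)

# Native view, plus the 32-bit view used by 32-bit Internet Explorer on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    foreach ($root in $Roots) {
        # The WOW6432Node root does not exist on 32-bit systems; skip it there.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($control in $Controls) {
            $key   = "$root\$($control.Clsid)"
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                $item  = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
                $flags = $item.'Compatibility Flags'
            }

            # A missing key or value means no kill bit has been set for the control.
            $isSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
            $shown = '(absent)'
            if ($null -ne $flags) { $shown = '0x{0:X8}' -f $flags }

            [pscustomobject]@{
                Control    = $control.Name
                Key        = $key
                Flags      = $shown
                KillBitSet = $isSet
            }
        }
    }
}

Get-KillBitStatus | Format-List
```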

I am running Internet Explorer on Windows Server 2003. Does this
mitigate these vulnerabilities?
Yes. By default, Internet Explorer on Windows Server 2003 runs in a
restricted mode that is known as Enhanced Security Configuration.

What is Internet Explorer Enhanced Security Configuration?
Internet Explorer Enhanced Security Configuration is a group of
preconfigured Internet Explorer settings that reduce the likelihood
of a user or of an administrator downloading and running malicious
Web content on a server. Internet Explorer Enhanced Security
Configuration reduces this risk by modifying numerous
security-related settings, including the settings on the Security
and the Advanced tab in the Internet Options dialog box. Some of
the important modifications include:
* Security level for the Internet zone is set to High. This setting
disables scripts, ActiveX controls, Microsoft Java Virtual Machine
(MSJVM), HTML content, and file downloads.
* Automatic detection of intranet sites is disabled. This setting
assigns all intranet Web sites and all Universal Naming Convention
(UNC) paths that are not explicitly listed in the Local intranet
zone to the Internet zone.
* Install On Demand and non-Microsoft browser extensions are
disabled. This setting prevents Web pages from automatically
installing components and prevents non-Microsoft extensions from
running.
* Multimedia content is disabled. This setting prevents music,
animations, and video clips from running.

Disabling Internet Explorer Enhanced Security Configuration would
remove the protections that are put in place to help prevent this
vulnerability from being exploited. For more information about
Internet Explorer Enhanced Security Configuration, see the Managing
Internet Explorer Enhanced Security Configuration guide. To do so,
visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

Is there any configuration of Windows Server 2003 that is likely to
have Internet Explorer Enhanced Security Configuration disabled?
Yes. Systems Administrators who have deployed Windows Server 2003
as a Terminal Server would likely disable Internet Explorer
Enhanced Security Configuration to allow users of the Terminal
Server to use Internet Explorer in an unrestricted mode.

CAN-2003-0814, CAN-2003-0815, CAN-2003-0816: ExecCommand, Function
Pointer Override, and Script URL Cross-Domain Vulnerabilities Could
Allow Remote Code Execution

What is the scope of these vulnerabilities?
These vulnerabilities could allow a malicious Web site operator to
access information in another Internet or intranet domain or on the
user's local system by injecting specially-crafted code when the
browser parses specially formatted Script URLs. This could also
allow an attacker to run an executable file of their choice on the
user's system. Although these vulnerabilities are all subtly
different, the effects are the same.

What causes these vulnerabilities?
These vulnerabilities result because three different programming
functions can bypass the cross-domain security model that Internet
Explorer implements.

What is the cross-domain security model that Internet Explorer
implements?
One of the principal security functions of a browser is to ensure
that browser windows that are under the control of different Web
sites cannot interfere with each other or access each other's data,
while allowing windows from the same site to interact with each
other. To differentiate between cooperative and uncooperative
browser windows, the concept of a "domain" has been created. A
domain is a security boundary - any open windows within the same
domain can interact with each other, but windows from different
domains cannot. The cross-domain security model is the part of the
security architecture that keeps windows from different domains
from interfering with each other.

The simplest example of a domain is associated with Web sites. If
you visit http://www.microsoft.com, and it opens a window to
http://www.microsoft.com/security, the two windows can interact
with each other because both sites belong to the same domain,
http://www.microsoft.com. However, if you visited
http://www.microsoft.com, and it opened a window to a different Web
site, the cross-domain security model would protect the two windows
from each other. The concept goes even further. The file system on
your local computer is also a domain. For example,
http://www.microsoft.com could open a window and show you a file on
your hard disk. However, because your local file system is in a
different domain from the Web site, the cross-domain security model
should prevent the Web site from reading the file that is being
displayed.

The Internet Explorer cross-domain security model can be configured
by using the security zone settings in Internet Explorer.

What are Internet Explorer security zones?
Internet Explorer security zones are a system that divides online
content into categories or zones based on its trustworthiness.
Specific Web domains can be assigned to a zone, depending on how
much trust is placed in the content of each domain. The zone then
restricts the capabilities of the Web content, based on the zone's
policy. By default, most Internet domains are treated as part of
the Internet zone, which has default policy that prevents scripts
and other active code from accessing resources on the local system.

What is wrong with the way Internet Explorer calculates cross
domain security?
Internet Explorer evaluates security when one Web page requests
access to resources in another security zone. However, there are
three vulnerabilities in how the security is calculated when three
different programming functions are used. As a result, an attacker
can bypass the security checks. Although these vulnerabilities are
all subtly different, the effects are the same.

What could these vulnerabilities enable an attacker to do?
An attacker could use these vulnerabilities to create a Web page
that could allow the attacker to access data across domains. This
could include accessing information from other Web sites, from
local files on the system, or from running executable files that
already exist on the local file system. This could also include
running executable files of the attacker's choice on the user's
local file system.

How could an attacker exploit these vulnerabilities?
An attacker could seek to exploit these vulnerabilities by creating
a malicious Web page or an HTML e-mail message and then enticing
the user to visit this page or to view the HTML e-mail message.
When the user visited the page or viewed the e-mail message, the
attacker could cause script to run in the security context of the
My Computer zone.

What systems are primarily at risk from the vulnerability?
Any system that has Internet Explorer installed is at risk from
these vulnerabilities. This update should be installed immediately
on all systems. However, these vulnerabilities require a user to be
logged on and to be using Internet Explorer for any malicious
action to occur. Therefore, any systems where Internet Explorer is
actively used (such as user's workstations) are at the most risk
from these vulnerabilities. Systems where Internet Explorer is not
actively used (such as most server systems) are at a reduced risk.

What does the update do?
The update addresses the vulnerabilities by ensuring that the
correct cross domain security checks take place whenever the
affected programming functions are used.

CAN-2003-0817: XML Object Vulnerability Could Allow Information
Disclosure

What is the scope of the vulnerability?
This vulnerability involves how zone information is passed to an
XML document in Internet Explorer and could result in an attacker
being able to read local files on a user's system. To exploit this
vulnerability, an attacker would have to host a malicious Web site
that contained a Web page that is designed to exploit this
particular vulnerability and then persuade a user to visit that
site. After the user had visited the malicious Web site, an
attacker could read local files from a known location on the user's
system.

What causes the vulnerability?
This vulnerability results because Internet Explorer improperly
validates the path when binding content to an XML document. As a
result, local file content can be bound to an XML document from the
Internet zone or from the intranet zone.

What is an XML document?
An XML document is a representation of the World Wide Web
Consortium's (W3C) Document Object Model (DOM) Level 1 Core and the
Core DOM Level 2. These documents provide standards-based support
for processing XML. For more information about XML documents, visit
MSDN.

What might an attacker use the vulnerability to do?
An attacker that successfully exploited this vulnerability could
obtain a list of recently visited Web sites, grab session
information from the user's cookie files, or access data in files
that are stored in a known location on the user's file system.

How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would have to host a
malicious Web site or an HTML e-mail message that contained a Web
page that is designed to exploit this particular vulnerability and
then persuade a user to visit that site or view the e-mail message.
After the user viewed the Web site or the HTML e-mail message, they
would be prompted to download an HTML file. If the user accepted
the download of this HTML file, an attacker could read local files
on the user's system.

What systems are primarily at risk from the vulnerability?
Any system that has Internet Explorer installed is at risk from
this vulnerability and this update should be installed immediately
on all systems. However, this vulnerability requires a user to be
logged on and to be using Internet Explorer for any malicious
action to occur. Therefore, any systems where Internet Explorer is
actively used (such as user's workstations) are at the most risk
from this vulnerability. Systems where Internet Explorer is not
actively used (such as most server systems) are at a reduced risk.

What does the update do?
The update corrects the vulnerability by ensuring that the path is
properly evaluated when binding content to a data object. As a
result, local file content cannot be bound to an XML object from the
Internet zone or from the Intranet zone.

CAN-2003-0823: Drag and Drop Vulnerability Could Allow Arbitrary
Code to be Saved on User's System

What is the scope of the vulnerability?
This vulnerability involves the Drag and Drop event in Internet
Explorer and could result in a file being saved on the user's
system when the user clicked a link. The user would not receive a
dialog box requesting to approve the download. To exploit this
vulnerability, an attacker would have to host a malicious Web site
that contained a Web page with a link that is designed to exploit
this particular vulnerability and then persuade a user to visit
that site. If the user clicked the malicious link, any code of the
attacker's choice could be saved in a target location on the user's
computer.

What causes the vulnerability?
This vulnerability is caused by Drag and Drop technology improperly
validating certain Dynamic HTML (DHTML) events. As a result, a file
could be downloaded to the user's system after the user clicks a
link.

What are DHTML events?
DHTML events are special actions that are provided by the DHTML
Object Model. These events can be used in script code to add
dynamic content to a Web site. For more information about DHTML
events, visit MSDN.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could
save code of their choice to the user's local file system. Although
this code could not be executed through this vulnerability
directly, the operating system might open the file if it is dropped
to a sensitive location, or a user may click the file
inadvertently, causing the attacker's code to be executed.

How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would have to host a
malicious Web site that contained a Web page with a link that is
designed to exploit this particular vulnerability and then persuade
a user to visit that site. If the user clicked the malicious link,
any code of the attacker's choice could be saved on the user's
computer in a targeted location.

What systems are primarily at risk from the vulnerability?
Any system that has Internet Explorer installed is at risk from
this vulnerability, and this update should be installed immediately
on all systems. However, this vulnerability requires a user to be
logged on and to be using Internet Explorer for any malicious
action to occur. Therefore, any systems where Internet Explorer is
actively used (such as user's workstations) are at the most risk
from this vulnerability. Systems where Internet Explorer is not
actively used (such as most server systems) are at a reduced risk.

What does the update do?
This update corrects this vulnerability by correctly evaluating
Drag and Drop operations during DHTML events.

Security Update Information

Prerequisites

Microsoft has tested the versions of Windows and the versions of
Internet Explorer that are listed in this bulletin to assess
whether they are affected by these vulnerabilities and to confirm
that the update that this bulletin describes addresses these
vulnerabilities.

To install the Internet Explorer 6 Service Pack 1 (SP1) versions of
this update, you must be running Internet Explorer 6 SP1 (version
6.00.2800.1106) on one of the following versions of Windows:
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows NT® Workstation 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition, Service
Pack 6
* Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service
Pack 4
* Microsoft Windows XP
* Microsoft Windows XP Service Pack 1

To install the Internet Explorer 6 version of this update, you must
be running Internet Explorer 6 (version 6.00.2600.0000) on Windows
XP.

To install the Internet Explorer 5.5 version of this update, you
must be running Internet Explorer 5.5 Service Pack 2 (version
5.50.4807.2300) on one of the following versions of Windows:
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows NT® Workstation 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition, Service
Pack 6
* Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service
Pack 4

To install the Internet Explorer 5.01 version of this update, you
must be running one of the following:
* Internet Explorer 5.01 Service Pack 4 (version 5.00.3700.1000) on
Windows 2000 SP4
* Internet Explorer 5.01 Service Pack 3 (version 5.00.3502.1000) on
Windows 2000 SP3
* Internet Explorer 5.01 Service Pack 2 (version 5.00.3502.1000) on
Windows 2000 SP2

Note: Versions of Windows and versions of Internet Explorer that
are not listed in this article are no longer supported. Although
you can install some of the update packages that are described in
this article on these versions of Windows and of Internet Explorer,
Microsoft has not tested these versions to assess whether they are
affected by these vulnerabilities or to confirm that the update
that this article describes addresses these vulnerabilities.
Microsoft recommends that you upgrade to a supported version of
Windows and of Internet Explorer, and then apply the appropriate
update.

For additional information about how to determine which version of
Internet Explorer you are running, click the following article
number to view the article in the Microsoft Knowledge Base:

164539 How to Determine Which Version of Internet Explorer Is
Installed

For additional information about support life cycles for Windows
components, visit the following Microsoft Web site:

http://www.microsoft.com/windows/lifecycle/desktop/business/components.mspx

For additional information about how to obtain the latest service
pack for Internet Explorer 6, click the following article number to
view the article in the Microsoft Knowledge Base:

328548 How to Obtain the Latest Service Pack for Internet Explorer
6

For additional information about how to obtain the latest service
pack for Internet Explorer 5.5, click the following article number
to view the article in the Microsoft Knowledge Base:

276369 How to Obtain the Latest Service Pack for Internet Explorer
5.5

For additional information about how to obtain the latest service
pack for Internet Explorer 5.01, click the following article number
to view the article in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack

Restart Requirements

You must restart your computer to complete the installation. After
reboot, an administrator logon is no longer required for any
version of this update.

Previous Update Status

This update replaces the MS03-040: October, 2003, Cumulative Update
for Internet Explorer (828750).

Setup Switches

The Windows Server 2003 versions of this security update (including
Windows XP 64-Bit Edition, Version 2003) support the following
Setup switches:

/?: Show the list of installation switches.

/u: Use Unattended mode.

/f: Force other programs to quit when the computer shuts down.

/n: Do not back up files for removal.

/o: Overwrite OEM files without prompting.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

/l: List the installed hotfixes.

/x: Extract the files without running Setup.

For example, to install the Windows Server 2003 32-bit security
update without any user intervention, use the following command:

windowsserver2003-kb824145-x86-enu.exe /u /q

To install this security update without forcing the computer to
restart, use the following command:

windowsserver2003-kb824145-x86-enu.exe /z

Note: You can combine these switches in one command.

For information about how to deploy this security update by using
Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/windows2000/windowsupdate/sus/susoverview.asp

The other update packages for this security update support the
following Setup switches:

/q: Use Quiet mode or suppress messages when the files are being
extracted.

/q:u: Use User-Quiet mode. User-Quiet mode presents some dialog
boxes to the user.

/q:a: Use Administrator-Quiet mode. Administrator-Quiet mode does
not present any dialog boxes to the user.

/t: path: Specify the location of the temporary folder that is used
by Setup or the target folder for extracting the files (when you
are using the /c switch).

/c: Extract the files without installing them. If you do not
specify the /t: path switch, you are prompted for a target folder.

/c: path: Specify the path and the name of the Setup .inf file or
the .exe file.

/r:n: Never restart the computer after installation.

/r:i: Prompt the user to restart the computer if a restart is
required, except when this switch is used with the /q:a switch.

/r:a: Always restart the computer after installation.

/r:s: Restart the computer after installation without prompting the
user.

/n:v: Do not check the version. Use this switch with caution to
install the update on any version of Internet Explorer.

For example, to install the update without any user intervention
and not force the computer to restart, use the following command:

q824145.exe /q:a /r:n

Verifying Update Installation

To verify that the security update is installed on your computer,
use the Microsoft Baseline Security Analyzer (MBSA) tool. For
additional information about MBSA, click the following article
number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is
Available

You may also be able to verify the files that this security update
installed by using one of the following methods:
* Confirm that Q824145 is listed in the Update Versions field in the
About Internet Explorer dialog box. You cannot use this method on
Windows Server 2003 or on Windows XP 64-Bit Edition, Version 2003
because the package does not update the Update Versions field for
these versions of Windows.
* Compare the versions of the updated files on your computer with
the files that are listed in the "File Information" section in
this bulletin.
* Confirm that the following registry entries exist:
+ Windows Server 2003 and Windows XP 64-Bit Edition, Version
2003:
Confirm that the Installed DWORD value with a data value of 1
appears in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB824145
+ All other versions of Windows:
Confirm that the IsInstalled DWORD value with a data value of
1 appears in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{057997dd-71e4-43cc-b161-3f8180691a9e}
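
The file-version comparison described above, as an added Python example
that is not part of the Microsoft bulletin. It uses the Internet Explorer
6 SP1 rows from the "File Information" section; the installed-version
inventory is constructed sample data and the function names are
hypothetical.

```python
# Added example: check collected file versions against the bulletin's
# "or later" minimums for Internet Explorer 6 SP1 (rows copied from the
# File Information section: version, size, date, file name).
BULLETIN_IE6_SP1 = """\
6.0.2800.1276 2,799,104 10-16-2003 Mshtml.dll
6.0.2800.1276 1,339,392 10-16-2003 Shdocvw.dll
6.0.2800.1276 395,264 10-16-2003 Shlwapi.dll
6.0.2800.1282 484,352 10-17-2003 Urlmon.dll
"""

# Constructed inventory (not real telemetry): file name -> version string
# as collected from an endpoint. Urlmon.dll is deliberately absent.
CONSTRUCTED_INVENTORY = {
    "MSHTML.DLL": "6.0.2800.1276",   # exactly the bulletin version
    "shdocvw.dll": "6.0.2800.996",   # older build; "996" sorts after "1276" as text
    "shlwapi.dll": "6.0.2800.1400",  # later build, acceptable ("or later")
}


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a four-part file version: %r" % text)
    return tuple(int(p) for p in parts)


def parse_bulletin_table(table):
    """Map lower-cased file name -> minimum version from bulletin rows."""
    minimums = {}
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip headers, branch labels such as RTMQFE, blanks
        version, _size, _date, name = fields
        minimums[name.lower()] = parse_version(version)
    return minimums


def audit(installed, minimums):
    """Return file name -> 'ok', 'outdated', 'missing' or 'unparseable'."""
    normalized = {name.lower(): ver for name, ver in installed.items()}
    report = {}
    for name, required in sorted(minimums.items()):
        raw = normalized.get(name)
        if raw is None:
            report[name] = "missing"
            continue
        try:
            report[name] = "ok" if parse_version(raw) >= required else "outdated"
        except ValueError:
            report[name] = "unparseable"
    return report


if __name__ == "__main__":
    result = audit(CONSTRUCTED_INVENTORY, parse_bulletin_table(BULLETIN_IE6_SP1))
    for name, status in result.items():
        print("%-12s %s" % (name, status))
```

Comparing the version strings as text would report the constructed
shdocvw.dll build as newer than the bulletin's; the tuple comparison
flags it as outdated.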

Removal Information

To remove this update, use the Add or Remove Programs tool (or the
Add/Remove Programs tool) in Control Panel. Click Internet Explorer
Q824145, and then click Change/Remove (or click Add/Remove).

On Windows Server 2003 and on Windows XP 64-Bit Edition, Version
2003, system administrators can use the Spuninst.exe utility to
remove this security update. The Spuninst.exe utility is located in
the %Windir%\$NTUninstallKB824145$\Spuninst folder. This utility
supports the following Setup switches:

/?: Show the list of installation switches.

/u: Use Unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

On all other versions of Windows, system administrators can use the
Ieuninst.exe utility to remove this update. This security update
installs the Ieuninst.exe utility in the %Windir% folder. This
utility supports the following Setup switches:

/?: Show the list of supported switches.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

For example, to remove this update quietly, use the following
command:

c:\windows\ieuninst /q c:\windows\inf\q824145.inf

Note: This command assumes that Windows is installed in the
C:\Windows folder.

File Information

The English version of this fix has the file attributes (or later)
that are listed in the following table. The dates and times for
these files are listed in coordinated universal time (UTC). When
you view the file information, it is converted to local time. To
find the difference between UTC and local time, use the Time Zone
tab in the Date and Time tool in Control Panel.

For information about the specific security update for your
platform, click the appropriate link.

Internet Explorer 6 SP1 for Windows XP, Windows XP SP1,
Windows 2000 SP2, Windows 2000 SP3, Windows 2000 SP4, Windows NT 4.0
SP6a, Windows Millennium Edition, Windows 98, and Windows 98 Second
Edition

Version Size Date File name
6.0.2800.1276 2,799,104 10-16-2003 Mshtml.dll
6.0.2800.1276 1,339,392 10-16-2003 Shdocvw.dll
6.0.2800.1276 395,264 10-16-2003 Shlwapi.dll
6.0.2800.1282 484,352 10-17-2003 Urlmon.dll

Internet Explorer 6 SP1 (64-Bit) for Windows XP 64-Bit
Edition

Version Size Date File name
6.0.2800.1276 9,082,368 10-16-2003 Mshtml.dll
6.0.2800.1276 3,649,536 10-16-2003 Shdocvw.dll
6.0.2800.1276 1,095,168 10-16-2003 Shlwapi.dll
6.0.2800.1282 1,414,656 10-20-2003 Urlmon.dll

Internet Explorer 6 SP1 on Windows Server 2003

Version Size Date File name
RTMQFE
6.0.3790.96 509,440 10-24-2003 urlmon.dll
6.0.3790.94 2,918,400 10-24-2003 mshtml.dll
6.0.3790.94 1,394,688 10-24-2003 shdocvw.dll
RTMGDR
6.0.3790.94 509,440 10-24-2003 urlmon.dll
6.0.3790.94 2,918,400 10-24-2003 mshtml.dll
6.0.3790.94 1,394,688 10-24-2003 shdocvw.dll

Internet Explorer 6 SP1 (64-Bit) on Windows 2003 64-Bit
Versions and on Windows XP 64-Bit Edition, Version 2003

Version Size Date File name
RTMQFE
6.0.3790.94 8,211,968 10-24-2003 mshtml.dll
6.0.3790.94 3,360,256 10-24-2003 shdocvw.dll
6.0.3790.96 1,271,808 10-24-2003 urlmon.dll
RTMQFE - WOW
6.0.3790.94 2,918,400 10-24-2003 wmshtml.dll
6.0.3790.94 1,394,688 10-24-2003 wshdocvw.dll
6.0.3790.96 509,440 10-24-2003 wurlmon.dll
RTMGDR
6.0.3790.94 8,211,968 10-24-2003 mshtml.dll
6.0.3790.94 3,360,768 10-24-2003 shdocvw.dll
6.0.3790.94 1,271,808 10-24-2003 urlmon.dll
RTMGDR - WOW
6.0.3790.94 2,918,400 10-24-2003 wmshtml.dll
6.0.3790.94 1,394,688 10-24-2003 wshdocvw.dll
6.0.3790.94 509,440 10-24-2003 wurlmon.dll

Internet Explorer 6 for Windows XP

Version Size Date File name
6.0.2734.1600 2,763,776 10-16-2003 mshtml.dll
6.0.2722.900 34,304 08-15-2003 pngfilt.dll
6.0.2715.400 548,864 03-04-2002 shdoclc.dll
6.0.2734.1600 1,336,832 10-16-2003 shdocvw.dll
6.0.2730.1200 391,168 08-15-2003 shlwapi.dll
6.0.2715.400 109,568 08-15-2003 url.dll
6.0.2734.200 481,792 10-02-2003 urlmon.dll
6.0.2718.400 583,168 06-06-2002 wininet.dll

Internet Explorer 5.5 SP2 for Windows 2000 SP2, Windows
2000 SP3, Windows 2000 SP4, Windows NT 4.0 SP6a, Windows Millennium
Edition, Windows 98, and Windows 98 Second Edition

Version Size Date File name
5.50.4934.1600 2,760,976 10-16-2003 Mshtml.dll
5.50.4922.900 48,912 10-16-2002 Pngfilt.dll
5.50.4934.1600 1,149,712 10-16-2003 Shdocvw.dll
5.50.4930.1200 300,816 06-12-2003 Shlwapi.dll
5.50.4915.500 84,240 03-04-2002 Url.dll
5.50.4934.200 451,344 10-02-2003 Urlmon.dll
5.50.4918.600 481,552 06-06-2002 Wininet.dll

Internet Explorer 5.01 for Windows 2000 SP2

Version Size Date File name
5.0.3523.1700 2,282,768 10-17-2003 Mshtml.dll
5.0.3521.1800 48,912 08-19-2003 Pngfilt.dll
5.0.3523.1700 1,099,536 10-17-2003 Shdocvw.dll
5.0.3521.1800 279,824 08-19-2003 Shlwapi.dll
5.50.4915.500 84,240 03-04-2002 Url.dll
5.0.3523.200 409,360 10-02-2003 Urlmon.dll
5.0.3521.1800 445,200 08-19-2003 Wininet.dll

Internet Explorer 5.01 for Windows 2000 SP3

Version Size Date File name
5.0.3523.1700 2,282,768 10-17-2003 mshtml.dll
5.0.3521.1800 48,912 08-19-2003 pngfilt.dll
5.0.3523.1700 1,099,536 10-17-2003 shdocvw.dll
5.0.3521.1800 279,824 08-19-2003 shlwapi.dll
5.50.4915.500 84,240 03-04-2002 url.dll
5.0.3523.200 409,360 10-02-2003 urlmon.dll
5.0.3521.1800 445,200 08-19-2003 wininet.dll

Internet Explorer 5.01 for Windows 2000 SP4

Version Size Date File name
5.0.3810.1700 2,282,768 10-17-2003 mshtml.dll
5.0.3806.1200 48,912 06-12-2003 pngfilt.dll
5.0.3810.1700 1,099,536 10-17-2003 shdocvw.dll
5.0.3806.1200 279,824 06-12-2003 shlwapi.dll
5.50.4915.500 84,240 03-04-2002 url.dll
5.0.3810.200 409,360 10-02-2003 urlmon.dll
5.0.3806.1200 445,200 06-12-2003 wininet.dll

Acknowledgments

Microsoft thanks the following for working with us to help protect
customers:
* jelmer (jkuperus@planet.nl) for reporting the XML Object
(CAN-2003-0817) issue to us.

Obtaining other security updates:

Updates for other security issues are available from the following
locations:
* Security updates are available from the Microsoft Download Center
and can be most easily found by doing a keyword search for
"security_patch."
* Updates for consumer platforms are available from the Windows
Update Web site.

Support:
* Technical support is available from Microsoft Product Support
Services at 1-866-PCSAFETY. There is no charge for support calls
associated with security patches.
* International customers can get support from their local Microsoft
subsidiaries. There is no charge for support associated with
security updates. Information on how to contact Microsoft support
is available at
http://support.microsoft.com/common/international.aspx

Security Resources:
* The Microsoft TechNet Security Web site provides additional
information about security in Microsoft products.
* Microsoft Software Update Services: http://www.microsoft.com/sus/
* Microsoft Baseline Security Analyzer (MBSA) details:
http://www.microsoft.com/mbsa. Please see
http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for
a list of security updates that have detection limitations with the
MBSA tool.
* Windows Update Catalog:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
* Windows Update: http://windowsupdate.microsoft.com
* Office Update: http://office.microsoft.com/officeupdate/

Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to
quickly and reliably deploy the latest critical updates and security
updates to Windows® 2000 and Windows Server(TM) 2003-based servers, as
well as to desktop computers running Windows 2000 Professional or
Windows XP Professional.

For information about how to deploy this security patch with Software
Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/sus/

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this
security update. For information about Systems Management Server visit
the SMS Web Site. SMS also provides several additional tools to assist
administrators in the deployment of security updates such as the SMS
2.0 Software Update Services Feature Pack and the SMS 2.0
Administration Feature Pack. The SMS 2.0 Software Update Services
Feature Pack utilizes the Microsoft Baseline Security Analyzer and the
Microsoft Office Detection Tool to provide broad support for security
bulletin remediation. Some software updates may require administrative
rights following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update
Services Feature Pack may be used for targeting updates to specific
computers, and the SMS 2.0 Administration Feature Pack's Elevated
Rights Deployment Tool can be used for installation. This provides
optimal deployment for updates that require explicit targeting using
Systems Management Server and administrative rights after the computer
has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event
shall Microsoft Corporation or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if Microsoft Corporation
or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may
not apply.

Revisions:
* V1.0 (November 11, 2003): Bulletin published
* V1.1 (November 12, 2003): Updated severity rating URL in Technical
Details and added clarification text in Tested Versions.
