IE has another megapatch

John McCormick

Published: 28 May 2002 10:15 BST

Applicability
Microsoft Internet Explorer releases 5.01, 5.5, and 6.0 are affected by these threats. Microsoft no longer supports earlier versions of IE, although they could be affected by these flaws.

Risk level -- critical
Microsoft rates a number of the covered vulnerabilities as critical and recommends that any users of IE 5, IE 5.5, or IE 6 apply this patch immediately.

Cross-Site Scripting in Local HTML Resource is critical for IE 6.0 clients and moderate for servers. According to Microsoft, this poses no threat to IE 5.01 and IE 5.5, but if GreyMagic is correct -- and as far as I can determine, it is -- IE 5.01 occasionally and IE 5.5 always remain vulnerable to this threat even after this patch.

The Local Information Disclosure Through HTML Object threat affects IE 5.01, IE 5.5, and IE 6.0 and is critical for client systems and moderate for servers.

The Information Disclosure Vulnerability Cookie Scripts threat affects IE 5.5 and IE 6.0 and is critical for client systems and moderate for servers. According to Microsoft, IE 5.01 is not vulnerable.

The Zone Spoofing Through Malformed Web Page flaw is low for all. The Content Disposition variants are moderate for IE 5.01 and 6.0 servers and clients and pose no risk for IE 5.5 client or server.

Mitigating factors
Cross-Site Scripting in Local HTML Resource
Microsoft says that there is no way to automate this attack because it requires the user to click on a hyperlink. However, according to GreyMagic, "This is simply wrong; the user doesn't have to click anything for this issue to be exploited. It can run automatically." Microsoft also indicated that correctly updated and patched versions of Outlook, Outlook Express, and Outlook 2002 SP1 now open all HTML code in the Restricted Sites Zone, which would block this attack.
