IE has another megapatch
Published: 28 May 2002 10:15 BST
Local Information Disclosure Through HTML Object
Attackers must know the name and directory for the file they want to exploit. In addition, the file must contain a specific ASCII character or the attack will fail. Recently patched versions of Outlook and Outlook Express open HTML e-mails in the restricted security zone, which will block this attack as well. Outlook 2002 SP1 with Read As Plain Text enabled for HTML e-mail would also block the attack.
Information Disclosure Vulnerability Cookie Scripts
Microsoft says that an attack would require that the exact name of the cookie be known. The attack also requires the user to click on a link, so it can't be automated. The same patches and versions described as safe against the previous vulnerability (HTML Object CSS) are also protected against this attack.
Zone Spoofing Through Malformed Web Page
Any attack would require a direct NetBIOS connection between the user and the attacker's Web site. A firewall and most ISPs' standard filtering will block the attack. Other vectors of attack using this vulnerability would require detailed knowledge of the user's system settings, and default settings aren't vulnerable.
Content Disposition variants
Several technical aspects of this attack make it unlikely that it would be successful, including the requirement that the attacker have intimate knowledge of the user's system. This indicates that the attack would probably be successful only if made by an insider, and DNS blocking would foil the attack.
Fix
For the moment, applying the patch supplied with MS02-023 appears to fix all known problems in IE 6.0. Since Microsoft hasn't documented the dialogArguments (Cross-Site Scripting) vulnerability for IE 5.01 and IE 5.5 and, according to GreyMagic, actually patched only a portion of the problem, the current patch doesn't fix this vulnerability in IE 5.01 or IE 5.5. There remains some doubt as to whether IE 6.0 is correctly patched, since Microsoft's explanation of this vulnerability in its security bulletin is disputed by outside security experts who claim it wasn't properly addressed. The other threats to IE 5.01 and IE 5.5 appear to be corrected by this patch.
Final word
Thanks to GreyMagic for immediately notifying me of problems it discovered with this cumulative patch. I contacted Microsoft for clarification on this matter, but at the time of this writing, I hadn't heard back. I will post any response from Microsoft in the discussion section below.