November 20, 2002

Information Security Advisory

Today, Microsoft issued a new Internet Explorer security patch. If you perform a Windows update on your PC, you will notice that additional Windows XP, Windows 2000, etc. updates are also available. One of them fixes the certificate security issue we reported to you on August 13, 2002: poor Microsoft implementation of the SSL web security standard that enables a hacker to spoof a server certificate. Microsoft finally got to it and released the patch today.

Cumulative Patch for Internet Explorer (Q328970)

Originally posted: November 20, 2002

Summary

Who should read this bulletin: Customers using Microsoft® Internet Explorer

Impact of vulnerability: Six new vulnerabilities, the most serious of which could enable an attacker to execute commands on a user's system.

Maximum Severity Rating: Important

Our recommendation: you should install the patch at the earliest opportunity. Point your browser to http://www.microsoft.com/windows/ie/downloads/default.asp to download the latest update or install the latest version of Microsoft's Internet Explorer available from http://v4.windowsupdate.microsoft.com/en/default.asp

Affected Software:
- Microsoft Internet Explorer 5.01
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 6.0

For those who care, here is the technical description:

This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities:

- A buffer overrun vulnerability that occurs because Internet Explorer does not correctly check the parameters of a PNG graphics file when it is opened. To the best of Microsoft's knowledge, this vulnerability could only be used to cause Internet Explorer to fail. The effect of exploiting the vulnerability against Internet Explorer would be relatively minor - the user would only need to restart the browser to restore normal operation.
However, a number of other Microsoft products - notably, most Microsoft Office products and Microsoft Index Server - rely on Internet Explorer to render PNG files, and exploiting the vulnerability against such an application would cause them to fail as well. Because of this, Microsoft recommends that customers install this patch regardless of whether they are using Internet Explorer as their primary web browser.

- An information disclosure vulnerability related to the way that Internet Explorer handles encoded characters in a URL. This vulnerability could allow an attacker to craft a URL containing some encoded characters that would redirect a user to a second web site. If a user followed the URL, the attacker would be able to piggy-back the user's access to the second website. This could allow the attacker to access any information the user shared with the second web site.

- A vulnerability that occurs because under certain circumstances Internet Explorer does not correctly check the component that the OBJECT tag calls. This could allow an attacker to obtain the name of the Temporary Internet Files folder on the user's local machine. The vulnerability would not allow an attacker to read or modify any files on the user's local system, since the Temporary Internet Files folder resides in the Internet security zone. Knowledge of the name of the Temporary Internet Files folder could allow an attacker to identify the username of the logged-on user and read other information in the Temporary Internet Files folder such as cookies.

- Three vulnerabilities that although having differing root causes, have the same net effects. All three vulnerabilities result because of incomplete security checks being carried out when using particular programming techniques in web pages, and would have the effect of allowing one website to access information in another domain, including the user's local system.
This could enable the web site operator to read, but not change, any file on the user's local computer that could be viewed in a browser window. In addition, this could also enable an attacker to invoke an executable that was already present on the local system.

In addition, the patch sets the Kill Bit on a legacy DirectX ActiveX control which has been retired but which has a security vulnerability. This has been done to ensure that the vulnerable control cannot be reintroduced onto users' systems and ensures that users who already have the control on their system are protected. This is discussed further in Microsoft Knowledge Base Article 810202.

Scan your computer for viruses every week and don't forget to back up your files!

Fredo
http://www.workingarts.com/infosecarchives
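
To confirm that the Kill Bit mentioned above is actually present after patching, the following added example (not part of the original advisory or of Microsoft's bulletin) audits the text of a registry export for the "Compatibility Flags" value that Internet Explorer checks. The CLSIDs and the sample export are constructed placeholders; the advisory does not give the CLSID of the DirectX control, so take it from Knowledge Base Article 810202.

```python
import re

# Registry key Internet Explorer consults before instantiating an ActiveX control.
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that blocks the control in IE

# Constructed sample in `reg export` text format. The CLSIDs are placeholders,
# NOT the CLSID of the DirectX control named in the advisory.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Other Value"=dword:00000400
'''

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})\s*$')

def parse_compat_flags(export_text):
    """Return {CLSID (upper case): flags} for each control listed under COMPAT_KEY."""
    flags, clsid = {}, None
    prefix = COMPAT_KEY.lower() + "\\"
    for line in export_text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            key = section.group(1)
            rest = key[len(prefix):] if key.lower().startswith(prefix) else ""
            # Only direct children of the compatibility key name a control.
            clsid = rest.upper() if rest and "\\" not in rest else None
            if clsid is not None:
                flags.setdefault(clsid, 0)  # key exists, no flags value seen yet
            continue
        value = FLAGS_RE.match(line)
        if value and clsid is not None:
            flags[clsid] = int(value.group(1), 16)
    return flags

def kill_bit_set(export_text, clsid):
    """True only if the control has a Compatibility Flags value with the Kill Bit."""
    flags = parse_compat_flags(export_text).get(clsid.upper())
    return flags is not None and bool(flags & KILL_BIT)

if __name__ == "__main__":
    for clsid, value in parse_compat_flags(SAMPLE_EXPORT).items():
        print(clsid, hex(value), "blocked" if value & KILL_BIT else "NOT blocked")
```

Files written by `reg export` are UTF-16 encoded, so decode them accordingly before passing the text to `parse_compat_flags`.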