Slashdot Mirror

← Back to Stories (view on slashdot.org)

MSIE Uber-patch Of The Month

Posted by ryuzaki0 on from the windstorm-'97 dept.

mkraft writes "Microsoft released another security patch for Internet Explorer to fix 6 'new' vulnerabilities. Info on the patch can be obtained via download or Windows Update. Not sure what 6 things the patch fixed, but I'm assuming they fixed 6 of the 14 known exploits listed at http://jscript.dk/unpatched/" Maybe not even all six -- the maintainer of the above URL claims in a post to Bugtraq that Microsoft got some facts wrong and "patched a symptom" of one of the vulnerabilities, "not its root cause," and that IE5 and IE5.5 remain unpatched with the same "Critical" vulnerability. Also, please compare to previous MSIE Uber-Patches Of The Month: December 2001, 3+? holes in IE; March 2002, 2+? holes in IE; April 2002, 2+? holes in Mac IE.

20 of 357 comments (clear)

  1. It Breaks Javascript by inetd · · Score: 2, Informative

    According to NTBUGTRAQ it breaks certain javascript

    http://www.ntbugtraq.com/default.asp?pid=36&sid= 1& A2=ind0205&L=ntbugtraq&F=P&S=&P=2859

  2. Breaks some Javascript by DaDigz · · Score: 5, Informative
    Just posted to the NTBugTraq list is a message noting that it breaks some Javascript.

    The example code that fails with the patch is here.

    --
    Those who will sacrifice Freedom and Security will get Windows...
  3. C'mon, guys... by bricriu · · Score: 4, Informative

    the page you link to HAS the vulnerabilities fixed LISTED.

    And if you actually go to download it, you'll see that it DOES apply to versions 5 and 5.5. (http://www.microsoft.com/windows/ie/downloads/cri tical/Q321232/default.asp)

    --

    AHHHHHHH! I'm burning with goodness again!
    - Reakk, Sluggy Freelance

    1. Re:C'mon, guys... by gclef · · Score: 5, Informative

      Yes, but the patch doesn't actually *do* what it claims. Therein lies the problem. There has been a steady stream of messages to various security lists today about how this patch does not actually fix many of the issues that it claims to fix, and breaks other stuff in the process. see http://jscript.dk/unpatched/ for the present list of unpatched IE problems, and some commentary on this patch.

  4. Re:I have a question? by techstar25 · · Score: 2, Informative

    I think it matters becuase a ton of slashdotters use IE, whether they admit it or not. And for those folks who do use it, they might not have the auto-update turned on, and therefore might not know about the update any other way. Of course they all should be using Opera. . .

  5. Re:I wish things were always so easy... by SirThomas · · Score: 5, Informative

    Um, RedHat comes with an auto-updater 'up2date'.

    You just need to register your machine and it can automatically update your machine for you.

    Some may complain that it is a 'for pay' service but you do get one system for FREE.

    Check rhn.redhat.com for more details.

  6. Debian by nuggz · · Score: 4, Informative

    Come on, they exist.
    upgrading with apt is easy, and not much work.
    *BSD also have their update tools, and some other posters mentioned Redhat tools.

    These things exist, you just have to use them. Or maybe they should be made prominent however XP does it so people will complain about the security pitfalls of doing so.

  7. What the patches fixed (for the lazy) by aardwolf64 · · Score: 4, Informative
    http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-023.asp

    For those that are SO lazy that you can't click on the link:

    Technical description:

    This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities:

    • A cross-site scripting vulnerability in a Local HTML Resource. IE ships with several files that contain HTML on the local file system to provide functionality. One of these files contains a cross-site scripting vulnerability that could allow a script to execute as if it were run by the user herself, causing it to run in the local computer zone. An attacker could craft a web page with a URL that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the web page was viewed and the user clicked on the URL link, the attacker's script injected into the local resource, the attacker's script would run in the Local Computer zone, allowing it to run with fewer restrictions than it would otherwise have.
    • An information disclosure vulnerability related to the use of am HTML object provides that support for Cascading Style Sheets that could allow an attacker to read, but not add, delete or change, data on the local system. An attacker could craft a web page that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the page was viewed, the element would be invoked. Successfully exploiting this vulnerability, however, requires exact knowledge of the location of the intended file to be read on the user's system. Further, it requires that the intended file contain a single, parcicular ASCII character.
    • An information disclosure vulnerability related to the handling of script within cookies that could allow one site to read the cookies of another. An attacker could build a special cookie containing script and then construct a web page with a hyperlink that would deliver that cookie to the user's system and invoke it. He could then send that web page as mail or post it on a server. When the user clicked the hyperlink and the page invoked the script in the cookie, it could potentially read or alter the cookies of another site. Successfully exploiting this, however, would require that the attacker know the exact name of the cookie as stored on the file system to be read successfully.
    • A zone spoofing vulnerability that could allow a web page to be incorrectly reckoned to be in the Intranet zone or, in some very rare cases, in the Trusted Sites zone. An attacker could construct a web page that exploits this vulnerability and attempt to entice the user to visit the web page. If the attack were successful, the page would be run with fewer security restrictions than is appropriate.
    • Two variants of the "Content Disposition" vulnerability discussed in Microsoft Security Bulletin MS01-058 affecting how IE handles downloads when a downloadable file's Content-Disposition and Content-Type headers are intentionally malformed. In such a case, it is possible for IE to believe that a file is a type safe for automatic handling, when in fact it is executable content. An attacker could seek to exploit this vulnerability by constructing a specially malformed web page and posting a malformed executable file. He could then post the web page or mail it to the intended target. These two new variants differ from the original vulnerability in that they for a system to be vulnerable, it must have present an application present that, when it is erroneously passed the malformed content, chooses to hand it back to the operating system rather than immediately raise an error. A successful attack, therefore, would require that the attacker know that the intended victim has one of these applications present on their system.


    Finally, it introduces a behavior change to the Restricted Sites zone. Specifically, it disables frames in the Restricted Sites zone. Since the Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update and Outlook 2002 all read email in the Restricted Sites zone by default, this enhancement means that those products now effectively disable frames in HTML email by default. This new behavior makes it impossible for an HTML email to automatically open a new window or to launch the download of an executable.

  8. MS is rich because.... by Steveftoth · · Score: 4, Informative

    they are great salesmen. They basically sold the entire world a product that simply didn't do what they said it would do. Only now are they finally making good on their promise.
    They are finally making the software robust and not crash 20 times a day.
    They are finally making it such that you can actually use the programs without fear of having to reinstall the whole when you try to get a new screensaver.
    They are finally making it a good product.

    What's wrong with this? They've been charging for the full product all along, when only now are they finally delivering. They have suckered the entire world. They take your money every time you buy a computer even if you don't use their software.

  9. Re:Well, golly. If only I COULD patch mine. by WolfWithoutAClause · · Score: 3, Informative

    Actually you can download the updates manually if you wish; they're on their website somewhere or other. This is a supported patch technique.

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  10. Re:I wish things were always so easy... by Anonymous Coward · · Score: 1, Informative

    Eerr, you can pick and choose the updates that are installed if you configure it that way. Not only on XP but also with Windows Update on W2k.

  11. Re:I wish things were always so easy... by Fizzlewhiff · · Score: 3, Informative

    Red Hat 7.3 flashes a little update icon when there are updates available. Click the icon and then cycle through the Next buttons and you are patched.

    --

    'Same speed C but faster'
  12. Re:Well, golly. If only I COULD patch mine. by Anonymous Coward · · Score: 1, Informative

    Here in this case.

  13. Re:This is getting boring... by martissimo · · Score: 3, Informative

    I cannot go patching my software every morning after booting the computer!!

    thats one of the things that Windows does rather seamlessly though. I booted to it this morning to take care of a few things, and a little reminder notice popped up in the toolbar saying "a update is available"... all i did was click "Yes" and it was installed, it told me i had to restart to finish the update, and i ignored that part...once i finally do restart my computer it will be fully installed. This process took me a grand total of about 1 second of my time.

    There are plenty of valid complaints about MS, but this is one of those cases where they are doing something right.

  14. Re:God Forbid... by rark · · Score: 3, Informative

    Except (if you read the bugtraq post) MS left IE6 vunerable (and released no patch for IE5). It gave incorrect information about several vunerabilities, which makes one suspect that they might have not fixed them correctly.

    I can't vouch for the accuracy of the bugtraq post, but if true, this is not 'fixing the symptom until the underlying problem can be fixed', this is 'fixing one popularized symptom while leaving others untouched'.

    A number of people have noticed that a majority of /. users use IE. Some of them may well be opera or other browser users who have their browsers to announce otherwise, but certainly, a number of /. users actually use IE. Some of us still use Win98 too, even if just at work or at home because our families can't use another OS (yet...)

  15. Re:I wish things were always so easy... by Stardate · · Score: 2, Informative

    It's not exactly automatic when you still have to close all your apps and reboot your PC. :-(

    --
    "... I declare our city to be a free and independent state to be named Tri-Insula!" --Fernando Wood, Mayor of NYC 1861
  16. Re:I wish things were always so easy... by Chewie · · Score: 3, Informative

    Well, while I will agree that it's not terribly newbie-friendly, it's not impossible to circumvent. First of all, the local box should allow you to register the machine without a problem, but you won't be able to update your software. All you do is log into the rhn site rnh.redhat.com, click on "entitlements", change the old registration's entitlement to "none", and the new one to "basic". Then run up2date -u and you should be set.

    --
    49 20 68 61 76 65 20 74 6F 6F 20 6D 75 63 68 20 66 72 65 65 20 74 69 6D 65 2E
  17. Re:I wish things were always so easy... by jonbrewer · · Score: 3, Informative
    Rather, let me decide and then it's my fault if I download a worm
    What's nice about XP is that you do have the choice with auto-update. In fact, you have several choices. I'll list them:

    1. Download the updates automatically and notify me when they are ready to be installed.
    2. Notify me before downloading any updates and notify me again before installing them on my computer.
    3. Turn off automatic updating. I want to update my computer manually.

    I, being a lazy bastard, choose option 1, then hit the snooze button for a few days before installing... it's the only time I ever have to reboot!
  18. Re:Windows Update hosed my system!! by dorix · · Score: 2, Informative
    I don't know how I'm going to back out the patch if I can't run the Control Panel Applet without IE/Windows Explorer.

    You should be able to run a control panel applet from cmd.exe by:
    rundll32 shell32.dll,Control_RunDLL appwiz.cpl
    This example, for instance, would run the Add/Remove Programs control panel.

    Good luck!
  19. Re:Windows Update hosed my system!! by Anonymous Coward · · Score: 1, Informative

    simplified further:

    control appwiz.cpl