MSIE Uber-patch Of The Month

← Back to Stories (view on slashdot.org)

Posted by ryuzaki0 on Thursday May 16, 2002 @05:50AM from the windstorm-'97 dept.

mkraft writes "Microsoft released another security patch for Internet Explorer to fix 6 'new' vulnerabilities. Info on the patch can be obtained via download or Windows Update. Not sure what 6 things the patch fixed, but I'm assuming they fixed 6 of the 14 known exploits listed at http://jscript.dk/unpatched/" Maybe not even all six -- the maintainer of the above URL claims in a post to Bugtraq that Microsoft got some facts wrong and "patched a symptom" of one of the vulnerabilities, "not its root cause," and that IE5 and IE5.5 remain unpatched with the same "Critical" vulnerability. Also, please compare to previous MSIE Uber-Patches Of The Month: December 2001, 3+? holes in IE; March 2002, 2+? holes in IE; April 2002, 2+? holes in Mac IE.

7 of 357 comments (clear)

Min score:

Reason:

Sort:

Breaks some Javascript by DaDigz · 2002-05-16 05:57 · Score: 5, Informative

Just posted to the NTBugTraq list is a message noting that it breaks some Javascript.
The example code that fails with the patch is here.

--
Those who will sacrifice Freedom and Security will get Windows...
C'mon, guys... by bricriu · 2002-05-16 05:59 · Score: 4, Informative

the page you link to HAS the vulnerabilities fixed LISTED.

And if you actually go to download it, you'll see that it DOES apply to versions 5 and 5.5. (http://www.microsoft.com/windows/ie/downloads/cri tical/Q321232/default.asp)

--
AHHHHHHH! I'm burning with goodness again!
- Reakk, Sluggy Freelance
1. Re:C'mon, guys... by gclef · 2002-05-16 06:31 · Score: 5, Informative
  
  Yes, but the patch doesn't actually *do* what it claims. Therein lies the problem. There has been a steady stream of messages to various security lists today about how this patch does not actually fix many of the issues that it claims to fix, and breaks other stuff in the process. see http://jscript.dk/unpatched/ for the present list of unpatched IE problems, and some commentary on this patch.
Re:I wish things were always so easy... by SirThomas · 2002-05-16 06:25 · Score: 5, Informative

Um, RedHat comes with an auto-updater 'up2date'.

You just need to register your machine and it can automatically update your machine for you.

Some may complain that it is a 'for pay' service but you do get one system for FREE.

Check rhn.redhat.com for more details.
Debian by nuggz · 2002-05-16 06:34 · Score: 4, Informative

Come on, they exist.
upgrading with apt is easy, and not much work.
*BSD also have their update tools, and some other posters mentioned Redhat tools.

These things exist, you just have to use them. Or maybe they should be made prominent however XP does it so people will complain about the security pitfalls of doing so.
What the patches fixed (for the lazy) by aardwolf64 · 2002-05-16 06:35 · Score: 4, Informative
http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-023.asp

For those that are SO lazy that you can't click on the link:

Technical description:

This is a cumulative patch that includes the functionality of all previously released patches for IE 5.01, 5.5 and 6.0. In addition, it eliminates the following six newly discovered vulnerabilities:
- A cross-site scripting vulnerability in a Local HTML Resource. IE ships with several files that contain HTML on the local file system to provide functionality. One of these files contains a cross-site scripting vulnerability that could allow a script to execute as if it were run by the user herself, causing it to run in the local computer zone. An attacker could craft a web page with a URL that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the web page was viewed and the user clicked on the URL link, the attacker's script injected into the local resource, the attacker's script would run in the Local Computer zone, allowing it to run with fewer restrictions than it would otherwise have.
- An information disclosure vulnerability related to the use of am HTML object provides that support for Cascading Style Sheets that could allow an attacker to read, but not add, delete or change, data on the local system. An attacker could craft a web page that exploits this vulnerability and then either host that page on a web server or send it as HTML email. When the page was viewed, the element would be invoked. Successfully exploiting this vulnerability, however, requires exact knowledge of the location of the intended file to be read on the user's system. Further, it requires that the intended file contain a single, parcicular ASCII character.
- An information disclosure vulnerability related to the handling of script within cookies that could allow one site to read the cookies of another. An attacker could build a special cookie containing script and then construct a web page with a hyperlink that would deliver that cookie to the user's system and invoke it. He could then send that web page as mail or post it on a server. When the user clicked the hyperlink and the page invoked the script in the cookie, it could potentially read or alter the cookies of another site. Successfully exploiting this, however, would require that the attacker know the exact name of the cookie as stored on the file system to be read successfully.
- A zone spoofing vulnerability that could allow a web page to be incorrectly reckoned to be in the Intranet zone or, in some very rare cases, in the Trusted Sites zone. An attacker could construct a web page that exploits this vulnerability and attempt to entice the user to visit the web page. If the attack were successful, the page would be run with fewer security restrictions than is appropriate.
- Two variants of the "Content Disposition" vulnerability discussed in Microsoft Security Bulletin MS01-058 affecting how IE handles downloads when a downloadable file's Content-Disposition and Content-Type headers are intentionally malformed. In such a case, it is possible for IE to believe that a file is a type safe for automatic handling, when in fact it is executable content. An attacker could seek to exploit this vulnerability by constructing a specially malformed web page and posting a malformed executable file. He could then post the web page or mail it to the intended target. These two new variants differ from the original vulnerability in that they for a system to be vulnerable, it must have present an application present that, when it is erroneously passed the malformed content, chooses to hand it back to the operating system rather than immediately raise an error. A successful attack, therefore, would require that the attacker know that the intended victim has one of these applications present on their system.
Finally, it introduces a behavior change to the Restricted Sites zone. Specifically, it disables frames in the Restricted Sites zone. Since the Outlook Express 6.0, Outlook 98 and Outlook 2000 with the Outlook Email Security Update and Outlook 2002 all read email in the Restricted Sites zone by default, this enhancement means that those products now effectively disable frames in HTML email by default. This new behavior makes it impossible for an HTML email to automatically open a new window or to launch the download of an executable.
MS is rich because.... by Steveftoth · 2002-05-16 06:38 · Score: 4, Informative

they are great salesmen. They basically sold the entire world a product that simply didn't do what they said it would do. Only now are they finally making good on their promise.
They are finally making the software robust and not crash 20 times a day.
They are finally making it such that you can actually use the programs without fear of having to reinstall the whole when you try to get a new screensaver.
They are finally making it a good product.

What's wrong with this? They've been charging for the full product all along, when only now are they finally delivering. They have suckered the entire world. They take your money every time you buy a computer even if you don't use their software.