CERT Announces MORE vunlerabilities in Internet Explorer

[Mithrandir]

This should come as no surprise to anyone who's listened to my security lectures before...

Multiple Vulnerabilities in Microsoft Internet Explorer

Original issue date: February 02, 2004
Last revised: --
Source: US-CERT

Systems Affected

Microsoft Windows systems running

* Internet Explorer 5.01
* Internet Explorer 5.50
* Internet Explorer 6

Previous, unsupported, versions of Internet Explorer may also be
affected.

Overview

Microsoft Internet Explorer (IE) contains multiple vulnerabilities,
the most serious of which could allow a remote attacker to execute
arbitrary code with the privileges of the user running IE.

Description

Microsoft Security Bulletin MS04-004 describes three vulnerabilities
in Internet Explorer. These vulnerabilities are listed below. More
detailed information is available in the individual vulnerability
notes. Note that in addition to IE, any applications that use the IE
HTML rendering engine to interpret HTML documents may present
additional attack vectors for these vulnerabilities.

VU#784102 - Microsoft Internet Explorer Travel Log Cross Domain
Vulnerability

A cross-domain scripting vulnerability exists in the Travel Log
functionality of Internet Explorer. This vulnerability could allow a
remote attacker to execute arbitrary script in a different domain,
including the Local Machine Zone.
(Other resources: CAN-2003-01026)

VU#413886 - Microsoft Internet Explorer Drag-and-Drop Operation
Vulnerability

Internet Explorer allows remote attackers to direct drag and drop
behaviors and other mouse click actions by using method caching
(SaveRef) to access the window.moveBy method.
(Other resources: CAN-2003-01027)

VU#652278 - Microsoft Internet Explorer does not properly display URLs

Microsoft Internet Explorer does not properly display the location of
HTML documents. An attacker could exploit this behavior to mislead
users into revealing sensitive information.
(Other resources: CAN-2003-01025)

Impact

These vulnerabilities have different impacts, ranging from disguising
the true location of a URL to executing arbitrary commands or code.
Please see the individual vulnerability notes for specific
information. The most serious of these vulnerabilities (VU#784102)
could allow a remote attacker to execute arbitrary code with the
privileges of the user running IE. The attacker could exploit this
vulnerability by convincing the user to access a specially crafted
HTML document, such as a web page or HTML email message. No user
intervention is required beyond viewing the attacker's HTML document
with IE.

Solutions

Apply a patch

Apply the appropriate patch as specified by Microsoft Security
Bulletin MS04-004.

* Microsoft Security Bulletin MS04-004 -
<http://microsoft.com/technet/security/bulletin/MS04-004.asp>

Note: The fix included in MS04-004 for VU#652278 may cause sites that
use URLs of the form "username:password@www.example.com" to break.
This change, along with workarounds for users and administrators of
such sites, is covered in Microsoft KB Article 834489.

Vendor Information

This section contains information provided by vendors. When vendors
report new information, this section is updated and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their comments.

Microsoft

Please see Microsoft Security Bulletin MS04-004.
_________________________________________________________________

References

* CERT/CC Vulnerability Note VU#784102 -
<http://www.kb.cert.org/vuls/id/784102>

* CERT/CC Vulnerability Note VU#413886 -
<http://www.kb.cert.org/vuls/id/413886>

* CERT/CC Vulnerability Note VU#652278 -
<http://www.kb.cert.org/vuls/id/652278>

* Microsoft Security Bulletin MS04-004 -
<http://microsoft.com/technet/security/bulletin/MS04-004.asp>

* Microsoft KB Article 834489 -
<http://support.microsoft.com/?id=834489>

* CVE CAN-2003-01025 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-01025>

* CVE CAN-2003-01026 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-01026>

* CVE CAN-2003-01027 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-01027>

[Mithrandir]

Sorry to double post... Thread to long.

Notice this time: At least there's a PATCH! This finally fixes the spoof vulnerabilities from, what, last year?!?!.

[Straylight]

Clearly this is the reason why dodgy things have hijacked IE without any user interaction. Just another reason why people should stop using IE.

[TheMelodyMaker]

Hmm... I downloaded an update from Windows Update this morning for IE that mentioned fixing vulnerabilities even when IE isn't running. That means that even if you don't use IE, simply having it installed could cause problems. However, I do consider IE to be a core Windows component, like DirectX.

...I have no idea what my point is here. I guess I'm just a die-hard Windows fan. ^_^; *ducks for cover*

[ShiroiHikari]

I wish I could get away with getting IE OUT of my system entirely. I think I tried it once when I was like 14 and had Win95 XD

[LorentzForce]

good thing i moved over to Linux; can't see no IE anymore.

mmm w3m...

[Mithrandir]

I wish I could get away with getting IE OUT of my system entirely. I think I tried it once when I was like 14 and had Win95 XD

...ouch. That's a fun fix..

[Fsiphskilm]

That's a sad pat

[inkhana]

...ouch. That's a fun fix..

Heh, and familiar too...I remember back when we got...I guess it was the old comp that was later doomed to be fried by me (another story). It came preinstalled with IE4. I remember at one point trying to get IE out because it wouldn't coexist with Netscape for some reason (integration = NOT YOUR FRIEND! LOL) Did it go well? Only if I wanted to spend the rest of my week putting back the pieces of the messed up OS...XP

I typically try to avoid bashing stuff, but after all the problems I have had to fix due to our friendly friend Microsoft (thanks Dad for being an avid M$ supporter... ), I can say from experience that IE stinks.

[madphilb]

One word.... 98lite (or whatever it's called now)

[Fsiphskilm]

OOOooo What's that?

[TheMelodyMaker]

My guess is that it's the first release of 98, as opposed to 98 Second Edition.

[madphilb]

98lite allows you to remove some of the things that Microsoft said can't be removed... it's primary function was to remove IE from 98 and 98SE, and would do this to various different levels.

To completely remove IE you need a copy of the Win95 CD and it will make the Start menu behave as it did with Win95 (by actually using the Win95 files). This keeps you from re-arranging the menus by dragging the shortcuts around on the menu itself (you have to use the old method of opening up the Start menu as a folder or going to those files in Explorer).

To a lesser degree it can sever IE from the system, it allows you to leave the HTML renderer DLLs behind so that you can have it sill be used by programs that use it (such as the mini-browser in WinAMP, Yahoo's IM software uses it to generate all the windows, and I think MSes new help system is based off the HTML renderer).

In the process of doing this (depending on the level you use the program at) you will lose ActiveX support, however since MS will be dropping support for Win98 updates (recently they extended the date at which they will do it), the only other uses for ActiveX are generally viruses and worms.

You can find the "lite" software at: http://www.litepc.com/

The "Free Preview" is what I've been using I think, the full "professional" version adds support to remove a bunch of other things, or even do new installs without those options ever being installed in the first place.

The web site explains it better than better than I did I think

[Fsiphskilm]

Interesting. I'll h