Microsoft Security Bulletin MS03-040

Technical description:
This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates the following newly discovered vulnerabilities:

• A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server in a popup window. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it could be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML–based e-mail that would attempt to exploit this vulnerability.
• A vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a Web server during XML data binding. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it could be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML–based e-mail that would attempt to exploit this vulnerability.

In addition, a change has been made to the method by which Internet Explorer handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer Restricted Zone. It could be possible for an attacker exploiting a separate vulnerability (such as one of the two vulnerabilities discussed above) to cause Internet Explorer to run script code in the security context of the Internet Zone. In addition, an attacker could use Windows Media Player’s (WMP) ability to open URLs to construct an attack. An attacker could also craft an HTML-based e-mail that could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially formed HTML–based e-mail and send it to the user. Alternatively an attacker would have to host a malicious Web site that contained a Web page designed to exploit these vulnerabilities.

As with the previous Internet Explorer cumulative patches released with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after applying this patch.

In addition to applying this security patch it is recommended that users also install the Windows Media Player update referenced in Knowledge Base Article 828026. This update is available from Windows Update as well as the Microsoft Download Center for all supported versions of Windows Media Player. While not a security patch, this update contains a change to the behavior of Windows Media Player’s ability to launch URLs to help protect against DHTML behavior based attacks. Specifically, it restricts Windows Media Player’s ability to launch URLs in the local computer zone from other zones.

Mitigating factors:

• By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent this vulnerability from being automatically exploited would be removed.
• In the Web-based attack scenario, the attacker would have to host a Web site that contained a Web page used to exploit this vulnerability.
• Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have user level privileges on the system would be at less risk than ones who operate with administrative privileges.

Severity Rating:

	Internet Explorer 5.01 SP3	Internet Explorer 5.01 SP4	Internet Explorer 5.5 SP2	Internet Explorer 6.0 Gold	Internet Explorer 6.0 SP1	Internet Explorer 6.0 for Windows Server 2003
Object Tag vulnerability in Popup Window	Critical	Critical	Critical	Critical	Critical	Moderate
Object Tag vulnerability with XML data binding	Critical	Critical	Critical	Critical	Critical	Moderate
Aggregate Severity of all issues included in this patch	Critical	Critical	Critical	Critical	Critical	Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier:

• Object Tag vulnerability in Popup Window: CAN-2003-0838
• Object Tag vulnerability with XML data binding: CAN-2003-0809

Tested Versions:
Microsoft tested Internet Explorer versions 5.01 Service Pack 3, Internet Explorer 5.01 Service Pack 4, Internet Explorer 5.5 Service pack 2, Internet Explorer 6.0 and Internet Explorer 6.0 Service Pack 1 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What’s the scope of the vulnerability?

This is a cumulative patch that incorporates the functionality of all previously released patches for Internet Explorer. In addition, the patch eliminates the following newly reported vulnerabilities:

• Two vulnerabilities that could allow an attacker to cause arbitrary code to run on the user's system.

Are there any other security changes made by the patch?

Yes - A behavioral change has been made to the method by which Internet Explorer handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer Restricted Zone. It could be possible for an attacker exploiting a separate vulnerability (such as one of the two vulnerabilities discussed above) to cause Internet Explorer to run script code in the security context of the Internet Zone. In addition, an attacker could use Windows Media Player’s (WMP) ability to open URL’s to construct an attack.

An attacker could also craft an HTML-based e-mail that could attempt to exploit this behavior.

What are DHTML Behaviors?

DHTML Behaviors are components that allow extra functionality on a standard HTML page. For example, DHTML Behaviors can be used with an HTML “unordered list” (<ul>) tag allow a list to be expanded and contracted by clicking on a list item. More information about DHTML Behaviors can be found here.

Are there any other steps I should take in addition to applying this patch to help protect my computer?

Yes - In addition to applying this security patch it is recommended that users also install the Windows Media Player update referenced in Knowledge Base Article 828026. This update is available from Windows Update as well as the Microsoft Download Center for all supported versions of Windows Media Player. While not a security patch, this update contains a change to the behavior of Windows Media Player’s ability to launch URLs to help protect against DHTML behavior based attacks.

Specifically, it restricts Windows Media Player’s ability to launch URLs in the local computer zone from other zones.

I am running Internet Explorer on Windows Server 2003. Does this mitigate these vulnerabilities?

Yes. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode known as Enhanced Security Configuration.

What is Internet Explorer Enhanced Security Configuration?

Internet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or administrator downloading and running malicious Web content on a server. Internet Explorer Enhanced Security Configuration reduces this risk by modifying numerous security-related settings, including Security and Advanced tab settings in Internet Options. Some of the key modifications include:

• Security level for the Internet zone is set to High. This setting disables scripts, ActiveX controls, Microsoft virtual machine (Microsoft VM), HTML content, and file downloads.
• Automatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.
• Install On Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.
• Multimedia content is disabled. This setting prevents music, animations, and video clips from running.

Disabling Internet Explorer Enhanced Security Configuration would remove the protections put in place that help prevent this vulnerability from being exploited. For more information about Internet Explorer Enhanced Security Configuration, see the Managing Internet Explorer Enhanced Security Configuration guide. To do so, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

Is there any configuration of Windows Server 2003 that is likely to have Internet Explorer Enhanced Security Configuration Disabled?

Yes. Systems Administrators who have deployed Windows Server 2003 as a Terminal Server would likely disable Internet Explorer Enhanced Security Configuration to allow users of the Terminal Server to use Internet Explorer in an unrestricted mode.

CAN-2003-0838: Object Tag vulnerability in a Popup Window

What’s the scope of this vulnerability?

A flaw in the way Internet Explorer handles a specific HTTP request could allow arbitrary code to execute in the context of the logged-on user, should the user visit a site under the attacker's control.

What causes the vulnerability?

The vulnerability results because Internet Explorer does not properly check a specially crafted HTTP response that can be encountered when Internet Explorer handles an object tag in an Internet Explorer windows created with by a Window.CreatePopup script command.

What's wrong with the way Internet Explorer handles object tags?

There is a flaw in the way Internet Explorer determines an object type. Internet Explorer does not conduct a proper parameter check on an HTTP response. The response can point to a particular file type which will then cause an object to be scripted, then run. This could allow an attacker to run arbitrary code on a user’s machine.

What could this vulnerability enable an attacker to do?

This vulnerability could enable an attacker to cause Internet Explorer to execute code of the attacker's choice. This would allow an attacker to take any action on a user's system in the security context of the currently logged-on user.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by hosting a specially constructed Web page. If the user visited this Web page, Internet Explorer could fail and could allow arbitrary code to execute in the context of the user. Alternatively, an attacker could also craft an HTML–based e-mail that attempts to exploit this vulnerability.

What does the patch do?

The patch addresses the vulnerabilities by ensuring that Internet Explorer performs proper checks when it receives an HTTP response.

CAN-2003-0809: Object Tag vulnerability with XML data binding

What’s the scope of this vulnerability?

A flaw in the way Internet Explorer handles a specific HTTP request could allow arbitrary code to execute in the context of the logged-on user, should the user visit a site under the attacker's control.

What causes the vulnerability?

The vulnerability results because Internet Explorer does not properly check a specially crafted HTTP response that can be encountered when Internet Explorer handles an object tag in an Internet Explorer window that uses XML data binding.

What is XML data binding?

XML data binding is a method which allows a web page author to bind HTML data to an XML data set. An example of this might be where a web page author uses XML data binding to have the update the contents of an HTML table when the XML dataset changes. More information about XML data binding can be found here.

What's wrong with the way Internet Explorer handles object tags with XML data binding?

There is a flaw in the way Internet Explorer determines an object type. Internet Explorer does not conduct a proper parameter check on an HTTP response. The response can point to a particular file type which will then cause an object to be scripted, then run. This could allow an attacker to run arbitrary code on a user’s machine.

What could this vulnerability enable an attacker to do?

This vulnerability could enable an attacker to cause Internet Explorer to execute code of the attacker's choice. This would allow an attacker to take any action on a user's system in the security context of the currently logged-on user.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by hosting a specially constructed Web page. If the user visited this Web page, Internet Explorer could fail and could allow arbitrary code to execute in the context of the user. Alternatively, an attacker could also craft an HTML–based e-mail that attempts to exploit this vulnerability.

What does the patch do?

The patch addresses the vulnerabilities by ensuring that Internet Explorer performs proper checks when it receives an HTTP response.

Workarounds

Are there any workarounds that can be used to block exploitation of this vulnerability while I test the patch?

Yes. It should be noted that these workarounds should be considered temporary measures as they just help block paths of attack rather than correcting the underlying vulnerability. Microsoft encourages installing the patch at the earliest opportunity.

The following sections are intended to provide you with information to help protect your computer from attack.

Prompt before running of ActiveX controls in the Internet and Intranet zones:

You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX components. To do this, perform the following steps:

• In Internet Explorer, select Tools, Internet Options
• Click on the Security tab
• Highlight the Internet icon and click on the Custom Level button
• Scroll through the list to the Active X controls and plug-ins section
• Under Run ActiveX controls and plug-ins click Prompt
• Click OK
• Highlight the Local Intranet icon and click on the Custom Level button
• Scroll through the list to the Active X controls and plug-ins section
• Under Run ActiveX controls and plug-ins click Prompt
• Click OK; then click OK again to return to Internet Explorer

Restrict Web sites to only your trusted Web sites

After requiring a prompt before running ActiveX in the Internet and Intranet zone, you can add sites that you trust into Internet Explorer’s Trusted sites. This will allow you to continue using trusted Web sites exactly as you do today, while protecting you from this attack on untrusted sites. Microsoft recommends that you only add sites that you trust to the trusted sites zone.

To do this, perform the following steps:

• In Internet Explorer, select Tools, then Internet Options. Click the Security tab.
• In the box labeled Select a Web content zone to specify its current security settings, click Trusted Sites, then click Sites
• If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
• In the box labeled Add this Web Site to the zone, type the URL of a site that you trust, then click the Add button.

  Repeat for each site that you want to add to the zone.

• Click OK twice to accept the changes and return to Internet Explorer. Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is “*.windowsupdate.microsoft.com” (without the quotes). This is the site that will host the patch, and it requires the use of an ActiveX control to install the patch.

If you are using Outlook 2002 or Outlook Express 6.0SP1 or higher, to help protect yourself from the HTML email attack vector, read email in plain text format.

Users of Microsoft Outlook 2002 and Outlook Express 6.0 who have applied Service Pack 1 and or higher can enable a feature to view all non-digitally-signed e-mail or non-encrypted e-mail messages in plain text only.

Digitally signed e-mail or encrypted e-mail messages are not affected by the setting and may be read in their original formats. Information on enabling this setting in Outlook 2002 can be found in the following Knowledge Base article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;307594

Information on enabling this setting in Outlook Express 6.0 can be found in the following Knowledge Base article:

http://support.microsoft.com/?kbid=291387

Are there any side-effects to prompting before running of ActiveX components?

Yes. Many Web sites on the Internet use ActiveX to provide additional functionality. For instance, an online e-commerce site or banking site might use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting for all Internet and Intranet sites. You will be prompted frequently when you enable this work-around. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX components. If you do not want to be prompted for all of these sites, you can instead use the “Restrict Web sites to only your trusted Web sites” workaround.

Are there any side effects to restricting Web sites from my trusted Web sites?

Yes. For those sites you have not configured to be in your Trusted sites zone, their functionality will be impaired if they require ActiveX controls to function properly. Adding sites to your Trusted sites zone will allow them to be able to download the ActiveX control required to function correctly. However you should only add Web sites you trust to the Trusted sites zone.

Are there any side-effects to reading email in plain text format?

Yes. E-mail viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. In addition:

• The changes are applied to the preview pane and open messages.
• Pictures become attachments to avoid loss.
• Since the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly because the message is still in Rich Text or HTML format in the mail store.

Installation platforms:
The patch can be installed on:

• Internet Explorer 5.01 running on Windows 2000 systems with Service Pack 3 or Service Pack 4 installed.
• The Internet Explorer 5.5 patch can be installed on systems running Internet Explorer 5.5 Service Pack 2.
• The Internet Explorer 6.0 patch can be installed on Windows XP systems running IE 6.0 Gold or systems running Internet Explorer 6.0 Service Pack 1.

Inclusion in future service packs:
The fix for these issues will be included in Windows 2000 Service Pack 5, Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.

Reboot needed: Yes - After reboot, an administrator logon is required for:

• Internet Explorer 5.01 on Microsoft Windows 2000.
• Internet Explorer 5.5 on Microsoft Windows 2000

Patch can be uninstalled: Yes.

Superseded patches: This patch supersedes the one provided in Microsoft Security Bulletin MS03-032 which is itself a cumulative patch.

Verifying patch installation:

• To verify that the patch has been installed on the machine, open Internet Explorer, select Help, then select About Internet Explorer and confirm that Q828750 is listed in the Update Versions field.

  Note that you can not use this method on Windows Server 2003 or Windows XP 64-Bit Edition Version 2003, as the Update Versions field is not updated by the package for these operating systems.

• To verify the individual files, use the patch manifest provided in Knowledge Base article 828750.

Caveats:
If you have not installed the updated HTML Help control from Knowledge Base article 811630, you will not be able to use some HTML Help functionality after applying this update. In order to restore that functionality, users need to download the updated HTML Help control (811630). Users should also note that when the latest version of HTML Help is installed, the following limitations will occur when a help file is opened with the showHelp method:

• Only supported protocols can be used with showHelp to open a web page or help (.chm) file.
• The shortcut function supported by HTML Help will be disabled when the help file is opened with showHelp This will not affect the shortcut functionality if the same CHM file is opened by the user manually by double-clicking on the help file, or by through an application on the local system using the HTMLHELP( ) API.

Localization:
Localized versions of this patch are available at the locations discussed in “Patch Availability”.

Obtaining other security patches:
Patches for other security issues are available from the following locations:

• Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
• Patches for consumer platforms are available from the WindowsUpdate web site