Results 1 to 10 of 10

Thread: Newest IE Patches

  1. #1
    TechieChick
    Guest

    Newest IE Patches

    Guess we shouldn't be surprised that more holes have been found.

    I truly think that IE is the gift that keeps on giving.


    Microsoft urged Windows users to download a fix for Internet Explorer on Wednesday, following the company's announcement that six new flaws had been found in its Web browser.
    The software giant called three of the flaws critical, but only one of them--a cross-site scripting error that affects only Internet Explorer 6.0--would allow an attacker or a worm to run a program on the victim's computer.

    "Two of them are critical because of the possibility of information disclosure," said Christopher Budd, security program manager for the Microsoft security response team. "But they have steep requirements."

    Read the rest of the story here and get the patches here.

    Windows XP users will be able to download them via windows update.

    TC

  2. #2
    AntiOnline Senior Member
    Join Date
    Oct 2001
    Posts
    514
    Hey TC, I just posted about that earlier. Its ok, I'm sure you just missed it.

    Where I posted: http://www.antionline.com/showthread...hreadid=228070

    Good heads up anyway.

    - ura
    [shadow]uraloony, Founder of Loony Services[/shadow]
    Visit us at
    [gloworange]http://www.loonyservices.com/[/gloworange]

  3. #3
    TechieChick
    Guest
    Yikes, sorry!
    I missed it.

    Would someone please close this thread?

  4. #4
    AntiOnline Senior Member
    Join Date
    Oct 2001
    Posts
    514
    Its no prob TC, as I already said Just a simple mistake.
    [shadow]uraloony, Founder of Loony Services[/shadow]
    Visit us at
    [gloworange]http://www.loonyservices.com/[/gloworange]

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    882
    Just fro the hel&(* of it. I decided to cruise over to windows update using my Tux box. Just to see what would happen. LOL

    Well here is what happened, nothing, absolutely nothing. Have a look.
    The COOKIE TUX lives!!!!
    Windows NT crashed,I am the Blue Screen of Death.
    No one hears your screams.


  6. #6
    TechieChick
    Guest
    I picture windowsupdate.com like Oz. Big room, lots of smoke and noise, lights flashing..and they know all. They know when you hit their site, they know what you need, what you have and if you're running XP, if you're legal or not.
    Now, if you hit windows update with a linux box, all heck breaks loose and chaos prevails till you leave and they can go back to work, while muttering..wow...that was close....but we chased him off.

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Unhappy

    I just recieved this in my inbox.. I have to say that if this is true (and I do not doubt the source) I do love M$ more and more .

    All mail from Bugtraq mailinglist..

    Update and comments on the MS02-023 patch, holes still remain


    --------------------------------------------------------------------------------

    The latest cumulative patch from Microsoft,
    http://www.microsoft.com/technet/sec.../MS02-023.asp, promises
    to eliminate "six newly discovered vulnerabilities", but fails to do so.

    First, we find what MS calls "A cross-site scripting vulnerability in a
    Local HTML Resource". This is obviously a reference to the dialogArguments
    vulnerability, and as such this mislabelling name does not bode well to
    begin with. In fact, MS seems to have misunderstood quite a number of issues
    surrounding this vulnerability. The first such is found in their list of
    mitigating factors:

    "A successful attack requires that a user first click on a hyperlink. There
    is no way to automate an attack using this vulnerability. "

    The above is blatantly untrue, and was repeatedly demonstrated to MS both in
    the initial notification phase and when we worked together to reproduce the
    issue. Nothing in the world stops this vulnerability from being
    automatically exploited.
    Another 'mitigating' factor:

    "Outlook 98 and 2000 (after installing the Outlook Email Security Update),
    Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted
    Sites Zone. As a result, customers using these products would not be at risk
    from email-borne attacks. "

    The above is merely misinformation on their parts. The Restricted Sites Zone
    tries to disable scripting ( a requisite for the dialogArguments
    vulnerability ), but many vulnerabilities allow you to circumvent this
    setting ( one such listed on /unpatched/ ). As such, you can still script in
    the Restricted Sites Zone, and as such "customers using these products" are
    still at risk from email-borne attacks.

    Aside from these misunderstandings it could appear as though Microsoft is
    not actively keeping up with the security community and its publications.
    The dialogArguments issue was originally demonstrated with a ressource file
    only found in Internet Explorer 6- Shortly after being disclosed GreyMagic
    Software highlighted how another ressource file was also vulnerable, which
    existed from IE5 and onwards. Microsoft has fixed the vulnerability in IE6
    _only_.

    I repeat, IE5 and IE5.5 are still vulnerable.

    The same severity rating (Critical) also apply to IE5 and IE5.5, with the
    exception that they still remain unpatched. The demonstration was fixed
    instead of the vulnerability. If you want to convince yourself about this
    (and still use the appareantly unsupported IE5 or IE5.5 browser), try the
    examples in GreyMagics appendix to my advisory at
    http://sec.greymagic.com/adv/gm001-ax/.

    Next, we find that the cssText vulnerability should be patched. Most of my
    systems behave properly and appear to have this vulnerability patched,
    though some still allow local file reading. More testing needed, but likely
    not a job full done. So far it appears patched.

    The "Script within Cookies Reading Cookies" vulnerability also have the same
    incorrect 'mitigating' factor as dialogArguments, and claims that

    "An attacker would have to entice a user to first click on a hyperlink to
    initiate an attempt to exploit this vulnerability. There is no way to
    automate an attack that exploits this vulnerability."

    Of course, this is also untrue since Internet Explorer comes equipped with a
    nice click method on links that a programmer can execute, duplicating an
    actual click (
    http://msdn.microsoft.com/workshop/a...hods/click.asp
    ). As such, nothing stops anyone from exploiting this vulnerability
    automatically.

    The "zone spoofing" vulnerability sounds interesting, but I can find no
    further details (MS is not exactly full disclosure).

    And finally we have two variants of the "Content Disposition" vulnerability.
    The first depends on an unknown thirdparty program (your guess is as good as
    mine). The second depends on an executable being present, and has a
    misinforming mitigating factor:

    "Any attempt to exploit the vulnerability requires that the attacker host a
    malicious executable on a server accessible to the intended victim. If the
    hosting server is unreachable for any reason, such as DNS blocking or the
    server being taken down, the attack would fail. "

    The above seems to discuss an email-borne attack, and as such there is no
    dependancy on external servers. Outlook can easily parse attached
    executables through CID: (Content-ID) and as such this mitigating factor is
    quite minute since the email itself would act as the hosting server.

    Yesterday I hosted a list of 14 publickly known unpatched vulnerabilities,
    today I host a list of 12 such. It can still be found at
    http://jscript.dk/unpatched/


    Just my .02 kroner of comments


    Regards
    Thor Larholm
    Jubii A/S - Internet Programmer
    Next mail and comment about M$ new patch.

    MS02-023 does not patch actual issue!


    --------------------------------------------------------------------------------

    Hello,

    Microsoft released a cumulative patch yesterday, which, among other issues,
    allegedly patches the dialogArguments vulnerability
    (http://jscript.dk/adv/TL002/).

    In their bulletin Microsoft makes several severe errors:

    1. "A cross-site scripting vulnerability in a Local HTML Resource..."

    No, Microsoft, the problem is not plain cross site scripting, the problem is
    that dialogArguments' security restrictions are bypassed and it is passed to
    the dialog even though it shouldn't. Please re-read the advisories.

    2. "A successful attack requires that a user first click on a hyperlink. There
    is no way to automate an attack using this vulnerability."

    This is simply wrong, the user doesn't have to click anything for this issue to
    be exploited, it can run automatically.

    3. Microsoft also claims that this issue only exists in IE6.

    Microsoft obviously doesn't follow Bugtraq. This issue also exists in IE5 and
    IE5.5, as we demonstrated in our GM#001-AX advisory.


    In conclusion, Microsoft did not understand the problem. They only patched a
    symptom of this vulnerability, not its root cause.

    As a result of that incomplete "patch" IE5 and IE5.5 are still very much
    vulnerable to this attack in other resources. For a demonstration see
    http://sec.greymagic.com/adv/gm001-ax/.

    We hope that Microsoft fixes the actual issue this time, and not just the
    resource file.

    Regards,
    - GMS.
    And the final mail this evening.

    [SNS Advisory No.48] Microsoft Internet Explorer Still Download And Execute ANY Program Automatically


    --------------------------------------------------------------------------------

    ----------------------------------------------------------------------
    SNS Advisory No.48
    Microsoft Internet Explorer Still Download And Execute ANY Program Automatically

    Problem first discovered: Wed, 13 Feb 2002
    Published: Mon, 18 Mar 2002
    Revised: Thu, 16 May 2002
    ----------------------------------------------------------------------

    Overview:
    ---------
    Microsoft Internet Explorer contains a vulnerability which allows
    for downloading of a file and its automatic execution under several
    circumstances without the knowledge of the user. If a malicious
    webmaster creates a website containing malicious contents that can
    exploit this problem, and if the user has access to these contents
    using Internet Explorer under specific environments, then arbitrary
    programs specified by the administrator will be automatically
    downloaded and executed on the user's system.

    Problem Description:
    --------------------
    A vulnerability exists in Microsoft Internet Explorer which could
    lead to automatic downloading and execution of a file under several
    environments. This can be achieved when a user views contents
    including the following header in HTTP responses:

    Content-Type: audio/x-ms-wma
    Content-disposition: inline; filename="foo.exe"

    It is important to note that the above-mentioned description is just
    an example and that this vulnerability has been confirmed exploitable
    using other Content-Type: headers, such as Content-Type: audio/midi.

    This vulnerability affects the following environments: (our previous
    advisory stated that only IE 6 was affected by this vulnerability,
    however, it has been confirmed through further investigation that
    IE 5.01 SP2 is also vulnerable to this issue)

    (1) Windows NT 4.0 Workstation + SP6a
    + IE 6 + all available fixes [Japanese version]

    (2) Windows NT 4.0 Workstation + SP6a + Windows Media Player 6.4
    + IE 6 + all available fixes [Japanese version]

    (3) Windows 2000 Professional + SP2 + SRP1 + Windows Media Player 6.4
    + IE 6 + all available fixes [Japanese version]

    (4) Windows 2000 Professional + SP2 + SRP1 + Windows Media Player 6.4
    + IE 5.01 SP2 + all available fixes [Japanese version]

    (5) Windows 98 + Windows 98 System Update + Windows Media Player 6.4
    + IE 6 + all available fixes [Japanese version]

    (6) Windows 2000 Professional + SP2 + SRP1 + Windows Media Player 7.1
    + IE 6 + Office 2000 SR-1 + all available fixes [Japanese version]

    Note: Windows Media Player 6.4 is installed by default on Windows 2000
    and Windows 98.

    Solution:
    ---------
    This problem can be eliminated by applying a patch based on the
    information provided by Microsoft Security Bulletin MS02-023.

    Microsoft Security Bulletin 02-023:
    http://www.microsoft.com/technet/tre...n/MS02-023.asp

    Discovered by:
    --------------
    Yuu Arai (LAC) y.arai@lac.co.jp

    Acknowledgements:
    -----------------
    Thanks to:

    Microsoft Security Response Center
    Japan PSS Security Response Team of Microsoft Asia Limited

    Disclaimer:
    -----------
    All information in these advisories are subject to change without any advanced
    notices neither mutual consensus, and each of them is released as it is. LAC
    Co.,Ltd. is not responsible for any risks of occurrences caused by applying those
    information.

    ------------------------------------------------------------------
    SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp>
    Computer Security Laboratory, LAC http://www.lac.co.jp/security/
    Sorry for the long reply..

    ~micael

  8. #8
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    Gee michaael, your to fast for me. I wanted to post that the patches were worthless and didn't actually fix all the problems Maybe I will get to be first when someone finds a new vulnerabilty because of the patch....
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  9. #9
    TechieChick
    Guest
    It shouldn't take long Soulman....you know it's a vicious circle.

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    Originally posted here by souleman
    Gee michaael, your to fast for me. I wanted to post that the patches were worthless and didn't actually fix all the problems Maybe I will get to be first when someone finds a new vulnerabilty because of the patch....
    In a lame attempt to defend myself I have to say that Im an newsletter addict aswell as addicted to AO . souleman if you promise to post faster next time I promise to be quiet a bit longer .

    ~micael

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •