M$ patch can lock users out of Web sites
Results 1 to 5 of 5

Thread: M$ patch can lock users out of Web sites

  1. #1
    Member
    Join Date
    Jan 2003
    Posts
    73

    M$ patch can lock users out of Web sites

    Hey All,

    A recent Microsoft Corp. security patch for Internet Explorer (IE) can lock users out of certain Web sites and Microsoft's own MSN e-mail service, Microsoft said late Wednesday.

    The issue affects the cumulative patch for IE versions 5.01, 5.5 and 6.0 released on Feb. 5 and rated "critical" by Microsoft. The software maker released a software fix to correct the bug, according to the revised MS03-004 security bulletin. http://www.microsoft.com/technet/sec...n/MS03-004.asp
    Full story Here

    I havnt personally experienced any problems myself , but just in case any of you have I thought this may be of some use when i read it

  2. #2
    I wonder what websites they blocked *cough*opensource.org*cough*

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Yeah, I haven't seen this issue pop up yet either.

    Here is another site reporting this issue:

    http://www.entmag.com/news/article.a...torialsID=5698
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    686
    Yeah really, something like that from Microsoft doesn't sound like it wans't planned. They probably just had someone complain about it, and rather than looking like @$$es they said... "Oh it must be a problem with the software, we'll get a patch out ASAP". Oh god, that is almost so funny it should be in the tech humor section!
    [shadow]There is no right and wrong, only fun and boring...
    Formatting my server because someone hacked into it sounds pretty boring to me...
    That\'s why it\'s all about AntiOnline.com!
    [/shadow]

  5. #5
    Member GandalfTheGray's Avatar
    Join Date
    Jan 2003
    Posts
    96
    This may be the MS patch to address the issue.

    - ----------------------------------------------------------------------
    Title: Cumulative Patch for Internet Explorer (810847)
    Released: 5 February 2003
    Revised: 12 February 2003(version 2.0)
    Software: Microsoft Internet Explorer 5.01
    Microsoft Internet Explorer 5.5
    Microsoft Internet Explorer 6.0
    Impact: Allow an attacker to execute commands on a user's
    system.
    Max Risk: Critical
    Bulletin: MS03-004

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/sec...n/MS03-004.asp
    http://www.microsoft.com/security/se...s/ms03-004.asp
    - ----------------------------------------------------------------------

    Reason for Revision:
    ====================
    Subsequent to the initial release of this bulletin, a non-security
    issue was discovered with this patch that could affect some users -
    primarily consumers - under certain conditions. Specifically, the
    issue could cause some users to be unable to authenticate to
    certain Internet web sites such as subscription based sites, or MSN
    e-mail. This issue has been resolved, and a hot fix (813951) issued
    to correct it. It is important to note that this hot fix corrects a
    very specific non-security issue, and that the security patch
    discussed in this Security Bulletin was, and still is, effective in
    removing the vulnerabilities discussed later in this bulletin. More
    information, including details of how to obtain the hot fix are
    available at:
    http://www.microsoft.com/windows/ie/...l/813951/defau
    lt.asp and in the Frequently Asked Questions section of this
    bulletin.

    Issue:
    ======

    This is a cumulative patch that includes the functionality of all
    previously released patches for IE 5.01, 5.5, 6.0. In addition, it
    eliminates two newly discovered vulnerabilities involving Internet
    Explorer's cross-domain security model - which keeps windows of
    different domains from sharing information. These flaws results in
    Internet Explorer because incomplete security checking causes
    Internet Explorer to allow one website to potentially access
    information from another domain when using certain dialog boxes.
    In order to exploit this flaw, an attacker would have to host a
    malicious web site that contained a web page designed to exploit
    this particular vulnerability and then persuade a user to visit
    that site. Once the user has visited the malicious web site, it
    would be possible for the attacker to run malicious script by
    misusing a dialog box and cause that script to access information
    in a different domain. In the worst case, this could enable the web
    site operator to load malicious code onto a user's system. In
    addition, this flaw could also enable an attacker to invoke an
    executable that was already present on the local system.

    A related cross-domain vulnerability allows Internet Explorer's
    showHelp() functionality to execute without proper security
    checking. showHelp() is one of the help methods used to display an
    HTML page containing help content. showHelp() allows more types of
    pluggable protocols than necessary, and this could potentially
    allow an attacker to access user information, invoke executables
    already present on a user's local system or load malicious code
    onto a user's local system.

    The requirements to exploit this vulnerability are the same as for
    the issue described above: an attacker would have to host and lure
    a user to a malicious web site. In this scenario, the attacker
    could open a showHelp window to a known local file on the visiting
    user's local system and gain access to information from that file
    by sending a specially crafted URL to a second showHelp window. The
    attacker could also potentially access user information or run code
    of attacker's choice.

    This cumulative patch will cause window.showHelp( ) to cease to
    function. When the latest HTML Help update - which is being
    released via Windows Update with this patch - is installed,
    window.showHelp( ) will function again, but with some limitations
    (see the caveats section later in this bulletin). This has been
    necessary in order to block the attack vector that might allow a
    web site operator to invoke an executable that was already present
    on a user's local system.

    Mitigating Factors:
    ====================
    - -The attacker would have to host a web site that contained a
    web page used to exploit either of these cross-domain
    vulnerabilities.
    - -The attacker would have no way to force users to visit the
    site. Instead, the attacker would need to lure them there,
    typically by getting them to click on a link that would take them
    to the attacker's site.
    - -By default, Outlook Express 6.0 and Outlook 2002 open HTML
    mail in the Restricted Sites Zone. In addition, Outlook 98 and 2000
    open HTML mail in the Restricted Sites Zone if the Outlook Email
    Security Update has been installed. Customers who use any of these
    products would be at no risk from an e-mail borne attack that
    attempted to exploit this vulnerability unless the user clicked a
    malicious link in the email.
    - -Internet Explorer 5.01 users are not affected by the first
    vulnerability.

    Risk Rating:
    ============
    - Critical

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
    Security Bulletins at
    http://www.microsoft.com/technet/sec...n/ms03-004.asp
    http://www.microsoft.com/security/se...s/ms03-004.asp
    for information on obtaining this patch.

    Acknowledgment:
    ===============
    - Microsoft thanks Andreas Sandblad, Sweden for reporting the
    cross domain vulnerability using showHelp and for working with us
    to protect customers.

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
    PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
    ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
    OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO
    EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
    ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
    CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
    MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
    OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
    SO THE FOREGOING LIMITATION MAY NOT APPLY.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •