[SECURITY-L] New vulnerabilities in IE and release of the Cumulative Patch

Daniela Regina Barbetti Silva daniela at ccuec.unicamp.br
Tue Apr 2 11:28:05 -03 2002


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS-Alerta: New vulnerabilities in IE and release of the Cumulative Patch
To: <rnp-alerta at cais.rnp.br>, <rnp-seg at cais.rnp.br>
Date: Tue, 2 Apr 2002 08:59:53 -0300 (EST)

Dear all,

CAIS is forwarding the Microsoft alert "Microsoft Security Bulletin
MS02-015", which covers the identification of two new vulnerabilities in
the Internet Explorer browser and the release of the cumulative patch.

The first vulnerability is related to elevation of privilege. An attacker
who manages to exploit this vulnerability will be able to remotely run
HTML scripts from a web site as if they were being run locally, on the
user's system. The scripts can cause arbitrary actions to be performed on
the system. Obviously, these actions will be limited to the privileges
associated with that user.

The second vulnerability is related to the remote execution of programs
residing on a user's machine.

In both cases, the attacker can use social engineering techniques to get
unsuspecting users to browse intentionally malformed pages that allow
these vulnerabilities to be exploited, or this malicious HTML content can
be sent by e-mail.

Note that the released patch is cumulative, that is, once installed, it
eliminates all previously disclosed vulnerabilities affecting IE 5.01,
5.5 and 6, in addition to the two new ones covered in this alert.

Affected Systems:

	. Microsoft Internet Explorer 5.01
	. Microsoft Internet Explorer 5.5
	. Microsoft Internet Explorer 6.0

Available fixes:

	http://www.microsoft.com/windows/ie/downloads/critical/Q319182/default.asp

More information:

	http://www.microsoft.com/technet/security/bulletin/ms02-015.asp

CVE identifiers (http://cve.mitre.org):

	. CAN-2002-0077 and CAN-2002-0078


CAIS strongly recommends that Windows system administrators keep their
systems up to date.


Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais at cais.rnp.br     http://www.cais.rnp.br                  #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

----------------------------------------------------------------------
Title:      28 March 2002 Cumulative Patch for Internet Explorer
Date:       28 March 2002
Software:   Internet Explorer
Impact:     Two vulnerabilities, the most serious of which
            would allow script to run in the Local Computer Zone.
Max Risk:   Critical
Bulletin:   MS02-015

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-015.asp.
----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and IE 6. In addition,
it eliminates the following two newly discovered vulnerabilities:

 - A vulnerability in the zone determination function that could
   allow a script embedded in a cookie to be run in the Local
   Computer zone. While HTML scripts can be stored in cookies,
   they should be handled in the same zone as the hosting site
   associated with them, in most cases the Internet zone. An
   attacker could place script in a cookie that would be saved
   to the user's hard disk. When the cookie was opened by the
   site the script would then run in the Local Computer zone,
   allowing it to run with fewer restrictions than it would
   otherwise have.

 - A vulnerability in the handling of object tags that could
   allow an attacker to invoke an executable already present
   on the user's machine. A malicious user could create an HTML
   web page that includes this object tag and cause a local
   program to run on the victim's machine.

Mitigating Factors:
====================
Cookie-based Script Execution:

 - The script would run with the same rights as the user.
   The specific privileges the attacker could gain through
   this vulnerability would therefore depend on the
   privileges accorded to the user. Any limitations on a
   user's account, such as those applied through Group
   Policies, would also limit the actions of any script
   executed by this vulnerability.

Local Executable Invocation via Object tag:

 - The vulnerability would not enable the attacker to pass
   any parameters to the program. Microsoft is not aware of
   any programs installed by default in any version of
   Windows that, when called with no parameters, could be
   used to compromise the system.

 - An attacker could only execute a file on the victim's
   local machine. The vulnerability could not be used to
   execute a program on a remote share or web site.

 - The vulnerability would not provide any way for an
   attacker to put a program of his choice onto another
   user's system.

 - An attacker would need to know the name and location
   of any executable on the system to successfully invoke it.

 - Outlook 98 and 2000 (after installing the Outlook Email
   Security Update), Outlook 2002, and Outlook Express 6 all
   open HTML mail in the Restricted Sites Zone. As a result,
   customers using these products would not be at risk from
   email-borne attacks.

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-015.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Andreas Sandblad, Sweden for reporting the Cookie-based Script
   Execution issue

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION
OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.





----- End forwarded message -----



