
Get the details on three new Microsoft flaws

Multiple Microsoft server and desktop products have been touched by three recently released security bulletins. Learn about the damage these flaws could cause and how they could affect your organization.


Microsoft recently released three new security bulletins containing critical flaws—MS02-008, MS02-009, and MS02-010. These threats can be described as follows:
  • MS02-008—Some XMLHTTP ActiveX controls let attackers access local files. The XMLHTTP ActiveX control is part of XML Core Services (MSXML), which enables data sharing between Web sites and user computers. The vulnerability is due to a design flaw that causes XMLHTTP to ignore the Internet Explorer security zone settings. This flaw could allow attackers to build a Web site that gathers information from any system containing the XMLHTTP control when a user visits the attacker's Web site.
  • MS02-009—A flaw in the way Internet Explorer handles some VBScripts that deal with frames lets Web pages access local files on a visitor’s computer. This vulnerability affects all installations using Internet Explorer versions 5.01 or later. VBScript frame scripts should be permitted to access only content from the same site or domain. Microsoft addressed this by creating a domain security model that is supposed to enforce restrictions on scripts. But a flaw in the way VBScript code is validated in the affected Internet Explorer versions allows cross-domain access.
  • MS02-010—An unchecked buffer in the ISAPI filter allows attackers to gain control of Commerce Server 2000 installations and run any code of their choice. AuthFilter is one of the tools Commerce Server 2000 uses to provide authentication. An unchecked buffer can allow an attacker to bypass this check and run code with Local System privileges in the Commerce Server. Commerce Server is related to IIS because it uses IIS to provide some essential Web server capabilities but provides additional capabilities including usage monitoring. AuthFilter is a part of Commerce Server 2000 but is not a part of IIS, so IIS servers are not at risk from this vulnerability.

Risk levels
For both of the first two threats, XMLHTTP and VBScripts, the threat level is moderate for Internet and intranet servers but critical for client systems. The Commerce Server vulnerability poses a critical risk for both Internet and intranet servers but includes no threat to client systems.

Applicability
MS02-008—This is an XMLHTTP issue that affects any systems using Microsoft XML Core Services 2.6, 3.0, and 4.0. XML Core Services ship as part of Windows XP, SQL Server 2000, and Internet Explorer 6.0. Since MSXML can be installed separately from the listed programs, the vulnerability can also affect other systems that haven’t installed these programs. To see if your system is vulnerable, just look in C:\Windows or C:\Winnt for MSXML2.DLL, MSXML3.DLL, and MSXML4.DLL. If you find any of those three, apply the patch. If your system has only the earlier version, MSXML.DLL, the patch isn’t needed.
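
The file check described above can be scripted so that it runs the same way on every machine. The following PowerShell is an added example, not part of the original article or of any Microsoft tool; the function name Get-MsxmlExposure, the recursive search below each root, and the NeedsPatch field are assumptions made for illustration.

```powershell
# Added example: inventory the MSXML DLLs named in the MS02-008 discussion.
# Roots follow the article (C:\Windows, C:\Winnt). Searching subfolders is an
# assumption, because the DLLs usually sit in a system subdirectory.
function Get-MsxmlExposure {
    param(
        [string[]]$Roots = @('C:\Windows', 'C:\Winnt')
    )

    $affected   = 'msxml2.dll', 'msxml3.dll', 'msxml4.dll'  # versions the article says need the patch
    $unaffected = 'msxml.dll'                                # earlier version: patch not needed
    $known      = $affected + $unaffected

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # only one of the two roots normally exists

        Get-ChildItem -LiteralPath $root -Filter 'msxml*.dll' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $known -contains $_.Name } |          # -contains is case-insensitive
            ForEach-Object {
                [pscustomobject]@{
                    Name        = $_.Name
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion     # reported for comparison with the bulletin
                    NeedsPatch  = $affected -contains $_.Name
                }
            }
    }
}

$found = @(Get-MsxmlExposure)
$found | Format-Table -AutoSize

if ($found | Where-Object { $_.NeedsPatch }) {
    'MSXML2/3/4 present: apply the MS02-008 patch.'
} elseif ($found.Count -gt 0) {
    'Only MSXML.DLL present: the MS02-008 patch is not needed.'
} else {
    'No MSXML DLLs found under the searched roots.'
}
```

File presence alone does not show whether the patch has already been applied, so treat a positive result as a prompt to check the bulletin.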

MS02-009—All installations of Internet Explorer 5.01, 5.5, and 6.0 are affected by this VBScript threat, which can be initiated by visiting a Web site or by opening an HTML e-mail. The vulnerability exists in VBScript.dll, which ships with IE as well as Microsoft Windows Script. The threat could allow attackers to access local files on a user’s system.

MS02-010—This unchecked buffer in ISAPI AuthFilter applies only to Microsoft Commerce Server 2000.

Mitigating factors
MS02-008—An attacker wanting to take advantage of this vulnerability would have to trick users into visiting a malicious Web site. This attack could not be initiated through HTML e-mail and doesn’t allow an attacker to alter files or run code on the target system. The attacker can only read local files and, to do that, would need to know the precise name and location of the file.

MS02-009—Like MS02-008, this flaw allows attackers to view but not otherwise modify or execute files, and files can be viewed only if the attacker can specify the exact name and location of the file. Although this attack can be initiated via e-mail, it would be blocked if the user downloads e-mail with Outlook 98 or Outlook 2000 and has the Outlook E-mail Security Update installed.

MS02-010—Customers using IIS are not at risk. Well-configured systems will prevent an attack from spreading from the Commerce Server to other systems. The ISAPI filter is installed by default, but it is not enabled by default on a Web site. It must be enabled through the Commerce Server Administration Console. URLScan provides some protection. (For details, see the following section.)

Fix
MS02-008—The patch corrects the problem of the ActiveX control ignoring security settings.

MS02-009—This patch creates domain verification handling for VBScript. However, Microsoft doesn’t support versions of Internet Explorer earlier than IE 5.01 SP2 and makes no statement as to whether they may be vulnerable. Although e-mail attacks would be defeated if you installed the Outlook E-mail Security Update on Outlook 98 or 2000, this would not protect against attacks launched from a Web site, so the IE patch still needs to be applied.

MS02-010—URLScan is a security tool often used to help protect Commerce Server, and if it is installed, it will block attackers from gaining control over the server through this vulnerability. However, it won't prevent a denial of service attack, so the patch should still be applied even at sites that use URLScan.

Final word
I haven't listed specific patch locations because there may be changes and updates. The best way to obtain current information on patches is to access them directly through the specific Microsoft Security Bulletins for each vulnerability.
