Microsoft has updated its recent security bulletin MS01-055 by adding a patch to address all previously known cookie vulnerabilities affecting IE 5.5 Service Pack 2 and IE 6, as well as three new security holes.
Among other things, this updated release of MS01-055 lets customers who were told to disable Active Scripting reactivate it after applying the patch. But the most important aspect of this bulletin is probably the fact that the patch fixes several big holes in IE all at once.
If you’ve been keeping up with the steady stream of Microsoft IE patches, your user systems are exposed to only a few of these vulnerabilities. However, with denial of service and other serious attacks against Microsoft products, such as IIS, along with the low priority that Web surfing rightly has in a lot of offices anyway, many security managers have tended to ignore browser patches.
Installing these patches immediately takes on a special significance as workers begin looking for bargains online to fill holiday wish lists. You can expect a surge of nonbusiness Web browsing in the next month, and that increases the dangers addressed by these patches.
Risk level: High
Microsoft rates each of these threats separately as only moderate, but in my opinion, these flaws—when considered all together—can pose a significant threat to security by allowing third parties to capture and even alter data in cookies.
Microsoft identifies IE 5.5 and up as being vulnerable, but since the company no longer supports earlier versions, the bulletin doesn’t address the question of whether earlier versions contain the same security holes. If you have the initial version of IE that shipped with Windows 2000, for instance, you have only IE version 5.00.x.
The initial release of bulletin MS01-055 recommended deactivating Active Scripting until a patch was released. Applying this patch eliminates one particular threat, allowing you to turn this feature back on if you feel it’s a good idea in the general scheme of things.
Two new threats are related to how IE manages cookies as you move between domains. The underlying problems are not related, but both allow unauthorized access to data held in your cookies.
The third new problem is a variant of the flaw in the way IE handles dotless IP addresses. That flaw was addressed in MS01-051 and in the Oct. 22, 2001, edition of The Locksmith.
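A dotless IP address is an IPv4 address written as a single integer (decimal, hex or octal) rather than four dotted octets. The following is an added example, not code from Microsoft or from the original article: it flags URLs with such hosts in proxy logs or mail bodies so they can be reviewed. The log format, user names and function names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One integer token with no dots: 0x-prefixed hex, or digits (decimal/octal).
_DOTLESS = re.compile(r"^(0x[0-9a-f]+|[0-9]+)$", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def dotless_to_ipv4(host):
    """Return the dotted-quad form of a dotless IPv4 host, or None."""
    if not _DOTLESS.match(host):
        return None
    try:
        if host[:2].lower() == "0x":
            value = int(host, 16)
        elif len(host) > 1 and host[0] == "0":
            value = int(host, 8)      # leading zero: octal, as inet_aton reads it
        else:
            value = int(host, 10)
    except ValueError:                # e.g. "089" is not valid octal
        return None
    if value > 0xFFFFFFFF:            # does not fit in 32 bits
        return None
    return str(ipaddress.IPv4Address(value))

def find_dotless_urls(text):
    """Return (url, dotted_quad) for every URL whose host is a dotless IP."""
    hits = []
    for url in _URL.findall(text):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:            # malformed URL, skip it
            continue
        dotted = dotless_to_ipv4(host)
        if dotted:
            hits.append((url, dotted))
    return hits

# Constructed proxy-log lines (hypothetical format and users), for illustration.
SAMPLE = """\
2001-11-19 09:14:02 jsmith GET http://www.example.com/index.html
2001-11-19 09:14:40 jsmith GET http://3232235777/offers.htm
2001-11-19 09:15:11 mlee GET http://0xC0A80102/login
2001-11-19 09:15:30 mlee GET http://192.168.1.3/status
2001-11-19 09:16:05 akhan GET http://030052000404:8080/
"""

if __name__ == "__main__":
    for url, dotted in find_dotless_urls(SAMPLE):
        print(f"{url} -> {dotted}")
```

Ordinary dotted-quad hosts and DNS names are deliberately left alone, so only the single-integer form is reported.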
As usual with HTML-based attacks, users are vulnerable to these attacks only if they open an HTML-formatted e-mail or are enticed to visit a Web site where malicious content is posted (it will probably be invisible).
The need to open e-mail from a stranger or visit a new Web site brings these attacks into the realm of social engineering, but we all know just how quickly bored workers with Internet access can switch from doing regular work to doing a bit of quick surfing.
If you installed the latest Outlook e-Mail Security Update or installed Outlook 2002 from Office XP, your users are already protected from HTML e-mail attacks addressed by these patches.
If you have configured Outlook Express on your systems to use the Restricted Sites zone, you are protected from some of the vulnerabilities. This setting automatically disables Active Scripting, which lies at the heart of some of the attack scenarios. Restricted Sites is the default setting for Outlook Express 6.0, but you may want to check to confirm that users haven’t altered it.
I’m pretty careful about the Web sites I visit and I avoid HTML e-mail on principle—just wading through text junk mail is bad enough without waiting for all those fancy graphics and colors to load, so I presume that most power users and security experts probably wouldn’t run into any of these vulnerabilities. Neither would any workers who follow best practices involving e-mail and Web usage.
But our concern is the average office user, and if you have ignored a lot of these patches until now, this may be the time to take precautions. In addition to the increased threat from holiday shoppers, there is also a threat from growing numbers of workers who are possibly disgruntled due to layoffs and cutbacks. Departing or recently terminated workers have the most informed entry into your company. What employee wouldn’t automatically open an e-mail or visit a Web site recommended by a longtime coworker who has just departed?