Microsoft has recently released Security Bulletin MS02-005, which includes a cumulative patch for IE 5.01 and later. According to Microsoft, this patch addresses all earlier known security vulnerabilities in IE 5.01, IE 5.5, and IE 6.0, as well as six new vulnerabilities.
Although several of these new vulnerabilities in IE are classified as only moderate threats, an HTML buffer overrun flaw could allow attackers to gain user-level access to any computer that connects to a malicious Web site or that opens an HTML e-mail. This represents a critical threat to IE 5.5 and IE 6.0.
A Pandora’s box of flaws
The background on one or more of these threats is pretty vague, but according to security researchers Thor Larholm and Tom Gilder, it appears that Microsoft knew about the critical threat for several months before posting an initial patch on Feb. 10. The researchers also state that this patch and MS02-005 were pulled by Microsoft two hours later. Microsoft didn’t supply details, but according to a ZDNet article, the company implied that it was a technical problem and said that anyone who had downloaded and applied the patch should not encounter any problems.
Despite the patches provided with MS02-005, Larholm and Gilder still contend that there are unpatched vulnerabilities in IE and that an earlier cumulative patch provided in MS01-058 didn’t work. They also say that there are still unpatched vulnerabilities in Windows 95, Windows 98, and XP, which Microsoft has failed to address.
Be that as it may, I was unable to find any claims that the patch currently available as part of MS02-005 causes any harm, and since it does address some critical vulnerabilities, it should be installed even if it turns out that, contrary to Microsoft’s claims, it doesn’t address all known problems.
Threat level—critical
The threat levels of the individual vulnerabilities in MS02-005 range from moderate to critical; however, taken together, these six flaws represent a critical threat. Here are the details for each vulnerability:
- Buffer Overrun in HTML directive (CAN-2002-0022)—This critical threat lets an attacker run code of their choosing on a server or client system if a user visits a malicious site or opens an HTML e-mail. The code runs with the privileges of the logged-on user, so the damage depends on that user's permissions; an administrator's session gives the attacker everything. Note that IE 5.01 is not vulnerable to this flaw.
- GetObject scripting command spoof (CAN-2002-0023)—This is a moderate threat on servers and a critical threat on client systems. It allows an attacker to read files on the vulnerable system either through a malicious Web site or HTML e-mail. It will not allow the attacker to alter files.
- Download dialog spoofing via content-type and content-id fields (CAN-2002-0024)—This is a moderate threat on servers and client systems. It will cause the wrong filename to appear in a file download dialog box, which could trick users into downloading a malicious file. Microsoft says that this is not the same vulnerability discussed in MS01-058.
- Application invocation via content-type field (CAN-2002-0025)—This is a moderate threat on both servers and client systems that allows a malicious Web page to launch a program already present on the vulnerable system. Although Microsoft lists this as a moderate threat, I consider it critical because the program launched could be one that does real damage, such as a disk-formatting utility.
- Script execution (CAN-2002-0026)—This is another moderate threat on both servers and client systems. It allows a malicious Web site to cause IE 5.5 and IE 6.0 to bypass protections against running arbitrary scripts. IE 5.01 is not vulnerable to this flaw.
- Frame domain verification via document.open (CAN-2002-0027)—This is a moderate threat on servers and a critical threat on client systems. It’s a variation of the vulnerability discussed in MS01-058 and poses threats similar to the GetObject scripting spoof, including the ability to read files on vulnerable systems. IE 5.01 is not vulnerable to this flaw.
There are also some mitigating factors for each vulnerability:
- Buffer Overrun in HTML directive—Outlook 98 or 2000 with the Outlook E-mail Security Update installed, Outlook 2002, and Outlook Express 6 block the e-mail form of the attack. For the attack to succeed, Run ActiveX Controls And Plug-ins must be enabled for the zone in which the page or message is rendered. That setting is enabled by default in the Internet Zone, so a Web-based attack works against a stock IE installation. It is disabled in the Restricted Sites Zone, which is where Outlook 2002 and Outlook Express 6 open HTML e-mail by default, so the e-mail attack is less dangerous on standard installations.
- GetObject scripting command spoof—This attack can only read a file, and only if the attacker knows the file's name and location on the user's system and the OS does not have the file locked. Microsoft points out that the SAM database, which holds the system's password hashes, is locked by the OS and so cannot be read this way. The Outlook versions listed above block the e-mail-borne form of the attack but not a Web site-based one.
- Download dialog spoofing via content-type and content-id fields—IE 6.0 has a particularly dangerous default: it runs downloaded files rather than saving them. The patch changes that default to save, as in the other versions, and forces the download dialog to display the correct filename. IE 5.01 and IE 5.5 already save by default, and the saved file keeps its real name and extension, so a cautious user who notices that the name on disk differs from the one shown in the dialog won't run a malicious file by mistake. Many users, of course, won't notice the change or won't know that a saved file should keep the name the dialog showed.
- Application invocation via content-type field—Microsoft says that an attacker could not download new files to execute and could only launch programs that are already on the vulnerable computer and that the user has permission to run. That understates the risk: Microsoft also states that the vulnerability allows an attacker to construct a Web page that causes a Word document to be downloaded and opened even if it contains an auto-executing macro. Configuring Word not to run macros moderates that risk, but I see no reason why this couldn't be used to deliver a macro virus.
- Script execution—By itself, this vulnerability doesn't give script any capability that IE's scripting controls are meant to deny; what it does is let a page run script at all, even when the user's zone settings should prevent it. Combined with the other flaws in this bulletin, which do let script cause damage, that amounts to a bypass of the user's settings. Microsoft claims that the cumulative patch fixes all known problems involving scripting.
- Frame domain verification via document.open—Similar to the GetObject spoof vulnerability, this would allow the attacker to open only files that can normally be viewed in a browser window (images, text, or HTML).
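The two download-related flaws above (dialog spoofing via the content-type and content-id fields, and application invocation via the content-type field) and their mitigations all come down to response headers that disagree about what a file is. As an added example, not from the bulletin or from Larholm and Gilder, here is a small Python audit of a response header block: it reports when the URL name, the Content-Disposition name and the Content-ID point at different file types, when a text or image type carries an executable name, and when an Office type that IE hands to an external application arrives under a non-Office name. The sample responses, the example.test URLs and the extension and type tables are constructed assumptions for illustration.

```python
"""Audit an HTTP response header block for the Content-Type / Content-Disposition /
Content-ID disagreements behind the MS02-005 download-dialog and application-invocation
flaws.  Added example; header names are standard HTTP/MIME, the sample responses and the
policy tables below are constructed for illustration."""
import posixpath
from email.parser import HeaderParser
from urllib.parse import urlparse

# Extensions the Windows shell treats as executable once the file is on disk (assumed list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".hta", ".msi"}
# Types IE hands to an external application instead of rendering (the CAN-2002-0025 path);
# the value is the extension a user would expect for that type (assumed table).
APP_INVOKING_TYPES = {"application/msword": ".doc", "application/vnd.ms-excel": ".xls"}
# Types a user would reasonably expect to be safe to open in the browser (assumed list).
DISPLAY_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg", "image/png"}


def parse_response(raw):
    """Split a raw response into (status code, parsed header Message)."""
    status_line, _, header_text = raw.lstrip().partition("\n")
    code = int(status_line.split()[1])
    return code, HeaderParser().parsestr(header_text)


def name_candidates(url, msg):
    """Every name a download dialog might show for this response, keyed by its source."""
    names = {}
    path_name = posixpath.basename(urlparse(url).path)
    if path_name:
        names["url"] = path_name
    disp_name = msg.get_filename()          # Content-Disposition filename=, else Content-Type name=
    if disp_name:
        names["content-disposition"] = disp_name
    content_id = msg.get("Content-ID")
    if content_id:
        names["content-id"] = content_id.strip().strip("<>")
    return names


def audit(url, raw):
    """Return a list of findings; an empty list means the headers agree with each other."""
    _, msg = parse_response(raw)
    ctype = msg.get_content_type()          # lower-cased type/subtype; text/plain if absent
    names = name_candidates(url, msg)
    exts = {src: posixpath.splitext(name)[1].lower() for src, name in names.items()}
    findings = []
    # 1. URL, Content-Disposition and Content-ID do not agree on the extension, so the
    #    dialog may show one name while a differently typed file lands on disk.
    if len(set(exts.values())) > 1:
        findings.append("download name disagrees across headers: "
                        + ", ".join(f"{src}={name}" for src, name in names.items()))
    # 2. A display type (text, image) is carrying an executable name.
    if ctype in DISPLAY_TYPES and any(e in EXECUTABLE_EXTS for e in exts.values()):
        findings.append(f"executable extension behind display type {ctype}")
    # 3. The type will launch an external application although the name says otherwise.
    want = APP_INVOKING_TYPES.get(ctype)
    if want and any(e != want for e in exts.values()):
        findings.append(f"{ctype} is handed to an external application but the name does not end in {want}")
    return findings


# Constructed sample responses (not captured traffic).
BENIGN = """HTTP/1.1 200 OK
Content-Type: text/plain
Content-Disposition: attachment; filename="readme.txt"
Content-Length: 12
"""
SPOOFED = """HTTP/1.1 200 OK
Content-Type: text/plain
Content-Disposition: attachment; filename="readme.txt"
Content-ID: <update.exe>
"""
OFFICE = """HTTP/1.1 200 OK
Content-Type: application/msword
Content-Disposition: inline; filename="notes.txt"
"""

if __name__ == "__main__":
    for url, raw in [("http://example.test/files/readme.txt", BENIGN),
                     ("http://example.test/files/update.exe", SPOOFED),
                     ("http://example.test/notes.txt", OFFICE)]:
        print(url, audit(url, raw) or ["ok"])
```

Run at a proxy or mail gateway, a check like this does not decide whether a response is malicious; it flags the ones whose headers would make the download dialog lie, which is exactly the class of response an unpatched IE 5.5 or 6.0 user should not be trusted to judge by eye.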
Fix—apply patch and block scripts
The patch supplied with this bulletin supersedes the one provided with MS01-058, which was also a cumulative patch. Larholm and Gilder recommend that in addition to installing the patch, users block all scripting until Microsoft introduces further patches.
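Whether the buffer overrun's mitigation holds, and whether the "block all scripting" advice is actually in force, is decided by two per-zone settings in the registry: Run ActiveX Controls And Plug-ins and Active Scripting. As an added example, not from Microsoft or from Larholm and Gilder, here is a Python audit that reads those settings for the current user, compares them against a policy of having both disabled in the Internet and Restricted Sites zones, and can write the policy back. The zone subkeys, action IDs and values are the real IE registry identifiers; the policy itself and the STOCK_IE6 snapshot are assumptions constructed for illustration, and the registry calls need Windows.

```python
"""Audit (and optionally enforce) the IE security-zone actions that MS02-005's mitigating
factors hinge on.  Added example, not from the bulletin: the zone numbers, action IDs and
values are IE's real registry identifiers; the policy of disabling both actions in the
Internet and Restricted Sites zones is the 'block all scripting' advice taken as an
assumption.  evaluate() is platform-neutral; the registry reader and writer need Windows."""
try:
    import winreg            # Windows only
except ImportError:          # elsewhere only evaluate() is usable
    winreg = None

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET, RESTRICTED = "3", "4"          # zone subkeys; 0-2 are My Computer, Intranet, Trusted
ACTIONS = {
    "1200": "Run ActiveX controls and plug-ins",
    "1400": "Active scripting",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3        # REG_DWORD values IE stores for each action

# Assumed policy: both actions disabled in the Internet zone and in Restricted Sites
# (the zone in which Outlook 2002 / Outlook Express 6 render HTML mail).
POLICY = {
    INTERNET: {"1200": DISABLE, "1400": DISABLE},
    RESTRICTED: {"1200": DISABLE, "1400": DISABLE},
}


def evaluate(settings):
    """settings: {zone: {action: value}} as read from the registry.
    Returns (zone, action name, observed value) for every action not at the policy value;
    a missing value is reported as None rather than assumed safe."""
    violations = []
    for zone, wanted in POLICY.items():
        observed = settings.get(zone, {})
        for action, want in wanted.items():
            got = observed.get(action)
            if got != want:
                violations.append((zone, ACTIONS[action], got))
    return violations


def read_current_user():
    """Read the policy-relevant actions from HKCU for the logged-on user."""
    if winreg is None:
        raise RuntimeError("IE zone settings live in the Windows registry")
    settings = {}
    for zone, wanted in POLICY.items():
        settings[zone] = {}
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + zone) as key:
            for action in wanted:
                try:
                    settings[zone][action], _ = winreg.QueryValueEx(key, action)
                except FileNotFoundError:
                    pass                 # IE then falls back to the zone template default
    return settings


def enforce_current_user():
    """Write the policy values for the current user; a machine-wide lockdown would use
    HKLM and group policy instead."""
    if winreg is None:
        raise RuntimeError("IE zone settings live in the Windows registry")
    for zone, wanted in POLICY.items():
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + zone,
                            0, winreg.KEY_SET_VALUE) as key:
            for action, value in wanted.items():
                winreg.SetValueEx(key, action, 0, winreg.REG_DWORD, value)


# Constructed snapshot of a stock IE 6 profile: the Internet zone runs ActiveX and script,
# Restricted Sites has both disabled.
STOCK_IE6 = {INTERNET: {"1200": ENABLE, "1400": ENABLE},
             RESTRICTED: {"1200": DISABLE, "1400": DISABLE}}

if __name__ == "__main__":
    snapshot = read_current_user() if winreg else STOCK_IE6
    for zone, action, value in evaluate(snapshot):
        print(f"zone {zone}: '{action}' is {value!r}, want {DISABLE} (disabled)")
```

Against the stock snapshot the audit reports both Internet-zone actions as violations, which is the point of the "visit a Web page" attack surface described below: the default settings are what make a stock installation exploitable, and the patch does not change them.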
Final word
I see a major threat in all of these vulnerabilities, especially the buffer overrun flaw, because they don’t require the user to do anything other than visit a Web page and use the standard Microsoft installation for IE. Even well-coached users who won’t open unknown e-mail attachments can often be tricked into visiting a Web page through an e-mail link because they are unaware that simply visiting a Web page can trigger an attack.
If Larholm and Gilder are correct, Microsoft was slow in patching some serious flaws and is misleading users by claiming that they have now patched all known IE vulnerabilities. However, in all fairness, this may be due to different interpretations of the threats and which IE versions Microsoft still supports.