As most administrators are probably aware, Microsoft instituted a once-a-month patch system in October 2003. If you’re managing a network with Windows and Internet Explorer, then you probably also know that many IT professionals expected Microsoft to release a patch in January for some major holes in IE that were reported back in November. Apparently some users got so impatient with these patch delays that they attempted to take a page out of the open source movement’s book by producing and releasing their own patch for these flaws.
However, Microsoft finally released an applicable patch on February 2, 2004. That has resulted in a somewhat confusing and dangerous situation for IT professionals to manage.
Patch from Openwares.org
Openwares.org published the original patch and then a second one after the first was discovered to contain flaws. The original patch filtered URL addresses containing suspicious characters but, according to a report in ZDNet, produced a buffer overrun condition when addresses of 256 or more characters were encountered. There were more than 22,000 downloads the first week the updated patch was published on Openwares.org’s site, but the patch was only getting a “fair” rating from the site’s users.
Needless to say, IT professionals are not thrilled about this development. Administrators, in particular, need to be aware that some of their users might have individually downloaded and installed this potentially dangerous patch.
The patch may work fine and the people who developed it may be entirely trustworthy, but there’s just no way to know this. Anyone who is concerned about downloading patches from Microsoft because of the occasional bug in the patches should be frantic about the possibility that a user on their network has installed a third-party patch, if only because in the best-case scenario the next patch from Microsoft may interact in unpredictable ways with this outside code.
Microsoft’s early release of Security Bulletin MS04-004, before the regularly scheduled monthly update, comes in the nick of time since users were beginning to install the Openwares.org patch in greater numbers. The vulnerabilities have been specifically identified as:
- Cross Domain Vulnerability CAN-2003-1026
- Function Pointer Drag and Drop Vulnerability CAN-2003-1027
- Improper URL Canonicalization Vulnerability CAN-2003-1025
MS04-004 provides a cumulative update for Internet Explorer 5.01, 5.5, and 6.0, and includes fixes for a couple of additional threats:
- A cross-domain vulnerability that lets an attacker access any files or run arbitrary code on a vulnerable machine, either through interaction with a malicious Web site or through an HTML e-mail message
- A vulnerability allowing a file to be downloaded without any warning to the user during a drag-and-drop operation, due to a flaw in the way IE handles Dynamic HTML events
Also addressed is the incorrect parsing of URLs containing the @ symbol. The fix for this threat will cause problems for some users and developers because the patch will alter the way URLs are parsed. The fix chosen by Microsoft involves the elimination of the following type of URL as a permissible syntax:
That is, URLs containing the @ character will no longer be valid in IE browsers after the patch is applied. You can learn more about this in Microsoft Knowledge Base Article 834489.
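A defender-side check for the URL syntax that MS04-004 / KB 834489 turns off, added here as an example that is not part of the original article: it parses each URL, reports the host the browser would actually contact, flags the user[:password]@host form, and also flags addresses of 256 or more characters, the length at which the first Openwares.org patch overran its buffer. The sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample URLs, as they might appear in a proxy or web-server log.
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "http://user:secret@intranet.example.com/app/",
    "http://www.example.com@203.0.113.5/login.html",
    "https://example.org/?q=" + "A" * 300,
]

# Length at which the first Openwares.org patch hit a buffer overrun.
LONG_URL_THRESHOLD = 256


def true_host(url: str) -> str:
    """Host the browser really connects to: the part of the authority after any '@'."""
    return urlsplit(url).hostname or ""


def has_userinfo(url: str) -> bool:
    """True for user[:password]@host URLs, the form MS04-004 stops accepting in IE."""
    return "@" in urlsplit(url).netloc


def classify(url: str) -> dict:
    """Summarise one URL: real host plus a list of findings worth an admin's attention."""
    findings = []
    if has_userinfo(url):
        # The text before '@' is credentials, not the host; after MS04-004 IE rejects it.
        findings.append("userinfo-in-authority")
    if len(url) >= LONG_URL_THRESHOLD:
        findings.append("long-url")
    return {"url": url, "host": true_host(url), "findings": findings}


def scan(urls):
    """Return only the URLs that produced at least one finding."""
    return [r for r in (classify(u) for u in urls) if r["findings"]]


if __name__ == "__main__":
    for result in scan(SAMPLE_URLS):
        print(result["host"], result["findings"], result["url"][:60])
```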
The patch also causes the window.showHelp( ) control to fail if the HTML Help update (Knowledge Base article 811630) hasn’t been applied. This isn’t a new problem and has occurred with every recent IE patch.
Affected versions of Internet Explorer:
- Internet Explorer 5.01
- Internet Explorer 5.5
- Internet Explorer 6
This vulnerability could allow a malicious site owner to trick visitors into what appears to be a download of a PDF or another reasonably safe file, while the browser actually downloads and runs an executable.
Secunia rates this vulnerability as Moderately Critical.
You can download the patch individually from the Microsoft Download Center (search for “security_patch”) or via Windows Update. The Security Bulletin also contains links to the versions of the patch for the different versions of IE.
Secunia has published a test to let you know if your browser is vulnerable.
The implications of this freelance patching for Microsoft applications are potentially staggering, but perhaps nothing will come of it—especially since the Openwares’ patch followed in the Microsoft tradition of patching and then re-patching when the original patch was found to be flawed.
Obviously, you want to keep your users away from the Openwares patch, and you should deploy the IE patch from Microsoft as soon as possible; you could also consider some of the workarounds listed in Security Bulletin MS04-004.
Also watch for…
The Department of Homeland Security has decided to get into the business of warning about new security threats by initiating a color-coded warning system (sound familiar?) managed by CERT. Beginning on January 28, 2004, CERT began offering three different levels of reporting. The first, Cyber Security Alerts, is for non-technical home users. The second, Cyber Security Tips, is for non-security professionals. The third, Cyber Security Bulletins, is intended for technical experts. Subscriptions to the e-mail alerts are available from CERT.
Check Point FireWall-1/VPN-1 is vulnerable to the H.323 flaw that has already been reported by CERT in CA-2004-1 and elsewhere (and already patched by Microsoft in MS04-001). This is independent of the operating system and is likely to affect everyone who uses a Check Point firewall, even on Linux/UNIX platforms.