Microsoft has released new cumulative patches for Outlook Express and Internet Explorer. Both are rated Critical, but Microsoft Security Bulletin MS03-014 makes it clear that this Outlook Express update is not nearly as important if you have already applied the cumulative patch provided in MS03-004, which was released in February.

The other new Microsoft Security Bulletin, MS03-015, is much more significant because it includes patches for four new vulnerabilities, three of which are rated Critical and one that’s a moderate threat.

MS03-014 details
MS03-014 addresses a vulnerability recently discovered in the MIME Encapsulation of Aggregate HTML (MHTML) URL handler. This flaw could permit text files on the local computer to be opened and embedded scripts to be executed under certain circumstances when the files are rendered as HTML code. The script will execute at a high privilege level since it will open in the Local Computer Zone. This vulnerability is most dangerous where the fix described in MS03-004 has not been applied. That patch will block an attacker from first downloading a text file to the computer. With the MS03-004 patch installed, only files already located on the computer could be used.

MHTML is the standard used to save Web pages on the local computer or to e-mail them. Knowledge Base Article 221787 explains that the MHTML standard is what permits you to embed images in HTML e-mail rather than as an attachment.

MS03-015 details
In addition to all the earlier patches that are included in MS03-015, this cumulative patch for IE 5 and IE 6 addresses the following vulnerabilities:

  • URLMON.DLL is a buffer overrun threat that could allow an attacker to run arbitrary code on the system. Merely visiting a malicious Web site could trigger this event.
  • The Third Party Plugin Rendering vulnerability is caused by IE’s failure to properly check parameters passed to it; thus, an attacker could create a URL that “would inject a script during the rendering of a third-party file format,” causing the script to execute on the local computer with the user’s security privileges. The problem doesn’t lie in any third-party file formats (such as Macromedia Flash) but in the way IE handles the files.
  • Modal Dialog Script Execution is a vulnerability that can give the creator of a Web site access to files stored on the user’s computer without any action on the user’s part other than visiting the site. Microsoft reports that this vulnerability exists because of “an unchecked parameter in the Cascading Style Sheet input parameter for Modal dialogs.” A Modal dialog is supposed to request an action from the user, but that can be bypassed unless this patch is applied to block acceptance of any scripts from the Web site.
  • The File Upload Control Vulnerability can allow an attacker to push a filename into the file upload control and have that file uploaded from the user’s system to a Web server.
  • A fix for IE 6.0 SP1 corrects the way Explorer displays help information. This is not rated since Microsoft reports that the company isn’t aware of any way this could be exploited for an attack.
  • Another fix removes a security vulnerability in the Plugin.ocx ActiveX control. The bulletin warns that this patch, like the one released with MS03-004, will block window.showHelp(), causing it to stop working unless you install the HTML Help control from Windows update. If you upgraded the HTML Help control when you installed the earlier cumulative patch, Microsoft reports that you don’t need to do it again.

Applicability

  • MS03-014 applies to Outlook Express 5.5 and 6.0.
  • MS03-015 applies to IE 5.01 SP3, IE 5.5 SP2, IE 6.0 Gold, and IE 6.0 SP1.

Earlier versions of IE (and OE) aren’t supported and haven’t been evaluated for these vulnerabilities.

Risk level
The risk from the MHTML vulnerability in MS03-014 is rated as Critical because if the cumulative IE patch hasn’t been applied, an attacker exploiting the vulnerability can first download a file and then cause it to execute in the Local Zone.

All risks described in MS03-015 are the same for all versions of IE. The URLMON.DLL is rated Critical, as are the Third Party Plugin Rendering and the Modal Dialog Script Execution vulnerabilities. The File Upload Control vulnerability is rated as a moderate threat.

Mitigating factors
The primary factor mitigating the risk of an attack as described in MS03-014 is that the attack will be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations. It will also be blocked by Outlook 98 and 2000 if the Outlook E-mail Security Update has been applied. In addition, if the cumulative IE patch in MS03-004 has been applied, the only acknowledged method of placing a file on the user’s computer (which could then be launched as HTML) would be blocked. The cumulative patch also blocks the attacker from passing any parameters to an executable program.

The common mitigating factor for all the new vulnerabilities covered by MS03-015 is that, by default, HTML mail is opened in the Restricted Security Zone. As usual with HTML threats, the user has to be enticed to visit a malicious site or open an infected e-mail message.

There are a few other mitigating factors as well. For instance, to exploit the File Upload Control vulnerability, the attacker would have to know the exact name of the file to be uploaded.

Fix—patch
The patch in MS03-014 restricts MHTML from opening any files with extensions other than .MHT or .MHTML. The patch doesn’t require a reboot and can be removed.

The patch for MS03-015 does require a reboot, but it can also be removed. This patch does not include the fix for the HTML “help” problem. That one must be installed separately. However, this does supersede the patch published with MS03-004, so that patch is no longer needed if you haven’t applied it already.