Microsoft Security Bulletin MS04-004

Cumulative Security Update for Internet Explorer (832894)

Issued: February 2, 2004 Version: 1.0

Summary

Who should read this document: Customers who are using Microsoft® Internet Explorer

Impact of vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the security update immediately.

Security Update Replacement: This update replaces the one that is provided in Microsoft Security Bulletin MS03-048, which is itself a cumulative update.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

• Microsoft Windows NT® Workstation 4.0 Service Pack 6a
• Microsoft Windows NT Server 4.0 Service Pack 6a
• Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
• Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
• Microsoft Windows XP, Microsoft Windows XP Service Pack 1
• Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition Service Pack 1
• Microsoft Windows XP 64-Bit Edition Version 2003
• Microsoft Windows Server® 2003
• Microsoft Windows Server 2003, 64-Bit Edition

Tested Microsoft Windows and Office Components:

Affected Components:

• Internet Explorer 6 Service Pack 1: Download the update.
• Internet Explorer 6 Service Pack 1 (64-Bit Edition): Download the update.
• Internet Explorer 6 for Windows Server 2003: Download the update.
• Internet Explorer 6 for Windows Server 2003 (64-Bit Edition): Download the update.
• Internet Explorer 6: Download the update.
• Internet Explorer 5.5 Service Pack 2: Download the update.
• Internet Explorer 5.01 Service Pack 4: Download the update.
• Internet Explorer 5.01 Service Pack 3: Download the update.
• Internet Explorer 5.01 Service Pack 2: Download the update.

The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. Review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and versio

Technical Details

This is a cumulative update that includes the functionality of all the previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. Additionally, it eliminates the following three newly-discovered vulnerabilities:

• A vulnerability that involves the cross-domain security model of Internet Explorer. The cross domain security model of Internet Explorer keeps windows of different domains from sharing information. This vulnerability could result in the execution of script in the Local Machine zone. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who exploited this vulnerability could access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged on user.
• A vulnerability that involves performing a drag-and-drop operation with function pointers during dynamic HTML (DHTML) events in Internet Explorer. This vulnerability could allow a file to be saved in a target location on the user's system if the user clicked a link. No dialog box would request that the user approve this download. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, code of the attacker's choice would not be executed, but could be saved on the user's computer in a targeted location.
• A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker's choice in the address bar, but with content from a Web Site of the attacker's choice inside the window. For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)

As with the previous Internet Explorer cumulative updates that were released with bulletins MS03-004, MS03-015, MS03-020, MS03-032, MS03-040, and MS03-048, this cumulative update causes the window.showHelp( ) control to no longer work if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Microsoft Knowledge Base article 811630, you will still be able to use HTML Help functionality after you apply this update.

This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

http(s)://username:password@server/resource.ext

For more information about this change, please see Microsoft Knowledge Base article 834489.

Additionally, this update will disallow navigation to "username:[email protected]" URLs for XMLHTTP.

Microsoft is currently creating an update to MSXML that will address this issue specifically for XMLHTTP and we will provide more information in this bulletin when the update becomes available.

The update also refines a change made in Internet Explorer 6 Service Pack 1, which prevents web pages in the Internet Security zone from navigating to the local computer zone. This is discussed further in the "Frequently Asked Questions" section of this bulletin.