Date: Fri, 16 Oct 1998 12:19:18 -0600
From: "Richard Chehovin" <GalacticFXInternational@xxxxxxxxxxxxxxxx>
To: RealTraders Discussion Group <realtraders@xxxxxxxxxxxxxx>
Subject: Fw: Microsoft Security Bulletin (MS98-015)
Just got this bulletin from MSFT.
FYI,
Richard Chehovin
-----Original Message-----
From: Microsoft Product Security <secnotif@xxxxxxxxxxxxx>
To: MICROSOFT_SECURITY@xxxxxxxxxxxxxxxxxxxxxx
<MICROSOFT_SECURITY@xxxxxxxxxxxxxxxxxxxxxx>
Date: Friday, October 16, 1998 12:16 PM
Subject: Microsoft Security Bulletin (MS98-015)
>The following is a Security Bulletin from the Microsoft Product Security
>Notification Service.
>
>Please do not reply to this message, as it was sent from an unattended
>mailbox.
> ********************************
>
>Microsoft Security Bulletin (MS98-015)
>------------------------------------------------------------
>Update available for "Untrusted Scripted Paste" Issue in
>Microsoft Internet Explorer 4.01
>
>Originally Posted: October 16, 1998
>Last Revised: October 16, 1998
>
>Summary
>=======
>Microsoft has released a patch that fixes a vulnerability involving scripted
>pastes that has been discovered with Internet Explorer 4.01 on Win32 and
>Win16 platforms. The vulnerability could make it possible for a malicious
>hacker to create a web site that, when visited, is able to use script to
>read a file on the user's system. The file must be in a location known to
>the malicious hacker. This has also been referred to as the "Cuartango"
>vulnerability.
>
>Microsoft highly recommends that users that have affected software installed
>on their systems should download and install the available patch as soon as
>possible.
>
>Issue
>=====
>The "Untrusted Scripted Paste" issue involves a vulnerability in Internet
>Explorer that could allow a malicious hacker to circumvent certain Internet
>Explorer security safeguards. This vulnerability makes it possible for a
>malicious Web site operator to read the contents of a file on the user's
>computer if the hacker knows the exact name and path of the targeted file.
>This could also be used to view the contents of a file on the user's network
>to which the user has access, and whose direct path name is known by the
>attacker.
>
>The nature of this problem is that a script is able to use the
>Document.ExecCommand function to paste a filename into the file upload
>intrinsic control, which should only be possible by explicit user action. As
>a result, a subsequent form submission could send the file to a remote web
>site unbeknownst to the user if the user has disabled the default warning
>that is displayed when submitting unencrypted forms (see "Administrative
>Workaround" below for information on re-enabling this functionality).
>
>While there have not been any reports of customers being adversely affected
>by these problems, Microsoft is releasing a patch to address any risks posed
>by this issue.
>
>Affected Software Versions
>==========================
> - Microsoft Internet Explorer 4.01 and 4.01 SP1
> on Windows NT 4.0, Windows 95
> - Microsoft Windows 98, with integrated Internet Explorer
> - Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51
>
>This vulnerability could also affect software that uses HTML functionality
>provided by Internet Explorer, even if Internet Explorer is not used as your
>default browser. All customers that have affected versions of Internet
>Explorer on their systems should install this patch, whether or not they use
>Internet Explorer for web browsing.
>
>This vulnerability does not affect Internet Explorer 3.x or 4.0 on any
>platform.
>This does not affect any Macintosh or UNIX versions of Internet Explorer.
>
>What Microsoft is Doing
>=======================
>On October 16th Microsoft released a patch that fixes the problem
>identified. This patch is available for download from the sites listed
>below.
>
>Microsoft has sent this security bulletin to customers subscribing to the
>Microsoft Product Security Notification Service (see
>http://www.microsoft.com/security/bulletin.htm for more information about
>this free customer service).
>
>Microsoft has published the following Knowledge Base (KB) articles on this
>issue:
> - Microsoft Knowledge Base (KB) article Q169245,
> Update available for "Untrusted Scripted Paste" Issue
> http://support.microsoft.com/support/kb/articles/q169/2/45.asp
>
>What customers should do
>========================
>Microsoft highly recommends that users that have affected software installed
>on their systems should download and install the available patch as soon as
>possible. Complete URLs for each affected software version are given below.
>
>Windows 98
>----------
>Windows 98 customers can obtain the patch using Windows Update. To obtain
>this patch using Windows Update, launch Windows Update from the Windows
>Start Menu and click "Product Updates." When prompted, select 'Yes' to allow
>Windows Update to determine whether this patch and other updates are needed
>by your computer. If your computer does need this patch, you will find it
>listed under the "Critical Updates" section of the page.
>
>Internet Explorer 4.01
>----------------------
>Customers using Internet Explorer 4.01 can obtain the patch from the
>Internet Explorer Security web site,
>http://www.microsoft.com/ie/security/paste.htm
>
>Administrative workaround
>=========================
>Microsoft strongly encourages customers to apply the patch. However, there
>are additional actions that can be taken to ensure safe computing:
>
>If the user has disabled the default warning that is displayed when
>submitting unencrypted forms, re-enabling this feature can provide
>additional protection. This warning prompt makes sure users are aware if a
>script attempts to submit data using forms. Users should be cautious if they
>see this warning when browsing and have not actually chosen to submit any
>data.
>
>To turn on this prompt:
>1. From Internet Explorer, choose "Internet Options" from the
> "View" menu.
>2. Click on the tab labeled "Security".
>3. Click on "Internet Zone", then click "Customize Settings".
>4. Scroll to "Submit non-encrypted form data" and click on
> "Prompt" (or "Disable" if you prefer).
>
>These same procedures should be followed for the "Restricted Sites" Zone.
>
>Additionally, users who cannot apply the patch immediately can disable
>Active Scripting technologies in Internet Explorer to protect themselves
>from this issue. Customers can use the Zones security feature in Internet
>Explorer 4 to disable Active Scripting (VBScript and JScript) in untrusted
>or unknown Internet sites, while still permitting known and trusted sites
>that use JScript and VBScript to work properly.
>
>To turn off Active Scripting for the "Internet" Zone:
>1. From Internet Explorer, choose "Internet Options" from
> the "View" menu.
>2. Click on the tab labeled "Security".
>3. Click on "Internet Zone", then click "Customize Settings".
>4. Scroll to the bottom of the list and click on "Disable"
> under the "Active Scripting" setting.
>5. These same procedures should be followed for the
> "Restricted Sites" Zone.
>
>Sites that are trusted to use JScript and VBScript can be added to the
>Trusted Zones list. For more information on using Zones, please see the
>Online Help included with Internet Explorer.
>
>More Information
>================
>Please see the following references for more information related to this
>issue.
>
> - Microsoft Security Bulletin MS98-015,
> Update available for "Untrusted Scripted Paste" Issue
> in Microsoft Internet Explorer 4.01, (the Web posted
> version of this bulletin),
> http://www.microsoft.com/security/bulletins/ms98-015.htm
> - Microsoft Knowledge Base (KB) article Q169245,
> Update available for "Untrusted Scripted Paste" Issue
> http://support.microsoft.com/support/kb/articles/q169/2/45.asp
>
>Obtaining Support on this Issue
>===============================
>This is a supported patch for Internet Explorer. If you have problems
>installing this patch or require technical assistance with this patch,
>please contact Microsoft Technical Support. For information on contacting
>Microsoft Technical Support, please see
>http://support.microsoft.com/support/contact/default.asp
>
>Acknowledgements
>================
>This bug was first reported by Juan Carlos Garcia Cuartango from Spain.
>
>Revisions
>=========
> - October 16, 1998: Bulletin Created
>
>For additional security-related information about Microsoft products, please
>visit http://www.microsoft.com/security
>
>------------------------------------------------------------
>
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
>WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
>EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
>FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
>SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
>IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
>POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
>LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
>FOREGOING LIMITATION MAY NOT APPLY.
>
>
>(c) 1998 Microsoft and/or its suppliers. All rights reserved.
>For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.
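
The two settings in the bulletin's administrative workaround can also be audited from a registry export instead of the dialog. This is an added example, not part of the bulletin or the forwarded post; the registry location, zone numbers (3, 4) and action codes (1400, 1601) are Microsoft's documented zone settings and are assumed to apply to the host being checked, and the sample export is constructed.

```python
import re

# URL action codes and zone numbers as documented by Microsoft for IE security
# zones (assumption: the bulletin itself names only the dialog settings).
ACTIONS = {"1400": "Active Scripting", "1601": "Submit non-encrypted form data"}
ZONES = {"3": "Internet", "4": "Restricted Sites"}
VALUES = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Workaround: form submission on Prompt or Disable, Active Scripting on Disable.
ACCEPTABLE = {"1400": {3}, "1601": {1, 3}}

# Constructed sample in `reg export` text format, not taken from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1601"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
'''

def parse_zones(text):
    """Return {zone: {action: int}} for the zone keys found in a .reg export."""
    zones, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            key = re.match(r"\[.*\\Internet Settings\\Zones\\(\d+)\]$", line)
            current = zones.setdefault(key.group(1), {}) if key else None
            continue
        val = re.match(r'"(\d{4})"=dword:([0-9a-fA-F]{8})$', line)
        if val and current is not None:
            current[val.group(1)] = int(val.group(2), 16)
    return zones

def audit(text):
    """List (zone, setting, state) for every setting that misses the workaround."""
    zones, findings = parse_zones(text), []
    for z, zname in ZONES.items():
        for action, aname in ACTIONS.items():
            value = zones.get(z, {}).get(action)   # None: not set in this hive
            if value not in ACCEPTABLE[action]:
                state = "not set" if value is None else VALUES.get(value, hex(value))
                findings.append((zname, aname, state))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("%s zone: %s is %s" % finding)
```

Exports written by Registry Editor are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`. A "not set" result means only that the value is absent from the exported hive.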