FYI: Just got this notice a few minutes ago.
Richard Chehovin
-----Original Message-----
From: Microsoft Product Security <secnotif@xxxxxxxxxxxxx>
To: MICROSOFT_SECURITY@xxxxxxxxxxxxxxxxxxxxxx
<MICROSOFT_SECURITY@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wednesday, November 18, 1998 11:27 AM
Subject: Update to Microsoft Security Bulletin (MS98-015)
>The following is a Security Bulletin from the Microsoft Product Security
>Notification Service.
>
>Please do not reply to this message, as it was sent from an unattended
>mailbox.
> ********************************
>
>The following is an update to a previously released Microsoft Security
>Bulletin. All customers, including those who read the original version of
>this bulletin and installed the patch, should read the following and take
>the appropriate action.
>
>------------------------------------------------
>
>Update to Microsoft Security Bulletin (MS98-015)
>------------------------------------------------
>
>Update available for "Untrusted Scripted Paste" Issue in
>Microsoft (r) Internet Explorer (r) 4.01
>
>Originally Posted: October 16, 1998
>Last Revised: November 18, 1998
>
>Summary
>=======
>On November 18th Microsoft released an updated version of the patch for the
>"Untrusted Scripted Paste" vulnerability. This vulnerability, also known as
>the "Cuartango" vulnerability, could enable a malicious web site operator
>to use scripted paste operations to read a file that resides in a known
>location on a user's system. The updated patch fixes the original
>vulnerability as well as a newly-discovered variant.
>
>Microsoft highly recommends that all affected customers -- including anyone
>who downloaded the original patch before November 18 -- download and
>install the updated patch to protect their computers.
>
>Issue
>=====
>The "Untrusted Scripted Paste" issue involves a vulnerability in Internet
>Explorer that could allow a malicious web site operator to circumvent
>certain Internet Explorer security safeguards. This vulnerability makes it
>possible for the operator to read the contents of a file on the user's
>computer if he knows the exact name and path of the targeted file. This
>could also be used to view the contents of a file on the user's network, if
>the user has access to it and the malicious operator knows its direct path
>name.
>
>The underlying problem is the ability of a script to use the
>Document.ExecCommand function to paste a filename into the file upload
>intrinsic control. This should only be possible by explicit user action.
>Once the filename has been pasted into the control, a subsequent form
>submission could send the file to a remote web site. If the user has
>disabled the default warning that is displayed when submitting unencrypted
>forms, the file would be sent without any warning to the user. (See
>"Administrative Workaround" below for information on re-enabling this
>functionality).
>
>Although the original patch corrected the problem, another method of
>putting a filename into the file upload intrinsic control was discovered
>subsequently. The updated patch addresses both the original problem and the
>newly-discovered variant.
>
>Affected Software Versions
>==========================
> - Microsoft Internet Explorer 4.01 and 4.01 SP1
> on Windows NT (r) 4.0, Windows (r) 95
> - Microsoft Windows 98, with integrated Internet Explorer
> - Microsoft Internet Explorer 4.01 for Windows 3.1 and Windows NT 3.51
>
>This vulnerability could also affect software that uses HTML functionality
>provided by Internet Explorer, even if Internet Explorer is not used as
>your default browser. All customers that have affected versions of Internet
>Explorer on their systems should install this patch, whether or not they
>use Internet Explorer for web browsing.
>
>This vulnerability does not affect Internet Explorer 3.x or 4.0 on any
>platform. This does not affect any Macintosh or UNIX versions of Internet
>Explorer.
>
>What Microsoft is Doing
>=======================
>On November 18th, Microsoft released an updated version of this patch. The
>updated version fixes the original problem, as well as a subsequently
>identified variant. This patch is available for downloading from the sites
>listed below.
>
>Microsoft has sent this security bulletin to customers subscribing
>to the Microsoft Product Security Notification Service (see
>http://www.microsoft.com/security/services/bulletin.asp for more
>information about this free customer service).
>
>Microsoft has published the following Knowledge Base (KB) articles on this
>issue:
> - Microsoft Knowledge Base (KB) article Q169245,
> Update available for "Untrusted Scripted Paste" Issue
> http://support.microsoft.com/support/kb/articles/q169/2/45.asp
>
>(Note: It might take 24 hours from the original posting of this bulletin
>for the updated KB article to be visible in the Web-based Knowledge Base.)
>
>What customers should do
>========================
>Microsoft highly recommends that all affected customers -- including anyone
>who downloaded the original patch before November 18 -- download the
>updated patch to protect their computers. The complete URL for each
>affected software version is given below.
>
>At this writing, only the 32-bit version of the patch is available. The
>16-bit version will be available shortly.
>
>Windows 98
>----------
>Windows 98 customers can obtain the updated patch using Windows Update. To
>obtain this patch using Windows Update, launch Windows Update from the
>Windows Start Menu and click "Product Updates." When prompted, select 'Yes'
>to allow Windows Update to determine whether this patch and other updates
>are needed by your computer. If your computer does need this patch, you
>will find it listed under the "Critical Updates" section of the page.
>
>Internet Explorer 4.01
>----------------------
>Customers using Internet Explorer 4.01 can obtain the
>patch from the Internet Explorer Security web site,
>http://www.microsoft.com/ie/security/paste.htm
>
>Administrative Workaround
>=========================
>Microsoft strongly encourages customers to apply the patch. However, there
>are additional actions that can be taken to ensure safe computing:
>
>If the user has disabled the default warning that is displayed when
>submitting unencrypted forms, re-enabling this feature can provide
>additional protection. The warning prompt makes sure users are alerted if a
>script attempts to submit data using forms. Users should be cautious if
>they see this warning when browsing and have not actually chosen to submit
>any data.
>
>To turn on this prompt:
>
>1. From Internet Explorer, choose "Internet Options" from
> the "View" menu.
>2. Click on the tab labeled "Security".
>3. Click on "Internet Zone", then click "Customize Settings".
>4. Scroll to "Submit non-encrypted form data" and click on
> "Prompt".
>
>The same procedure should be followed for the "Restricted Sites" Zone.
>
>Additionally, users who cannot apply the patch immediately can disable
>Active Scripting technologies in Internet Explorer to protect themselves
>from this issue. Please note that the Zones security feature in Internet
>Explorer 4 can be used to disable Active Scripting (VBScript and JScript)
>in untrusted or unknown Internet sites, while still permitting it in
>trusted and known sites.
>
>To turn off Active Scripting for the "Internet" Zone:
>1. From Internet Explorer, choose "Internet Options" from
> the "View" menu.
>2. Click on the tab labeled "Security".
>3. Click on "Internet Zone", then click "Customize Settings".
>4. Scroll to the bottom of the list and click on "Disable"
> under the "Active Scripting" setting.
>
>The same procedure should be followed for the "Restricted Sites" Zone.
>
>Sites that are trusted to use JScript and VBScript can be added to the
>Trusted Zones list. For more information on using Zones, please see the
>Online Help included with Internet Explorer.
>
>More Information
>================
>Please see the following references for more information related to this
>issue.
>
> - Microsoft Security Bulletin MS98-015,
> Update available for "Untrusted Scripted Paste" Issue
> in Microsoft Internet Explorer 4.01, (the Web posted
> version of this bulletin),
> http://www.microsoft.com/security/bulletins/ms98-015.asp
> - Microsoft Knowledge Base (KB) article Q169245,
> Update available for "Untrusted Scripted Paste" Issue
> http://support.microsoft.com/support/kb/articles/q169/2/45.asp
>
>(Note: It might take 24 hours from the original posting of this bulletin
>for the updated KB article to be visible in the Web-based Knowledge Base.)
>
>Obtaining Support on this Issue
>===============================
>This is a supported patch for Internet Explorer. If you have
>problems installing this patch or require technical assistance
>with this patch, please contact Microsoft Technical Support.
>For information on contacting Microsoft Technical Support, please see
>http://support.microsoft.com/support/contact/default.asp
>
>Acknowledgements
>================
>This bug was originally reported to Microsoft by Juan Carlos Garcia
>Cuartango of Spain. Mr. Cuartango also reported the new variant of this
>issue. We are grateful for his assistance.
>
>Revisions
>=========
> - October 16, 1998: Bulletin Created
> - November 18, 1998: Updated bulletin to include
> information on updated patch that fixes variation
> of original issue.
>
>For additional security-related information about Microsoft
>products, please visit http://www.microsoft.com/security
>
>------------------------------------------------------------
>
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
>IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
>EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
>FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION
>OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
>INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
>DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED
>OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
>OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
>FOREGOING LIMITATION MAY NOT APPLY.
>
>
>(c) 1998 Microsoft and/or its suppliers. All rights reserved.
>For Terms of Use see
>http://support.microsoft.com/support/misc/cpyright.asp.
>
> *******************************************************************
>You have received this e-mail bulletin as a result of your registration
>to the Microsoft Product Security Notification Service. You may
>unsubscribe from this e-mail notification service at any time by sending
>an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@xxxxxxxxxxxxxxxxxxxxxx
>The subject line and message body are not used in processing the request,
>and can be anything you like.
>
>For more information on the Microsoft Security Notification Service
>please visit http://www.microsoft.com/security/bulletin.htm. For
>security-related information about Microsoft products, please visit the
>Microsoft Security Advisor web site at http://www.microsoft.com/security.
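The bulletin's "Administrative Workaround" walks through the Internet Options dialog by hand for two zones and two settings. The script below is an added example (not part of the forwarded bulletin or of Microsoft's patch) that audits the same two settings from the registry and, with -Enforce, applies the values the bulletin recommends. It assumes the per-user zone settings live under HKCU:\...\Internet Settings\Zones\<n>, that 3 is the Internet zone and 4 the Restricted sites zone, and that the DWORD names 1400 ("Active scripting") and 1601 ("Submit non-encrypted form data") use 0 = Enable, 1 = Prompt, 3 = Disable; verify those names against your own Internet Explorer version before relying on it.

```powershell
# Added example: audit/enforce the MS98-015 workaround settings for the
# Internet (3) and Restricted sites (4) zones. Assumed registry layout:
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>
#   1601 = "Submit non-encrypted form data", 1400 = "Active scripting"
#   0 = Enable, 1 = Prompt, 3 = Disable
param([switch]$Enforce)

$ZoneBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Desired state taken from the bulletin: prompt on unencrypted form
# submission, and disable Active Scripting, in both zones.
$Desired = @(
    @{ Name = '1601'; Label = 'Submit non-encrypted form data'; Value = 1 },
    @{ Name = '1400'; Label = 'Active scripting';               Value = 3 }
)

foreach ($zoneId in $Zones.Keys) {
    $key = Join-Path $ZoneBase $zoneId
    if (-not (Test-Path $key)) {
        Write-Warning "Zone $zoneId ($($Zones[$zoneId])) key not found: $key"
        continue
    }
    foreach ($setting in $Desired) {
        # Missing value is reported as 'unset' rather than treated as compliant.
        $current = (Get-ItemProperty -Path $key -Name $setting.Name -ErrorAction SilentlyContinue).($setting.Name)
        $currentText = if ($null -eq $current) { 'unset' }
                       elseif ($Meaning.ContainsKey([int]$current)) { $Meaning[[int]$current] }
                       else { "unknown ($current)" }
        $ok     = ($current -eq $setting.Value)
        $status = if ($ok) { 'OK  ' } else { 'WEAK' }
        Write-Output ("[{0}] {1,-16} {2,-32} current={3} wanted={4}" -f
            $status, $Zones[$zoneId], $setting.Label, $currentText, $Meaning[$setting.Value])
        if (-not $ok -and $Enforce) {
            # Set-ItemProperty creates the DWORD if it does not exist yet.
            Set-ItemProperty -Path $key -Name $setting.Name -Value $setting.Value -Type DWord
            Write-Output ("      -> set {0} to {1}" -f $setting.Name, $Meaning[$setting.Value])
        }
    }
}
```

Run it without -Enforce first to see which settings are weaker than the bulletin asks for; the settings are per-user, so repeat for each profile that browses with Internet Explorer.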