Cumulative Security Update for Internet Explorer (889293, MS04-040)
2 Dec. 2004
Summary
This update resolves a newly discovered, publicly reported vulnerability in Internet Explorer that could allow remote code execution on an affected system.
If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
Microsoft recommends that customers install the update immediately.
Affected Software:
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me). Review the FAQ section of this bulletin for details about these operating systems.
Non-Affected Software:
* Microsoft Windows XP Service Pack 2
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
Affected Components:
* Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1: Download the update
* Internet Explorer 6 Service Pack 1 on Microsoft Windows NT Server 4.0 Service Pack 6a, on Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6, on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Me: Download the update
* Internet Explorer 6 for Windows XP Service Pack 1 (64-Bit Edition): Download the update
Non-Affected Components:
* Internet Explorer 5.01 Service Pack 3 on Windows 2000 SP3
* Internet Explorer 5.01 Service Pack 4 on Windows 2000 SP4
* Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Me
* Internet Explorer 6 for Windows Server 2003
* Internet Explorer 6 for Windows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003
* Internet Explorer 6 for Windows XP Service Pack 2
HTML Elements Vulnerability:
A remote code execution vulnerability exists in Internet Explorer. An attacker could exploit the vulnerability by constructing a malicious Web page that could allow remote code execution if a user visited the attacker's Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors for HTML Elements Vulnerability
* In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
* An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
* By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed. The Restricted sites zone helps reduce attacks that could attempt to exploit this vulnerability.
The risk of attack from the HTML e-mail vector can be significantly reduced if you meet all the following conditions:
* Install the update that is included with Microsoft Security Bulletin MS03-040 or a later Cumulative Security Update for Internet Explorer.
* Use Microsoft Outlook 98 and Outlook 2000 with the Microsoft Outlook E-mail Security Update installed.
* Use Microsoft Outlook Express 6 or later or Microsoft Outlook 2000 Service Pack 2 or later in their default configuration.
The following software is not affected by this vulnerability.
* Internet Explorer 5.01 Service Pack 3
* Internet Explorer 5.01 Service Pack 4
* Internet Explorer 5.5 Service Pack 2
* Internet Explorer 6 on Windows Server 2003
* Internet Explorer 6 on Windows XP Service Pack 2
Workarounds for HTML Elements Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
* Install the Outlook E-mail Security Update if you are using Outlook 2000 SP1 or earlier.
By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been applied.
Customers who use any of these products could be at a reduced risk from an e-mail-borne attack that tries to exploit this vulnerability unless the user clicks a malicious link in the e-mail message.
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
What causes the vulnerability?
An unchecked buffer in Internet Explorer's processing of certain HTML elements, such as FRAME and IFRAME elements.
What are IFRAME elements?
The inline floating frame (IFRAME) element is a technology that gives Web authors increased control over the design and interaction of their Web pages. For more information about IFRAME elements, visit this Microsoft Developer Network (MSDN) Web site.
How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by creating a malicious Web page and persuading the user to visit the page. When the user has visited the page, the attacker could access information from other Web sites, access local files on the system, or cause malicious code to run as the locally logged on user.
What systems are primarily at risk from the vulnerability?
This vulnerability requires a user to view Web sites for malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as users' workstations or terminal servers, are at the most risk from this vulnerability. Systems that are not typically used to visit Web sites, such as most server systems, are at a reduced risk.
It should be noted that FRAME and IFRAME elements are not rendered in the Restricted sites zone, which is the zone where Outlook Express and Outlook by default open HTML e-mail messages. Exploitation of this vulnerability through e-mail therefore requires user interaction in the form of a malicious link in the e-mail message. See the Workarounds section in this bulletin for more information about this.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are critically affected by this vulnerability. A Critical security update for these platforms is available and is provided as part of this security bulletin and can be downloaded from the Windows Update Web site. For more information about severity ratings, visit this Microsoft Web site.
What does the update do?
The update removes the vulnerability by modifying the way that Internet Explorer validates the length of a message while processing HTML elements.
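The bulletin attributes the flaw to an unchecked buffer in Internet Explorer's handling of FRAME and IFRAME elements and says the fix adds length validation. The same idea can be applied at a mail gateway or Web proxy while unpatched clients remain: flag any FRAME or IFRAME whose attribute values are implausibly long, and report whether an HTML e-mail body contains frames at all (which, per the bulletin, are not rendered in the Restricted sites zone and so only matter via a link). The following scanner is an added example and is not Microsoft's code or part of the bulletin; the MAX_ATTR_LEN threshold and the sample documents are assumptions constructed for illustration.

```python
"""Heuristic scanner for oversized FRAME/IFRAME attributes in HTML content.

Added example, not part of the MS04-040 bulletin. The bulletin describes an
unchecked buffer in Internet Explorer's FRAME/IFRAME processing and a fix that
validates lengths; a gateway can apply a comparable length check to inbound
content. MAX_ATTR_LEN is an assumed threshold, not a value from the bulletin.
"""
from html.parser import HTMLParser

MAX_ATTR_LEN = 2048          # assumed threshold; no legitimate frame attribute is this long
FRAME_TAGS = {"frame", "iframe"}


class FrameScanner(HTMLParser):
    """Counts FRAME/IFRAME elements and records attributes longer than MAX_ATTR_LEN."""

    def __init__(self):
        super().__init__()
        self.frames = 0          # number of FRAME/IFRAME elements seen
        self.findings = []       # (tag, attribute name, value length) for oversized attributes

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag names; attrs is a list of (name, value) pairs,
        # with value None for attributes given without a value.
        if tag not in FRAME_TAGS:
            return
        self.frames += 1
        for name, value in attrs:
            if value is not None and len(value) > MAX_ATTR_LEN:
                self.findings.append((tag, name, len(value)))

    # Self-closing forms such as <iframe ... /> are inspected the same way.
    handle_startendtag = handle_starttag


def scan_html(document: str) -> dict:
    """Return a verdict for one HTML document.

    'block' is True when any FRAME/IFRAME carries an attribute longer than
    MAX_ATTR_LEN; 'frames' lets a mail filter see whether the body contains
    frame elements at all; 'findings' lists what triggered the verdict.
    """
    parser = FrameScanner()
    parser.feed(document)
    parser.close()
    return {
        "frames": parser.frames,
        "findings": parser.findings,
        "block": bool(parser.findings),
    }


# Constructed sample inputs (not taken from the bulletin).
BENIGN_PAGE = ('<html><body><iframe src="https://example.invalid/help" width="300">'
               '</iframe></body></html>')
SUSPECT_PAGE = '<html><body><IFRAME src="' + "A" * 5000 + '"></IFRAME></body></html>'
NO_FRAMES = "<html><body><p>Plain HTML e-mail body with no frames.</p></body></html>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE), ("mail", NO_FRAMES)]:
        print(label, scan_html(doc))
```

The check is deliberately coarse: it does not try to reproduce Internet Explorer's parsing, only to reject content no legitimate page needs, so it belongs on a gateway as a stopgap alongside, not instead of, installing the update.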
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerabilities and Exposures (CVE) number CAN-2004-1050.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.