SecurityTracker.com

Category:   Application (Web Browser)  >   Microsoft Internet Explorer
Vendors:   Microsoft
(Vendor Issues Fix) Re: Microsoft Internet Explorer May Disclose Local Files to Remote Users Via the dragDrop() Method
SecurityTracker Alert ID:  1008153
SecurityTracker URL:  http://securitytracker.com/id/1008153
CVE Reference:   CVE-2003-0823
Updated:  Feb 3 2004
Original Entry Date:  Nov 11 2003
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.01, 5.5, 6, 6 SP1
Description:   A vulnerability was reported in Microsoft Internet Explorer. A remote user can create malicious code that causes arbitrary HTML to be dragged and dropped.

Jelmer reported a vulnerability in the dragDrop() method. According to the report, a remote user can create malicious HTML that, when activated by the target user with the mouse down action ("handleOnmousedown()"), will drop arbitrary text into an HTML upload control [CVE: CVE-2003-0823]. This reportedly allows a remote user to read or write arbitrary specified files to/from the target user's system with the privileges of the target user.

A demonstration exploit page is available at:

http://kuperus.xs4all.nl/security/ie/xfiles.htm

On November 11, 2003, Microsoft issued a fix that appeared to address this flaw reported by Jelmer.

On November 16, 2003, Liu Die Yu reported that a remote user can invoke method caching (i.e., "SaveRef") to transform a click event (e.g., mousedown, mouseup) to a drag-and-drop event (e.g., mousedown, mousemove, mouseup) even if the MS03-048 patch is applied [CVE: CVE-2003-1027].

Impact:   A remote user can read arbitrary specified files on the target user's system if the target user clicks on an apparent link.

A remote user can place a file containing arbitrary contents on the target user's system when the user clicks on a link.

Solution:   Microsoft issued a fix to address the flaw discovered by Jelmer. However, Liu Die Yu reported on November 16, 2003 that a variation of the exploit will still work even after MS03-048 is applied.

[Editor's note: On February 2, 2004, Microsoft issued MS04-004, which supersedes MS03-048. See the Message History for information on MS04-004.]

Microsoft has issued the following fixes as part of MS03-048:

Internet Explorer 6 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9D8543E9-0E2B-46C9-B6C6-12DE03860465&displaylang=en

Internet Explorer 6 Service Pack 1 (64-Bit Edition):

http://www.microsoft.com/downloads/details.aspx?FamilyId=35F99CF5-3629-4E0E-BF60-24845D2D20C9&displaylang=en

Internet Explorer 6 Service Pack 1 for Windows Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=7D0D02DD-8940-48E0-B163-3FCDCB558F21&displaylang=en

Internet Explorer 6 Service Pack 1 for Windows Server 2003 (64-Bit Edition):

http://www.microsoft.com/downloads/details.aspx?FamilyId=8BEFA1EC-0C48-4B65-989D-58B0CE1E6F95&displaylang=en

Internet Explorer 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=4C4D22F0-FBF7-4EA6-9CC2-27D104D4198E&displaylang=en

Internet Explorer 5.5 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=E438AFD4-DF70-448C-8925-1075C8BE6C5E&displaylang=en

Internet Explorer 5.01 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=C15E2DB3-14E2-43A4-A1A1-676374B66517&displaylang=en

Internet Explorer 5.01 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?FamilyId=F4853D8F-F66C-4D8A-9979-3B4F540F90A8&displaylang=en

Internet Explorer 5.01 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=221616D4-5893-4DA4-A223-B0DE548D6D83&displaylang=en


This cumulative update replaces the cumulative update that was described in MS03-040.

This update also sets the kill bit on some ActiveX controls, including the Windows Trouble Shooter (Tshoot.ocx), the Symantec RuFSI Registry Information Class (Rufsi.dll), and the RAV Online Scanner (Ravonine.cab). See the advisory for the CLSID numbers.
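
To confirm that the kill bits took effect after patching, the following added example (not part of the Microsoft advisory or of this SecurityTracker entry) audits a registry export for bit 0x400 of the "Compatibility Flags" value under the ActiveX Compatibility key. The registry text and the CLSIDs are constructed placeholders, not the CLSIDs listed in MS03-048; substitute the values from the advisory.

```python
import re

# Kill bit = bit 0x400 of the "Compatibility Flags" DWORD stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
KILL_BIT = 0x00000400
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\"
    r"Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample of `reg export` output; placeholder CLSIDs, not the
# ones listed in MS03-048. Real exports are UTF-16: open(path, encoding="utf-16").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000020
"""

def parse_compat_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags found in a .reg export."""
    flags, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            clsid = m.group(1).upper() if m else None
        elif clsid and (m := FLAG_RE.match(line)):
            # AND across registry views so one unpatched view clears the bit.
            flags[clsid] = flags.get(clsid, 0xFFFFFFFF) & int(m.group(1), 16)
    return flags

def audit_kill_bits(reg_text, expected_clsids):
    """Return {clsid: 'killed' | 'bit-clear' | 'no-entry'} for each CLSID."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in expected_clsids:
        value = flags.get(clsid.upper())
        if value is None:
            report[clsid] = "no-entry"
        else:
            report[clsid] = "killed" if value & KILL_BIT else "bit-clear"
    return report

if __name__ == "__main__":
    wanted = ["{00000000-0000-0000-0000-00000000000%d}" % i for i in (1, 2, 3)]
    for clsid, state in audit_kill_bits(SAMPLE_REG, wanted).items():
        print(clsid, state)
```

A control reported as "bit-clear" or "no-entry" can still be instantiated by Internet Explorer, which indicates the update did not apply on that machine.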

See the Microsoft advisory for a list of workarounds and a description of installation options:

http://www.microsoft.com/technet/security/bulletin/MS03-048.asp

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS03-048.asp
Cause:   Access control error, State error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 3 2003 Microsoft Internet Explorer May Let Remote Users Read or Write Files Via the dragDrop() Method



 Source Message Contents

Subject:  MS03-048



http://www.microsoft.com/technet/security/bulletin/MS03-048.asp

Microsoft Security Bulletin MS03-048

Cumulative Security Update for Internet Explorer (824145)

Issued: November 11, 2003
Version: 1.0

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

CVE: CAN-2003-0814, CAN-2003-0815, CAN-2003-0816, CAN-2003-0817, CAN-2003-0823

Affected Versions:

             * Internet Explorer 6 Service Pack 1
             * Internet Explorer 6 Service Pack 1 (64-Bit Edition)
             * Internet Explorer 6 Service Pack 1 for Windows Server 2003
             * Internet Explorer 6 Service Pack 1 for Windows Server 2003 (64-Bit Edition)
             * Internet Explorer 6
             * Internet Explorer 5.5 Service Pack 2
             * Internet Explorer 5.01 Service Pack 4
             * Internet Explorer 5.01 Service Pack 3
             * Internet Explorer 5.01 Service Pack 2


Affected Operating Systems:

             * Microsoft Windows 98
             * Microsoft Windows 98 Second Edition
             * Microsoft Windows Millennium Edition
             * Microsoft Windows NT Server 4.0 Service Pack 6a
             * Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
             * Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
             * Microsoft Windows XP, Microsoft Windows XP Service Pack 1
             * Microsoft Windows XP 64-Bit Edition
             * Microsoft Windows XP 64-Bit Edition Version 2003
             * Microsoft Windows Server 2003, 64-Bit Edition


Microsoft issued a cumulative security update for Internet Explorer 5.01, 5.5, and 6.0. 
The advisory included five new vulnerabilities:

             * ExecCommand Cross Domain Vulnerability: CAN-2003-0814
             * Function Pointer Override Cross Domain Vulnerability: CAN-2003-0815
             * Script URLs Cross Domain Vulnerability: CAN-2003-0816
             * XML Object Vulnerability: CAN-2003-0817
             * Drag-and-Drop Operation Vulnerability: CAN-2003-0823


Microsoft has issued the following fixes:

Internet Explorer 6 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9D8543E9-0E2B-46C9-B6C6-12DE03860465&displaylang=en

Internet Explorer 6 Service Pack 1 (64-Bit Edition):

http://www.microsoft.com/downloads/details.aspx?FamilyId=35F99CF5-3629-4E0E-BF60-24845D2D20C9&displaylang=en

Internet Explorer 6 Service Pack 1 for Windows Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=7D0D02DD-8940-48E0-B163-3FCDCB558F21&displaylang=en

Internet Explorer 6 Service Pack 1 for Windows Server 2003 (64-Bit Edition):

http://www.microsoft.com/downloads/details.aspx?FamilyId=8BEFA1EC-0C48-4B65-989D-58B0CE1E6F95&displaylang=en

Internet Explorer 6:

http://www.microsoft.com/downloads/details.aspx?FamilyId=4C4D22F0-FBF7-4EA6-9CC2-27D104D4198E&displaylang=en

Internet Explorer 5.5 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=E438AFD4-DF70-448C-8925-1075C8BE6C5E&displaylang=en

Internet Explorer 5.01 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=C15E2DB3-14E2-43A4-A1A1-676374B66517&displaylang=en

Internet Explorer 5.01 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?FamilyId=F4853D8F-F66C-4D8A-9979-3B4F540F90A8&displaylang=en

Internet Explorer 5.01 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=221616D4-5893-4DA4-A223-B0DE548D6D83&displaylang=en


This cumulative update replaces the cumulative update that was described in MS03-040.

This update also sets the kill bit on some ActiveX controls, including the Windows 
Trouble Shooter (Tshoot.ocx), the Symantec RuFSI Registry Information Class (Rufsi.dll), 
and the RAV Online Scanner (Ravonine.cab).  See the advisory for the CLSID numbers.

See the Microsoft advisory for a list of workarounds and a description of installation 
options:

http://www.microsoft.com/technet/security/bulletin/MS03-048.asp




 
 



Copyright 2021, SecurityGlobal.net LLC