virtually
Gebruiker
- Lid geworden
- 16 mrt 2002
- Berichten
- 540
Microsoft Security Bulletin MS03-020 Print
Cumulative Patch for Internet Explorer (818529)
Originally posted: June 4, 2003
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer
Impact of vulnerability: Allow an attacker to execute code on a user’s system
Maximum Severity Rating: Critical
Recommendation: System administrators should install the patch immediately
End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-020.asp.
Affected Software:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 6.0 for Windows Server 2003
Technical details
Technical description:
This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates two newly discovered vulnerabilities:
A buffer overrun vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a web server. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker’s website, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML email that attempted to exploit this vulnerability.
A flaw that results because Internet Explorer does not implement an appropriate block on a file download dialog box. It could be possible for an attacker to exploit this vulnerability to run arbitrary code on a user's system. If a user simply visited an attacker’s website, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML email that attempted to exploit this vulnerability.
In order to exploit these flaws, the attacker would have to create a specially formed HTML email and send it to the user. Alternatively an attacker would have to host a malicious web site that contained a web page designed to exploit these vulnerabilities. The attacker would then have to persuade a user to visit that site.
As with the previous Internet Explorer cumulative patches released with bulletins MS03-004 and MS03-015, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after applying this patch.
Mitigating factors: The following mitigating factors apply to both vulnerabilities discussed in this bulletin:
By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks these attacks. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent these vulnerabilities from being exploited would be removed.
In the Web based attack scenario, the attacker would have to host a web site that contained a web page used to exploit these vulnerabilities. An attacker would have no way to force users to visit a malicious web site outside of the HTML email vector. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.
Code that executed on the system would only run under the privileges of the logged in user.
En hierbij de download link, wel eerst de gewenste taal selecteren
http://www.microsoft.com/windows/ie/downloads/critical/818529/default.asp
Hij is trouwens ook via de reguliere update te halen
http://v4.windowsupdate.microsoft.com/nl/default.asp
Groetjes
Cumulative Patch for Internet Explorer (818529)
Originally posted: June 4, 2003
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer
Impact of vulnerability: Allow an attacker to execute code on a user’s system
Maximum Severity Rating: Critical
Recommendation: System administrators should install the patch immediately
End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-020.asp.
Affected Software:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 6.0 for Windows Server 2003
Technical details
Technical description:
This is a cumulative patch that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5 and 6.0. In addition, it eliminates two newly discovered vulnerabilities:
A buffer overrun vulnerability that occurs because Internet Explorer does not properly determine an object type returned from a web server. It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker’s website, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML email that attempted to exploit this vulnerability.
A flaw that results because Internet Explorer does not implement an appropriate block on a file download dialog box. It could be possible for an attacker to exploit this vulnerability to run arbitrary code on a user's system. If a user simply visited an attacker’s website, it would be possible for the attacker to exploit this vulnerability without any other user action. An attacker could also craft an HTML email that attempted to exploit this vulnerability.
In order to exploit these flaws, the attacker would have to create a specially formed HTML email and send it to the user. Alternatively an attacker would have to host a malicious web site that contained a web page designed to exploit these vulnerabilities. The attacker would then have to persuade a user to visit that site.
As with the previous Internet Explorer cumulative patches released with bulletins MS03-004 and MS03-015, this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after applying this patch.
Mitigating factors: The following mitigating factors apply to both vulnerabilities discussed in this bulletin:
By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks these attacks. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent these vulnerabilities from being exploited would be removed.
In the Web based attack scenario, the attacker would have to host a web site that contained a web page used to exploit these vulnerabilities. An attacker would have no way to force users to visit a malicious web site outside of the HTML email vector. Instead, the attacker would need to lure them there, typically by getting them to click on a link that would take them to the attacker's site.
Code that executed on the system would only run under the privileges of the logged in user.
En hierbij de download link, wel eerst de gewenste taal selecteren
http://www.microsoft.com/windows/ie/downloads/critical/818529/default.asp
Hij is trouwens ook via de reguliere update te halen
http://v4.windowsupdate.microsoft.com/nl/default.asp
Groetjes
Laatst bewerkt:
maar dat kan je toch ook gewoon simpel aanzetten door rechts op deze computer te klikken en eigenschappen en het dan bij tab update aan te zetten?
