  JmanB Premium,VIP join:2003-08-27 Redmond, WA
·Vonage
Microsoft Security Bulletin(s) for 2/2/2004
Today Microsoft released the following Security Bulletin(s).
Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.
Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.
Bulletin Summaries:
Windows : »www.microsoft.com/technet/securi···eb04.asp
Critical Bulletins:
MS04-004 - Cumulative Security Update for Internet Explorer (832894) »www.microsoft.com/technet/securi···-004.asp
This DOES NOT represent our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.
If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary. -- Jerry Bryant - Microsoft IT Communities. This posting is provided "AS IS" with no warranties, and confers no rights.
EGeezer Go Bobcats Premium join:2002-08-04 Country!
Thanks jb!
Tablet Premium join:2003-01-15 Czech
reply to JmanB I've just installed the Internet Explorer Cumulative Update and everything works as expected after restart. Running WinXP Pro fully patched + IE60 SP1.
Thanks for the heads-up!
  sheepexplode Premium join:2002-06-02 Duality clubs:
reply to JmanB Technical Details
This is a cumulative update that includes the functionality of all the previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. Additionally, it eliminates the following three newly-discovered vulnerabilities:
* A vulnerability that involves the cross-domain security model of Internet Explorer. The cross domain security model of Internet Explorer keeps windows of different domains from sharing information. This vulnerability could result in the execution of script in the Local Machine zone. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who exploited this vulnerability could access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged on user.
* A vulnerability that involves performing a drag-and-drop operation with function pointers during dynamic HTML (DHTML) events in Internet Explorer. This vulnerability could allow a file to be saved in a target location on the user's system if the user clicked a link. No dialog box would request that the user approve this download. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, code of the attacker's choice would not be executed, but could be saved on the user's computer in a targeted location.
* A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker's choice in the address bar, but with content from a Web Site of the attacker's choice inside the window. For example, an attacker could create a link that once clicked on by a user would display »www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as »www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to »www.microsoft.com.)
As with the previous Internet Explorer cumulative updates that were released with bulletins MS03-004, MS03-015, MS03-020, MS03-032, MS03-040, and MS03-048, this cumulative update causes the window.showHelp( ) control to no longer work if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Microsoft Knowledge Base article 811630, you will still be able to use HTML Help functionality after you apply this update.
This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:
http(s)://username:password@server/resource.ext
For more information about this change, please see Microsoft Knowledge Base article 834489.
Additionally, this update will disallow navigation to "username:password@host.com" URLs for XMLHTTP.
Microsoft is currently creating an update to MSXML that will address this issue specifically for XMLHTTP and we will provide more information in this bulletin when the update becomes available. The update also refines a change made in Internet Explorer 6 Service Pack 1, which prevents web pages in the Internet Security zone from navigating to the local computer zone. This is discussed further in the "Frequently Asked Questions" section of this bulletin. -- »Security »I think my computer is infected or hijacked. What should I do?
  atangel Now What?? Premium join:2002-02-18 Bronx, NY
The Bulletin lists IE5/6 and many current Windows OSs, doesn't mention Win 98SE or ME, but there was an update waiting for me for my Win 98SE box too!
Also loved the section on suggested workarounds from M$, like prompt for all ActiveX and read e-mail in plain text!
madylarian The curmudgeonly Premium join:2002-01-03 Parkville, MD
reply to JmanB Hey, it looks like it fixed that problem with the scroll bar too!
mady -- Honi soit qui mal y pense
  JollyStomper The Funky Feel One Premium join:2003-03-16 Right 'Dere
·Comcast Formerly ..
I just updated all of my computers with this fix, and all is well. I thought that's what it was!
I had posted about the fix here. -- "As I was sayin' buster, this planet ain't big enough for the two of us so... OFF YA GO!" Daffy Duck
trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH clubs:
reply to JmanB And the "phishing" exploit is gone! YAY! -- WedgeAntilles250
  Michael Premium join:2001-05-06 Canada
reply to madylarian said by madylarian : Hey, it looks like it fixed that problem with the scroll bar too!
Awesome! I will download this patch as soon as I can.
Thanks very much for the post JmanB -- Team Discovery
 Daemon Premium join:2003-06-29 San Francisco, CA
·Comcast
I have to admire MS for releasing the bulletin today, even though the monthly release schedule would have put the patch at a normal release only about a week from now.
Thanks! -- -Ryan The more you know the more you know how little you know, you know?
  Jim Gurd Premium join:2000-07-08 Plymouth, MI
·AT&T DSL Service
·Comcast
reply to madylarian said by madylarian : Hey, it looks like it fixed that problem with the scroll bar too!
mady
What exactly is the scroll bar problem? I keep hearing about it but can't figure out what the problem is. I don't notice anything unusual with scroll bars.
  antdude A Ninja Ant Premium,VIP join:2001-03-25
reply to Daemon said by Daemon : I have to admire MS for releasing the bulletin today, even though the monthly release schedule would have put the patch at a normal release only about a week from now.
I think this was an URGENT update that needed to be released ASAP which isn't surprising. -- Ant @ The Ant Farm: »antfarm.ma.cx ... Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.
  madylarian The curmudgeonly Premium join:2002-01-03 Parkville, MD
reply to Jim Gurd said by Jim Gurd : What exactly is the scroll bar problem? I keep hearing about it but can't figure out what the problem is. I don't notice anything unusual with scroll bars.
It was caused by an update back in November. One of the threads about it can be found here. Before the update you could mouse-click anywhere in a blank part of the scrollbar and the page would advance or reverse one screen at a time. After the update clicking there would either move something like 2 1/2 pages or just take you to the bottom of the page and then "break" the scroll bar altogether. If you didn't notice the problem then it probably didn't affect you or you don't use your scrollbar that way. But for those of us who did, it was a real pain in the butt.
mady -- Honi soit qui mal y pense
 Tablet Premium join:2003-01-15 Czech
reply to madylarian said by madylarian : Hey, it looks like it fixed that problem with the scroll bar too!
mady
I confirm I no longer have the scrollbar problem after installing the cumulative patch.
 Coolsights
join:2003-02-22 Lewisville, TX
This is for those that said I was full of it when I posted the problem a long time ago...
I said when you click No the bloody stuff installs anyway...
I was told I was full of it.
HAHAHAHAHAHAHA
  JRBlood Premium join:1999-12-28 Syracuse, NY clubs:
reply to madylarian YES! Phishing and scroll-bar fixed! Made my day!
said by madylarian : But for those of us who did, (the scroll-bar bug) was a real pain in the butt.
Don't you know it!
 Mele20 Premium join:2001-06-05 Hilo, HI
reply to JmanB I thought Microsoft was supporting W98 for two more years? So where is the patch for IE5.5SP2 on W98SE? There is NONE. The patch for IE5.5SP2 is ONLY for WME! I cannot run IE6 on my W98SE box... I've tried and had to go back to IE5.5. Lots of folks have had to do that. So, where is our patch???? Is Microsoft supporting W98 or not??? -- "Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning
 OZO Premium join:2003-01-17
reply to JmanB This patch removes support for the autologin feature using the format: http(s)://user@password@domainname
While I disagree that the fix is necessary to avoid the problem of misinterpreting spoofed links in the IE Address Bar (using 0x01 characters, for example), instead of fixing the real problem and making proper parsing of domain names, I like the sense of humor of the editors of the KB834489 page.
M$ suggests two workarounds for users who used to use that feature:
• Do not include user information in HTTP or HTTPS URLs.
• Instruct users not to include their user information when they type HTTP or HTTPS URLs.
I think it's ridiculous to offer such workarounds... But I've seen it not just once.
We all know that the autologin feature is not the best way to make a secure login, but it's useful in many cases. For example, this is the way I'm connecting to the router from inside a small LAN. I do not need to enter a very secure password here, nor do I want to give up simple passwording either. It's a matter of good balance between security and the time you spend on that security (including entering long and complex passwords). Every way has its own place...
There is a place for encoded email communication and a place for regular unsecure (in any way) e-mails. There should be a place for different ways to make secure connections with different levels of security too... One thing I don't get, though, is why fixing a bug should lead to removing sometimes-needed functionality?
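The bulletin's third item and OZO's post above both turn on the `http(s)://username:password@server/resource.ext` syntax and the address-bar spoof built on it. As an added example that is neither Microsoft's code nor anything posted in this thread, the Python script below triages links from a defender's side: it reports which host such a link would actually reach and flags userinfo that is a decoy host name or hides control characters (the 0x01 OZO mentions). The sample links are constructed here; the tailspintoys/wingtiptoys hosts are the bulletin's own example names.

```python
# Added example, not Microsoft's or the thread's code: triage links that use the
# http(s)://username:password@server/resource.ext syntax MS04-004 disables and flag
# the address-bar spoof built on it (a decoy host in the "user name", or hidden
# control characters such as the 0x01 mentioned in OZO's post).
from urllib.parse import urlsplit

# ASCII control characters never belong in a user name; one sitting in the
# userinfo part means the link is trying to hide where the real '@' is.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {chr(0x7F)}


def inspect_url(url: str) -> dict:
    # Compare what a browser would actually contact with what the link shows.
    parts = urlsplit(url)
    has_userinfo = "@" in parts.netloc
    userinfo = parts.netloc.rpartition("@")[0] if has_userinfo else ""
    user = userinfo.split(":", 1)[0]
    hidden = sorted({c for c in userinfo if c in CONTROL_CHARS})
    decoy_host = "." in user  # e.g. "www.tailspintoys.com" posing as a user name
    return {
        "real_host": (parts.hostname or "").lower(),
        "has_userinfo": has_userinfo,
        "decoy_host": decoy_host,
        "hidden_chars": ["0x%02X" % ord(c) for c in hidden],
        "spoof_suspected": has_userinfo and (decoy_host or bool(hidden)),
    }


def triage(urls):
    # 'spoof': deceptive link; 'userinfo': syntax the update drops; 'clean': neither.
    verdicts = []
    for url in urls:
        info = inspect_url(url)
        if info["spoof_suspected"]:
            verdict = "spoof"
        elif info["has_userinfo"]:
            verdict = "userinfo"
        else:
            verdict = "clean"
        verdicts.append((url, verdict, info["real_host"]))
    return verdicts


# Constructed sample links: the bulletin's example hosts and OZO's router-login case.
SAMPLE_LINKS = [
    "http://www.tailspintoys.com\x01@www.wingtiptoys.com/",
    "http://admin:secret@192.168.1.1/",
    "https://www.microsoft.com/technet/security/",
]
```

Calling `triage(SAMPLE_LINKS)` yields one `spoof` (the link really goes to www.wingtiptoys.com), one `userinfo` (OZO's router-style login, which the update stops honouring) and one `clean` link.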
 SUMware Premium join:2002-05-21
1 edit
reply to Mele20 Hi Mele -
From: »www.microsoft.com/technet/securi···-004.asp and »www.microsoft.com/downloads/deta···ylang=en
System Requirements
Supported Operating Systems: Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows 98, Windows 98 Second Edition, Windows ME, Windows NT
This update applies to Internet Explorer 5.5 Service Pack 2 (SP2) with the following operating systems:
Windows Millennium Edition (Windows Me)
Windows 2000 SP2
Windows 2000 SP3
Windows 2000 SP4
Windows 98 SE
Windows 98
Windows NT® 4.0 SP6A
DL available here also: »v4.windowsupdate.microsoft.com/e···ault.asp
  beefy It's A Dog's Life
join:2001-02-04 Burlington, ON 1 edit
reply to Mele20 disregard