  1. #1
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Swanzey, New Hampshire, USA
    Posts
    1,707
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Cumulative Patch for IE (all)

    What's the consensus on whether or not to apply the following patch that came out today in a MS Security Update Bulletin?

    Title: 15 May 2002 Cumulative Patch for Internet Explorer (Q321232)
    Date: 15 May 2002
    Software: Internet Explorer
    Impact: Six new vulnerabilities, the most serious of which could allow code of attacker's choice to run.
    Max Risk: Critical
    Bulletin: MS02-023

    Jeff
    simul iustus et peccator

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Cumulative Patch for IE (all)

    I'd give it 48 hours and see if there is a lot of screaming before installing it.

  3. #3
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Swanzey, New Hampshire, USA
    Posts
    1,707
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Cumulative Patch for IE (all)

    My thoughts exactly. I was hoping that there would have been something in one of the "Woody's e-zines" about it, as he usually has something to say about Microsoft patches.

    Jeff
    simul iustus et peccator

  4. #4
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Cumulative Patch for IE (all)

    I just can't help myself:

    Most of the vulnerabilities are seemingly prevented using my previously defined strategies -- and that is RESTRICTING the Internet zone, and placing your Email reader in the Restricted sites zone.

    I find these statements rather disconcerting:

    [said by MS02-023]
    --------------------------------------------------------------------------------
    A successful attack requires that a user first click on a hyperlink.

    ...this scenario requires social engineering to make the user choose to visit his site.

    However, a successful attack would require luring the user to the attacker's site.
    --------------------------------------------------------------------------------

    MS keeps implying that as long as you just don't visit any bad web sites and if you just don't click any links, then you will be OK. Isn't that akin to saying "just don't surf the Internet"?? If you knew exactly which pages were safe and which weren't, or if you NEVER wanted to visit ANY new sites, this approach makes sense. Otherwise, I find their comments more annoying than helpful.

    This type of information is equally condescending and unhelpful:

    [said by MS02-023]:
    --------------------------------------------------------------------------------
    Customers who exercise caution in what web sites they visit or who place unknown or untrusted sites in the Restricted Sites zone can potentially protect themselves from attempts to exploit this issue on the web.
    --------------------------------------------------------------------------------

    This type of statement is made numerous times. How ludicrous is this? Just place ALL sites that you don't know in your Restricted site zone.

    Hmmm... let's see. How does one do that? Do you enter **.*.* on to your Restricted Sites list? Otherwise, if a site is "unknown" to you, how do you get it in the Restricted sites zone in the first place? Very interesting concept.

    Doesn't this REALLY mean to say: "RESTRICT YOUR INTERNET ZONE"!!!! Then, place any site you trust into your Trusted sites. Why don't they come out and say this??

    And what the crap is the "particular, individual ASCII character"?? They can't even spell particular correctly half the time (this bulletin is loaded with typos), but they never once come out and say what that character is! Weird. I am going to take a wild guess that it is not one of the numerical or alphabetical characters.

    Equally mysterious is the HTML object that can disclose local information. Does the object have a name, or can it only be referred to as "the object in question"? It is interesting that "the object in question" must call on a file with "the particular character in question". Can we be a little more vague??

    Again we find out the Cookies are not as 'inaccessible' by other web sites as Microsoft always swore they were. The party line was always that "only the site that placed the cookie has access to it". This is the SECOND vulnerability that proves that was bogus! And ONLY after the second vulnerability are cookies moved into the Restricted sites zone. I guess one vulnerability isn't enough.

    Furthermore, the "fifth and sixth vulnerabilities" patches seem to just finish closing holes in the Content-Disposition/Content-Type vulnerability that MS incompletely fixed last time. Are they completely fixed now?? Can we trust MS to finish the job this time? Probably not.

    And, what about frames? Was the Restricted sites not fully 'Restricted' by default AGAIN?? Certainly my Restricted sites is fully disabled -- shouldn't it be? What were they thinking? How can they rationalize anything but a fully disabled Restricted sites?

    Sorry for the rant. I am very happy to see MS fix these vulnerabilities, but many of these should have been fixed long ago. And their condescending attitude -- just don't go to any 'unknown' site -- is very annoying.
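
The zone settings argued for in post #4 (a restricted Internet zone and a fully disabled Restricted sites zone) can be checked offline from a registry export. This is an added example, not part of the thread: the export below is constructed, and the audit covers only five of IE's URL action codes, chosen for illustration.

```python
import re
# Constructed sample .reg-style export (values invented for this example).
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1200"=dword:00000000
"1400"=dword:00000000
"1803"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1001"=dword:00000003
"1200"=dword:00000003
"1400"=dword:00000003
"1607"=dword:00000000
"1803"=dword:00000003
'''

ZONES = {"3": "Internet", "4": "Restricted sites"}
ACTIONS = {  # URL action codes this audit looks at (a subset, chosen here)
    "1001": "Download signed ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1400": "Active scripting",
    "1607": "Navigate sub-frames across different domains",
    "1803": "File download",
}
POLICY = {0: "enabled", 1: "prompt", 3: "disabled"}
KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\([34])\]$")
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse(export_text):
    zones, current = {}, None
    for line in map(str.strip, export_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = zones.setdefault(key.group(1), {})
        elif line.startswith("["):
            current = None  # some other registry key: skip its values
        elif current is not None and (val := VAL_RE.match(line)):
            current[val.group(1)] = int(val.group(2), 16)
    return zones

def audit(export_text):
    """Return (zone, action, state) for each audited action that is not disabled."""
    findings = []
    for zone_id, values in sorted(parse(export_text).items()):
        for code, label in ACTIONS.items():
            raw = values.get(code)  # None means the value is absent from the export
            state = "not set" if raw is None else POLICY.get(raw, hex(raw))
            if state != "disabled":
                findings.append((ZONES[zone_id], label, state))
    return findings
```

An action missing from the export is reported as "not set" rather than assumed safe, since the zone then falls back to whatever default applies.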

  5. #5
    Bronze Lounger
    Join Date
    Feb 2001
    Location
    England
    Posts
    1,306
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Cumulative Patch for IE (all)

    ...good for you, Rick. Not a rant at all, but a perfectly legit complaint.
    Restrict or Suffer...

    Rgds

  6. #6
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Cumulative Patch for IE (all)

    And you thought I was a pessimist: http://jscript.dk/unpatched/MS02-023update.html

    Here is more of the same view posted elsewhere: http://online.securityfocus.com/archive/1/...13/2002-05-19/0

  7. #7
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Cumulative Patch for IE (all)

    There are some more reports floating around also:
    http://computerworld.com/securitytopics/se...00.html?nlid=AM
    _____________________

    Then, at least one of Thor's points (May 16, 2002) has already forced MS to change the bulletin.

    The original version of MS02-023 said the following regarding the "Cross-Site Scripting Vulnerability in Local HTML Resource":

    "A successful attack requires that a user first click on a hyperlink. There is no way to automate an attack using this vulnerability. "

    [Thor's response:] "The above is blatantly untrue, and was repeatedly demonstrated to MS both in the initial notification phase and when we worked together to reproduce the issue. Nothing in the world stops this vulnerability from being automatically exploited."
    _________________________

    The original version of MS02-023 said the following regarding the "Script within Cookies Reading Cookies" vulnerability:

    "An attacker would have to entice a user to first click on a hyperlink to initiate an attempt to exploit this vulnerability. There is no way to automate an attack that exploits this vulnerability."

    [Thor's response:] "Of course, this is also untrue since Internet Explorer comes equipped with a nice click method on links that a programmer can execute, duplicating an actual click (http://msdn.microsoft.com/workshop/author/...thods/click.asp ). As such, nothing stops anyone from exploiting this vulnerability automatically."

    ____________________

    Microsoft seemingly responded -- by completely removing those paragraphs:

    Revisions:

    V1.0 (May 15, 2002): Bulletin Created.
    V1.1 (May 16, 2002): Bulletin updated to correct erroneous information regarding attack vectors for the Cross-Site Scripting in Local HTML Resource and Script within Cookies Reading Cookies vulnerabilities and the capabilities of locally run scripts.
    ______________________

    If nothing else, this gives Thor a hell of a lot of credibility!

    Microsoft has actually responded to Thor's (and others') complaints here:
    _________________

    "The bulletin incorrectly says that it would be necessary for an attacker to click a link in order to exploit the vulnerability. This author of the posting is correct - once a user arrived at an attacker's web site, it would be possible for the site to automatically exploit the vulnerability. We have updated the bulletin accordingly."

    "The patch does eliminate the vulnerability discussed in the bulletin. The author of the posting is actually describing an entirely new variant of the vulnerability, which had never previously been reported to Microsoft. We are investigating the newly reported issue."
    _________________________

    Anyone believe that last paragraph? Let's see, Thor's site says:

    Vendor status:
    Microsoft was notified 18 March 2002 and were able to reproduce the issue consistently.
    They are currently (16 April 2002) investigating whether to address this in an upcoming cumulative patch.
    __________________________

    So, someone here is an out-and-out liar. So far, Thor is looking pretty damn credible...

    Amazingly, Microsoft decides to put the foot in deeper:
    __________________________

    "On 17 May, an additional claim was aired regarding the second vulnerability discussed in the bulletin, which involves an information disclosure vulnerability affecting cascading style sheets. The author of this posting claims that the patch doesn't actually eliminate this vulnerability. However, as in the case discussed above, this appears to be a new variant that had never previously been reported to Microsoft, and we are investigating it."
    __________________________

    Again Microsoft's response is "we never heard of this vulnerability". However, GreyMagic reports:

    Solution:
    Microsoft was first informed on 18 Feb 2002 (44 days ago), they have opened an investigation regarding this issue and will probably release a patch in the near future.
    __________________________

    Again, someone is LYING. Both of these vulnerabilities were reported to BugTraq upon being discovered. So there is really NO excuse for Microsoft to be claiming they 'never heard of these'.

    Their response is quite disheartening.

  8. #8
    Silver Lounger Duchess843's Avatar
    Join Date
    Apr 2002
    Location
    Sicklerville, NJ
    Posts
    2,488
    Thanks
    36
    Thanked 0 Times in 0 Posts

    Re: Cumulative Patch for IE (all)

    Pardon me for butting in, but if you want to see more on this issue, go to the Windows 98 forum on Woody's Lounge. That's where I and others made posts on this very subject. See the thread "Can't view Just One Webpage."

  9. #9
    5 Star Lounger
    Join Date
    Feb 2001
    Location
    Youngstown, Ohio, USA
    Posts
    705
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Re: Cumulative Patch for IE (all)

    Here's a fresh observation that I believe is related to installing this patch:

    I was running WinME, Office2K (SR1,SP2), and IE6 when I installed the patch. Since then I have been unable to send email from Outlook when it is generated using a "Send To Mail Recipient" command, either through IE, Excel, Windows Explorer or otherwise. The message just remains open with no activity happening at all. This does not appear to be content-related.

    That was at home. At the office, running a nearly identical setup I experienced the exact same problem after installing the patch. Then I experienced a complete meltdown that required an fdisk, format, and reinstall. I've restored the system to almost the exact same setup, with the one exception of the IE patch. No problems with "Send To Mail Recipient" have been encountered yet.

    Conclusion? The timing between installing the patch and experiencing this problem seems too coincidental to dismiss. I'll hold off on installing that IE patch for now, thank you very much!

  10. #10
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Swanzey, New Hampshire, USA
    Posts
    1,707
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Cumulative Patch for IE (all)

    Dave,

    It sure is strange how someone can have such disastrous results installing this patch, some particular software, etc., and yet others have no problems whatsoever. There are obviously many different variables that might be the cause. But just to show you what I'm talking about, I went ahead and installed this patch and haven't even experienced a hiccup. Everything is working just dandy.

    Now, this isn't to throw water on your situation or to discredit it in any way. But rather, I only intend to show that what may not work for some people may in fact work just fine for others. And not to belabour the point, before I upgraded from Norton SystemWorks Pro 2000 to 2002 I visited the Norton support boards and read myriad complaints about installation problems. It was rather intimidating to say the least. But since I had been using Norton SystemWorks for several years, I really thought it was worth the "risk". So, following the instructions to a "T", I went ahead and bought the upgrade and installed it and didn't have any problems at all. Go figure? Computers, ain't they great though?!!

    Jeff
    simul iustus et peccator

  11. #11
    5 Star Lounger
    Join Date
    Feb 2001
    Location
    Youngstown, Ohio, USA
    Posts
    705
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Re: Cumulative Patch for IE (all)

    That's the curse of having such a flexible platform - each is almost guaranteed to be unique in some way. Perhaps it was my prior upgrade pattern, or installed components, or who knows what, that gave me the different results... I just know that I'm not going to tempt fate and risk losing a vital tool again.
