Reported May 16, 2002, by Microsoft.
- Microsoft Internet Explorer (IE) 6.0, 5.5, and 5.01
Six newly discovered vulnerabilities exist in IE 6.0, 5.5, and 5.01:
· The first vulnerability concerns a cross-site scripting problem in a local HTML resource. The vulnerability in the local HTML file lets an attacker execute a script as if the user were running it, causing the script to run in the Local Computer zone. An attacker can craft a Web page that exploits this vulnerability and either host this page on a Web server or send it as HTML email. When the user views the Web page and the script runs, the script injects itself into the local resource, where it runs in the Local Computer zone.
· The second vulnerability concerns information disclosure related to the use of an HTML object that supports Cascading Style Sheets (CSS). This vulnerability lets an attacker read data on the local system. The attacker can craft a Web page that exploits this vulnerability and either host this page on a Web server or send it as HTML email. When the user views the Web page, the page executes and invokes the HTML element. To successfully exploit this vulnerability, the attacker needs to know the exact location on the user's system of the file that the attacker intends to read. The intended file must also contain a single, particular ASCII character.
· The third vulnerability concerns an information disclosure related to the handling of script within cookies that lets one site read the cookies of another site. An attacker can build a special cookie containing script and then construct a Web page that delivers the cookie to the user's system and invokes the script. The attacker can then send that Web page as mail or post it on a server. When the user views the Web page, the page executes and invokes the script in the cookie, which lets the script read or alter cookies of another site. To successfully exploit this vulnerability, the attacker must know the exact name of the cookie as stored on the local file system.
· The fourth vulnerability is a zone-spoofing problem that lets an attacker cause IE to handle a Web page as if it were in the Intranet zone or, in some cases, the Trusted Sites zone. An attacker can construct a Web page exploiting this vulnerability and attempt to get the user to visit the Web page.
· The last two vulnerabilities are two new variants of the "Content Disposition" vulnerability discussed in Microsoft Security Bulletin MS01-058 that affect how IE handles downloads when an attacker intentionally malforms a downloadable file's Content-Disposition and Content-Type headers. In such a case, the attacker can cause IE to accept a file as a type safe for automatic handling, when in fact the file is executable content.
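As an added defender-side illustration, not part of the original advisory or of Microsoft's patch, the following Python check (suitable for a proxy or mail gateway) flags a download response whose Content-Disposition filename indicates executable content while the Content-Type claims a type IE handles automatically, or whose headers contain control characters or unbalanced quotes. The extension and type lists, the function names, and the sample headers are assumptions constructed for the example; they do not reproduce the bulletin's specific variants.

```python
import re

# Extensions Windows treats as executable content (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "hta", "wsf"}

# Types assumed to be handled automatically by the browser without a download prompt.
AUTO_HANDLED_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg", "audio/wav"}

# Matches filename="quoted value" or filename=bare_token in a Content-Disposition header.
_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def extract_filename(content_disposition):
    """Return the filename parameter from a Content-Disposition value, or None."""
    m = _FILENAME_RE.search(content_disposition)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def is_malformed(value):
    """True if a header value contains control characters or an odd number of quotes."""
    if any(ord(c) < 0x20 for c in value):
        return True
    return value.count('"') % 2 == 1


def check_download_headers(content_type, content_disposition):
    """Return a list of findings (empty when the headers look consistent)."""
    findings = []
    for name, value in (("Content-Type", content_type),
                        ("Content-Disposition", content_disposition)):
        if is_malformed(value):
            findings.append(f"malformed {name} header")
    filename = extract_filename(content_disposition)
    if filename is None:
        return findings
    # Use the last dot-separated component; strip trailing dots/spaces, which Windows ignores.
    ext = filename.rstrip(" .").rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = content_type.split(";", 1)[0].strip().lower()
    if ext in EXECUTABLE_EXTENSIONS and declared in AUTO_HANDLED_TYPES:
        findings.append(f"executable extension .{ext} declared as auto-handled type {declared}")
    return findings


if __name__ == "__main__":
    # Constructed sample: an executable offered under a type the browser would open directly.
    print(check_download_headers("text/plain", 'attachment; filename="update.exe"'))
```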
The vendor, Microsoft, has released Security Bulletin MS02-023 to address these vulnerabilities and recommends that affected users apply the appropriate cumulative patch listed in the bulletin. This cumulative patch includes the functionality of all previous patches for these versions of IE.
Discovered by Jani Laatikainen, Yuu Arai, Cristobal Bielza Lino, and Juan Carlos G. Cuartango.