Microsoft Security Bulletin MS03-040 - 828750

  • Thread starter Thread starter Jerry Bryant [MSFT]
  • Start date Start date
J

Jerry Bryant [MSFT]

Title: Cumulative Patch for Internet Explorer Execution (828750)
Date: October 3, 2003
Software:
Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice.
Maximum Severity Rating: Critical
Bulletin: MS03-040

The Microsoft Security Response Center has released Microsoft Security
Bulletin MS03-040

What Is It?
The Microsoft Security Response Center has released Microsoft Security
Bulletin MS03-040 which concerns a vulnerability in Internet Explorer.
Customers are advised to review the information in the bulletin, test and
deploy the patch immediately in their environments, if applicable.

More information is now available at
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp

If you have any questions regarding the patch or its implementation after
reading the above listed bulletin you should contact Product Support
Services in the United States at 1-866-PCSafety (1-866-727-2338).
International customers should contact their local subsidiary.



--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.
 
This may sound harsh.

It is meant to sound harsh.

I just re-read it.

I am still posting it.

Pardon me, but don't you think you could have EXPLAINED the meaning and
importance of this (AND the other critical fix just issued)? What does
MSFT, MSCE, or MCDBA mean if YOU are allow to put it after your name? Not
much, evidently.

Take into account the users who are asking questions on these newsgroups.

Take into account that they all are worried about the flood of infected,
fake Microsoft security bulletins that USE EXACTLY THE SAME LANGUAGE as what
you just posted.

Pardon me, but do you have ANY idea how foolish your post is? Why did you
do it? Was ANY thought involved?

I am appalled. Do you have a keeper? Does Microsoft know what you are
doing?

And cross-posted too, just like the 'swen' worm posts to newsgroups!



Please, could some responsible adult at Microsoft cancel the top of this
thread.... quickly, before more damage is done? Except, of course, for the
newsgroup that does not resolve!



--
Invisible Dance, (e-mail address removed)
normally I've posted using a different e-mail address and name: Phil Weldon,
and something close to p well done in mindjump, but I'll get any e-mail sent
to the e-mail address above (probably more reliably because THAT mailbox
does not yet get 1800 infected e-mails each day.)
 
Yes, I know what the MS website looks like. Yes, I already had the patches.
Yes, I know a bad post when I see one. Look down to the thread started by
Larry Samuels MS-MVP XP (Shell/User) <[email protected]> for a look at how TO
do it.
 
Hey, Phil...........Calm down. Click on the links to Microsoft for the
Security Bulletin and other very useful information. You do know what the
Microsoft website looks like, don't you? Just trying to help.
charlie R


This may sound harsh.

It is meant to sound harsh.

I just re-read it.

I am still posting it.

Pardon me, but don't you think you could have EXPLAINED the meaning and
importance of this (AND the other critical fix just issued)? What does
MSFT, MSCE, or MCDBA mean if YOU are allow to put it after your name? Not
much, evidently.

Take into account the users who are asking questions on these newsgroups.

Take into account that they all are worried about the flood of infected,
fake Microsoft security bulletins that USE EXACTLY THE SAME LANGUAGE as what
you just posted.

Pardon me, but do you have ANY idea how foolish your post is? Why did you
do it? Was ANY thought involved?

I am appalled. Do you have a keeper? Does Microsoft know what you are
doing?

And cross-posted too, just like the 'swen' worm posts to newsgroups!



Please, could some responsible adult at Microsoft cancel the top of this
thread.... quickly, before more damage is done? Except, of course, for the
newsgroup that does not resolve!



--
Invisible Dance, (e-mail address removed)
normally I've posted using a different e-mail address and name: Phil Weldon,
and something close to p well done in mindjump, but I'll get any e-mail sent
to the e-mail address above (probably more reliably because THAT mailbox
does not yet get 1800 infected e-mails each day.)
 
Thank you and FYI, I rely on these postings you provide in such a timely manner.
It makes it easier for me and main reason I subscribe to this group.

mae
-------------------------------------------------------------
| Title: Cumulative Patch for Internet Explorer Execution (828750)
| Date: October 3, 2003
| Software:
| Internet Explorer 5.01
| Internet Explorer 5.5
| Internet Explorer 6.0
| Internet Explorer 6.0 for Windows Server 2003
| Impact: Run code of attacker's choice.
| Maximum Severity Rating: Critical
| Bulletin: MS03-040
|
| The Microsoft Security Response Center has released Microsoft Security
| Bulletin MS03-040
|
| What Is It?
| The Microsoft Security Response Center has released Microsoft Security
| Bulletin MS03-040 which concerns a vulnerability in Internet Explorer.
| Customers are advised to review the information in the bulletin, test and
| deploy the patch immediately in their environments, if applicable.
|
| More information is now available at
| http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
|
| If you have any questions regarding the patch or its implementation after
| reading the above listed bulletin you should contact Product Support
| Services in the United States at 1-866-PCSafety (1-866-727-2338).
| International customers should contact their local subsidiary.
|
|
|
| --
| Regards,
|
| Jerry Bryant - MCSE, MCDBA
| Microsoft IT Communities
|
| Get Secure! www.microsoft.com/security
|
|
| This posting is provided "AS IS" with no warranties, and confers no rights.
|
|
 
Phil;
Why are you posting "It is meant to sound harsh"?
This is a newsgroup.
One purpose is to exchange of information.
Jerry gave information about an important Critical Update.
How much more of an explanation is needed.
Instead of wasting bandwidth, Jerry posted the relevant link, click
it, the link works.

"fake Microsoft security bulletins that USE EXACTLY THE SAME LANGUAGE"
Not at all, Jerry's post did not have an attachment, instead it had a
valid Microsoft link.
Or you could try Windows Update.

This patch fixes issues many people have commented about in the
various newsgroups, so Yes, cross posting may be appropriate.

If you want to know what the acronyms mean:
http://www.acronymfinder.com/

This quote applies to you Phil:
"Pardon me, but do you have ANY idea how foolish your post is?"

Now, sit down, relax and read the whole post this time instead of
letting your imagination go wild again.
 
Hi Mae,

I also appreciate bulletins like this. I just wanted to make you aware that
Microsoft also has Email updates that you can subscribe to:
http://www.microsoft.com/security/security_bulletins/decision.asp

--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup. If I see an email I didn't ask for, it will be
deleted without reading.


Thank you and FYI, I rely on these postings you provide in such a timely
manner.
It makes it easier for me and main reason I subscribe to this group.

mae
-------------------------------------------------------------
| Title: Cumulative Patch for Internet Explorer Execution (828750)
| Date: October 3, 2003
| Software:
| Internet Explorer 5.01
| Internet Explorer 5.5
| Internet Explorer 6.0
| Internet Explorer 6.0 for Windows Server 2003
| Impact: Run code of attacker's choice.
| Maximum Severity Rating: Critical
| Bulletin: MS03-040
|
| The Microsoft Security Response Center has released Microsoft Security
| Bulletin MS03-040
|
| What Is It?
| The Microsoft Security Response Center has released Microsoft Security
| Bulletin MS03-040 which concerns a vulnerability in Internet Explorer.
| Customers are advised to review the information in the bulletin, test and
| deploy the patch immediately in their environments, if applicable.
|
| More information is now available at
| http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
|
| If you have any questions regarding the patch or its implementation after
| reading the above listed bulletin you should contact Product Support
| Services in the United States at 1-866-PCSafety (1-866-727-2338).
| International customers should contact their local subsidiary.
|
|
|
| --
| Regards,
|
| Jerry Bryant - MCSE, MCDBA
| Microsoft IT Communities
|
| Get Secure! www.microsoft.com/security
|
|
| This posting is provided "AS IS" with no warranties, and confers no
rights.
|
|
 
Since "Jerry Bryant [MSFT] massively cross-posted (the same technique the
'swen' worm uses in posting to newsgroups), this is somewhat difficult to
explain, so I'll append an example of the same information that was posted
to microsoft.public.security.virus (not cross-posted as the 'swen' worm
cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have
valid hot-links to appropriate Microsoft websites, it's just that they also
have a malformed header and an infected attachment]) in a much better
fashion. If you are not viewing this thread in the
microsoft.public.security.virus you may not realize how bad the post from
"Jerry Bryant [MSFT] looks in context.

Realize that millons of fake, infected "Microsoft Security Bulletins" are
being sent out hourly by systems and networks infected by the 'swen' worm.
Some of us are geting a thousand or more each day. That makes it extremely
important to make every effort to insure any legitimate information
purporting to be from Microsoft to distinguish itself from that provided by
the 'swen' worm.

Just in case you need a glimpse of the 'swen' worm product, look at (but be
very, very sure that you have all necessary Microsoft security patches and
Service Packs installed AND have an antivirus program with the latest virus
definitions scanning all operations of your computer before looking) the
post to microsoft.public.security.virus

Watch this security patch
From: Karol
Sent: 02OCT03 4:18 PM EDT


The post generated by the 'swen' worm has a malformed header AND has the ~
106,000 byte infectious attachment. Open this attached file and, without
up-to-date antivirus protection on your Windows 98 and up operating system
and your system WILL be infected.
______________________
Quote Begins
______________________
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (828750)
Date: October 3, 2003
Software: Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-040

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
In addition, it eliminates the following newly discovered
vulnerabilities:

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server in a
popup window. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user
visited an attacker's Web site, it would be possible for the attacker
to exploit this vulnerability without any other user action. An
attacker could also craft an HTML-based e-mail that would attempt to
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server during
XML data binding. It could be possible for an attacker who exploited
this vulnerability to run arbitrary code on a user's system. If a
user visited an attacker's Web site, it would be possible for the
attacker to exploit this vulnerability without any other user action.
An attacker could also craft an HTML-based e-mail that would attempt
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
Restricted Zone. It could be possible for an attacker exploiting a
separate vulnerability (such as one of the two vulnerabilities
discussed above) to cause Internet Explorer to run script code in the
security context of the Internet Zone. In addition, an attacker could
use Windows Media Player's (WMP) ability to open URL's to construct
an attack. An attacker could also craft an HTML-based e-mail that
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively an
attacker would have to host a malicious Web site that contained a Web
page designed to exploit these vulnerabilities. The attacker would
then have to persuade a user to visit that site.

As with the previous Internet Explorer cumulative patches released
with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this
cumulative patch will cause window.showHelp( ) to cease to function
if you have not applied the HTML Help update. If you have installed
the updated HTML Help control from Knowledge Base article 811630, you
will still be able to use HTML Help functionality after applying this
patch.

In addition to applying this security patch it is recommended that
users also install the Windows Media Player update referenced in
Knowledge Base Article 828026. This update is available from Windows
Update as well as the Microsoft Download Center for all supported
versions of Windows Media Player. While not a security patch, this
update contains a change to the behavior of Windows Media Player's
ability to launch URL's to help protect against DHTML behavior based
attacks. Specifically, it restricts Windows Media Player's ability
to launch URL's in the local computer zone from other zones.

Mitigating Factors:
====================
- -By default, Internet Explorer on Windows Server 2003 runs in
Enhanced
Security Configuration. This default configuration of Internet
Explorer
blocks automatic exploitation of this attack. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections
put in place that prevent this vulnerability from being automatically
exploited would be removed.

- -In the Web-based attack scenario, the attacker would have to host a
Web site that contained a Web page used to exploit this
vulnerability. An attacker would have no way to force a user to
visit a malicious Web Site. Instead, the attacker would need to lure
them there, typically by getting them to click a link that would take
them to the attacker's site.

- -Exploiting the vulnerability would allow the attacker only the same
privileges as the user. Users whose accounts are configured to have
few privileges on the system would be at less risk than ones who
operate with administrative privileges.

Risk Rating:
============
-Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
for information on obtaining this patch.


- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.




-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBP34rCY0ZSRQxA/UrAQFmqAgAlS+ZctG+OT7Rd49WfGdz2ISdMNZ1E1ay
IpWYrj5leBrc5KTLf7fadhy9209A96gppJbV6lIWqP1gvQWrWaW8XZzyhvsX7FH+
922nYeQLUsPp3R+wA2jZP6OvcfTFOUqa4nDM9oisO7qMEc2SuDdQWont2IzeAf6h
3P6VjblfQ72pxPAYuFSRN0xKZGzqcSKqWYwy+APgjp3a+J1tO17ur+1jhz6BgI9w
CZcAOxluayX6IxOixaWFBZUmiITGFImYFY1Ql+LQSdTCVv11R+IKrhAsRwfyfA9r
7AqjjZfWrB/ScpPdrobt3W9eFSxgHCjMen7SIB5SuTldsWwpu7IBHg==
=vhUD
-----END PGP SIGNATURE-----


--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone -


_______________
Quote Ends
 
Since "Jerry Bryant [MSFT] massively cross-posted (the same technique the
'swen' worm uses in posting to newsgroups), this is somewhat difficult to
explain, so I'll append an example of the same information that was posted
to microsoft.public.security.virus (not cross-posted as the 'swen' worm
cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have
valid hot-links to appropriate Microsoft websites, it's just that they also
have a malformed header and an infected attachment]) in a much better
fashion. If you are not viewing this thread in the
microsoft.public.security.virus you may not realize how bad the post from
"Jerry Bryant [MSFT] looks in context.

Realize that millons of fake, infected "Microsoft Security Bulletins" are
being sent out hourly by systems and networks infected by the 'swen' worm.
Some of us are geting a thousand or more each day. That makes it extremely
important to make every effort to ensure any legitimate information
purporting to be from Microsoft to distinguish itself from that provided by
the 'swen' worm.

Just in case you need a glimpse of the 'swen' worm product, look at (but be
very, very sure that you have all necessary Microsoft security patches and
Service Packs installed AND have an antivirus program with the latest virus
definitions scanning all operations of your computer before looking) the
post to microsoft.public.security.virus

Watch this security patch
From: Karol
Sent: 02OCT03 4:18 PM EDT


The post generated by the 'swen' worm has a malformed header AND has the ~
106,000 byte infectious attachment. Open this attached file and, without
up-to-date antivirus protection on your Windows 98 and up operating system
and your system WILL be infected.
______________________
Quote Begins
______________________
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (828750)
Date: October 3, 2003
Software: Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-040

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
In addition, it eliminates the following newly discovered
vulnerabilities:

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server in a
popup window. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user
visited an attacker's Web site, it would be possible for the attacker
to exploit this vulnerability without any other user action. An
attacker could also craft an HTML-based e-mail that would attempt to
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server during
XML data binding. It could be possible for an attacker who exploited
this vulnerability to run arbitrary code on a user's system. If a
user visited an attacker's Web site, it would be possible for the
attacker to exploit this vulnerability without any other user action.
An attacker could also craft an HTML-based e-mail that would attempt
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
Restricted Zone. It could be possible for an attacker exploiting a
separate vulnerability (such as one of the two vulnerabilities
discussed above) to cause Internet Explorer to run script code in the
security context of the Internet Zone. In addition, an attacker could
use Windows Media Player's (WMP) ability to open URL's to construct
an attack. An attacker could also craft an HTML-based e-mail that
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively an
attacker would have to host a malicious Web site that contained a Web
page designed to exploit these vulnerabilities. The attacker would
then have to persuade a user to visit that site.

As with the previous Internet Explorer cumulative patches released
with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this
cumulative patch will cause window.showHelp( ) to cease to function
if you have not applied the HTML Help update. If you have installed
the updated HTML Help control from Knowledge Base article 811630, you
will still be able to use HTML Help functionality after applying this
patch.

In addition to applying this security patch it is recommended that
users also install the Windows Media Player update referenced in
Knowledge Base Article 828026. This update is available from Windows
Update as well as the Microsoft Download Center for all supported
versions of Windows Media Player. While not a security patch, this
update contains a change to the behavior of Windows Media Player's
ability to launch URL's to help protect against DHTML behavior based
attacks. Specifically, it restricts Windows Media Player's ability
to launch URL's in the local computer zone from other zones.

Mitigating Factors:
====================
- -By default, Internet Explorer on Windows Server 2003 runs in
Enhanced
Security Configuration. This default configuration of Internet
Explorer
blocks automatic exploitation of this attack. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections
put in place that prevent this vulnerability from being automatically
exploited would be removed.

- -In the Web-based attack scenario, the attacker would have to host a
Web site that contained a Web page used to exploit this
vulnerability. An attacker would have no way to force a user to
visit a malicious Web Site. Instead, the attacker would need to lure
them there, typically by getting them to click a link that would take
them to the attacker's site.

- -Exploiting the vulnerability would allow the attacker only the same
privileges as the user. Users whose accounts are configured to have
few privileges on the system would be at less risk than ones who
operate with administrative privileges.

Risk Rating:
============
-Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
for information on obtaining this patch.


- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.




-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBP34rCY0ZSRQxA/UrAQFmqAgAlS+ZctG+OT7Rd49WfGdz2ISdMNZ1E1ay
IpWYrj5leBrc5KTLf7fadhy9209A96gppJbV6lIWqP1gvQWrWaW8XZzyhvsX7FH+
922nYeQLUsPp3R+wA2jZP6OvcfTFOUqa4nDM9oisO7qMEc2SuDdQWont2IzeAf6h
3P6VjblfQ72pxPAYuFSRN0xKZGzqcSKqWYwy+APgjp3a+J1tO17ur+1jhz6BgI9w
CZcAOxluayX6IxOixaWFBZUmiITGFImYFY1Ql+LQSdTCVv11R+IKrhAsRwfyfA9r
7AqjjZfWrB/ScpPdrobt3W9eFSxgHCjMen7SIB5SuTldsWwpu7IBHg==
=vhUD
-----END PGP SIGNATURE-----


--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone -


_______________
Quote Ends
--
Invisible Dance, (e-mail address removed)


--
Invisible Dance, (e-mail address removed)
Jonathan Maltz said:
Hi Mae,

I also appreciate bulletins like this. I just wanted to make you aware that
Microsoft also has Email updates that you can subscribe to:
http://www.microsoft.com/security/security_bulletins/decision.asp

--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup. If I see an email I didn't ask for, it will be
deleted without reading.


Thank you and FYI, I rely on these postings you provide in such a timely
manner.
It makes it easier for me and main reason I subscribe to this group.

mae
-------------------------------------------------------------
| Title: Cumulative Patch for Internet Explorer Execution (828750)
| Date: October 3, 2003
| Software:
| Internet Explorer 5.01
| Internet Explorer 5.5
| Internet Explorer 6.0
| Internet Explorer 6.0 for Windows Server 2003
| Impact: Run code of attacker's choice.
| Maximum Severity Rating: Critical
| Bulletin: MS03-040
|
| The Microsoft Security Response Center has released Microsoft Security
| Bulletin MS03-040
|
| What Is It?
| The Microsoft Security Response Center has released Microsoft Security
| Bulletin MS03-040 which concerns a vulnerability in Internet Explorer.
| Customers are advised to review the information in the bulletin, test and
| deploy the patch immediately in their environments, if applicable.
|
| More information is now available at
| http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
|
| If you have any questions regarding the patch or its implementation after
| reading the above listed bulletin you should contact Product Support
| Services in the United States at 1-866-PCSafety (1-866-727-2338).
| International customers should contact their local subsidiary.
|
|
|
| --
| Regards,
|
| Jerry Bryant - MCSE, MCDBA
| Microsoft IT Communities
|
| Get Secure! www.microsoft.com/security
|
|
| This posting is provided "AS IS" with no warranties, and confers no
rights.
|
|
 
I am viewing this thread through the Microsoft servers and I do see a
difference.
Perhaps you need to read more posts.
People often point out that this information does not get enough
publicity in these newsgroups.
Now Microsoft posts this very information to the newsgroups and people
complain.
Microsoft will lose no matter what they do.
Some of the patches need massive exposure.
In a 2 hour time frame, I saw the information about this patch from at
least 4 different methods.
This is what it is sometimes necessary to do.

You can pick all you want, the point is the information is getting out
in a non threatening way.
There are NO attachments.
If you would like to panic over a legitimate post, what did you do
when all the viruses were here?

I obviously realize a lot more than you think, a point that should be
obvious to you if you only look.

--
Jupiter Jones [MVP]
An easier way to read newsgroup messages:
http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp
http://dts-l.org/index.html


Invisible Dance said:
Since "Jerry Bryant [MSFT] massively cross-posted (the same technique the
'swen' worm uses in posting to newsgroups), this is somewhat difficult to
explain, so I'll append an example of the same information that was posted
to microsoft.public.security.virus (not cross-posted as the 'swen' worm
cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have
valid hot-links to appropriate Microsoft websites, it's just that they also
have a malformed header and an infected attachment]) in a much better
fashion. If you are not viewing this thread in the
microsoft.public.security.virus you may not realize how bad the post from
"Jerry Bryant [MSFT] looks in context.

Realize that millons of fake, infected "Microsoft Security Bulletins" are
being sent out hourly by systems and networks infected by the 'swen' worm.
Some of us are geting a thousand or more each day. That makes it extremely
important to make every effort to insure any legitimate information
purporting to be from Microsoft to distinguish itself from that provided by
the 'swen' worm.

Just in case you need a glimpse of the 'swen' worm product, look at (but be
very, very sure that you have all necessary Microsoft security patches and
Service Packs installed AND have an antivirus program with the latest virus
definitions scanning all operations of your computer before looking) the
post to microsoft.public.security.virus

Watch this security patch
From: Karol
Sent: 02OCT03 4:18 PM EDT


The post generated by the 'swen' worm has a malformed header AND has the ~
106,000 byte infectious attachment. Open this attached file and, without
up-to-date antivirus protection on your Windows 98 and up operating system
and your system WILL be infected.
______________________
Quote Begins
______________________
-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------ ----
Title: Cumulative Patch for Internet Explorer (828750)
Date: October 3, 2003
Software: Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-040

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
- ------------------------------------------------------------------ ----

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
In addition, it eliminates the following newly discovered
vulnerabilities:

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server in a
popup window. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user
visited an attacker's Web site, it would be possible for the attacker
to exploit this vulnerability without any other user action. An
attacker could also craft an HTML-based e-mail that would attempt to
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server during
XML data binding. It could be possible for an attacker who exploited
this vulnerability to run arbitrary code on a user's system. If a
user visited an attacker's Web site, it would be possible for the
attacker to exploit this vulnerability without any other user action.
An attacker could also craft an HTML-based e-mail that would attempt
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
Restricted Zone. It could be possible for an attacker exploiting a
separate vulnerability (such as one of the two vulnerabilities
discussed above) to cause Internet Explorer to run script code in the
security context of the Internet Zone. In addition, an attacker could
use Windows Media Player's (WMP) ability to open URL's to construct
an attack. An attacker could also craft an HTML-based e-mail that
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively an
attacker would have to host a malicious Web site that contained a Web
page designed to exploit these vulnerabilities. The attacker would
then have to persuade a user to visit that site.

As with the previous Internet Explorer cumulative patches released
with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this
cumulative patch will cause window.showHelp( ) to cease to function
if you have not applied the HTML Help update. If you have installed
the updated HTML Help control from Knowledge Base article 811630, you
will still be able to use HTML Help functionality after applying this
patch.

In addition to applying this security patch it is recommended that
users also install the Windows Media Player update referenced in
Knowledge Base Article 828026. This update is available from Windows
Update as well as the Microsoft Download Center for all supported
versions of Windows Media Player. While not a security patch, this
update contains a change to the behavior of Windows Media Player's
ability to launch URL's to help protect against DHTML behavior based
attacks. Specifically, it restricts Windows Media Player's ability
to launch URL's in the local computer zone from other zones.

Mitigating Factors:
====================
- -By default, Internet Explorer on Windows Server 2003 runs in
Enhanced
Security Configuration. This default configuration of Internet
Explorer
blocks automatic exploitation of this attack. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections
put in place that prevent this vulnerability from being automatically
exploited would be removed.

- -In the Web-based attack scenario, the attacker would have to host a
Web site that contained a Web page used to exploit this
vulnerability. An attacker would have no way to force a user to
visit a malicious Web Site. Instead, the attacker would need to lure
them there, typically by getting them to click a link that would take
them to the attacker's site.

- -Exploiting the vulnerability would allow the attacker only the same
privileges as the user. Users whose accounts are configured to have
few privileges on the system would be at less risk than ones who
operate with administrative privileges.

Risk Rating:
============
-Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
for information on obtaining this patch.


- ------------------------------------------------------------------ ---

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.




-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBP34rCY0ZSRQxA/UrAQFmqAgAlS+ZctG+OT7Rd49WfGdz2ISdMNZ1E1ay
IpWYrj5leBrc5KTLf7fadhy9209A96gppJbV6lIWqP1gvQWrWaW8XZzyhvsX7FH+
922nYeQLUsPp3R+wA2jZP6OvcfTFOUqa4nDM9oisO7qMEc2SuDdQWont2IzeAf6h
3P6VjblfQ72pxPAYuFSRN0xKZGzqcSKqWYwy+APgjp3a+J1tO17ur+1jhz6BgI9w
CZcAOxluayX6IxOixaWFBZUmiITGFImYFY1Ql+LQSdTCVv11R+IKrhAsRwfyfA9r
7AqjjZfWrB/ScpPdrobt3W9eFSxgHCjMen7SIB5SuTldsWwpu7IBHg==
=vhUD
-----END PGP SIGNATURE-----


--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone -


_______________
Quote Ends
--
Invisible Dance, (e-mail address removed)

Jupiter Jones said:
Phil;
Why are you posting "It is meant to sound harsh"?
This is a newsgroup.
One purpose is to exchange of information.
Jerry gave information about an important Critical Update.
How much more of an explanation is needed.
Instead of wasting bandwidth, Jerry posted the relevant link, click
it, the link works.
 
Jupiter, so, it's ok to mass post... Let e'r rip...

With MS03-040 M$ released a 6% fix with some good descriptions of what to
change with IE
security setting.

What I can not figure out is what exactly this is supposed to fix.
Trojan.QHosts? Something other kind of Trojan/virus/worm. The technical
details and FAQs have a lot of wording about this and that - all good stuff.
But it looks like it all comes down to two fixes (three if you include the
Media player update):

a.. Object Tag vulnerability in Popup Window: CAN-2003-0838
b.. Object Tag vulnerability with XML data binding: CAN-2003-0809

The odd thing is the two "CAN-xxxx-xxxx" links don't work in the security
bulletin. If I try to match it up to the 31 IE vulnerabilities listed on
"http://www.pivx.com/larholm/unpatched" then it looks like M$ fixed 2 of the
31 (6%) leaving us with 29 (94%) IE vulnerabilities to go.

Still waiting for the other 94% of the IE fixes...

Jupiter Jones said:
I am viewing this thread through the Microsoft servers and I do see a
difference.
Perhaps you need to read more posts.
People often point out that this information does not get enough
publicity in these newsgroups.
Now Microsoft posts this very information to the newsgroups and people
complain.
Microsoft will lose no matter what they do.
Some of the patches need massive exposure.
In a 2 hour time frame, I saw the information about this patch from at
least 4 different methods.
This is what it is sometimes necessary to do.

You can pick all you want, the point is the information is getting out
in a non threatening way.
There are NO attachments.
If you would like to panic over a legitimate post, what did you do
when all the viruses were here?

I obviously realize a lot more than you think, a point that should be
obvious to you if you only look.

--
Jupiter Jones [MVP]
An easier way to read newsgroup messages:
http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp
http://dts-l.org/index.html


Invisible Dance said:
Since "Jerry Bryant [MSFT] massively cross-posted (the same technique the
'swen' worm uses in posting to newsgroups), this is somewhat difficult to
explain, so I'll append an example of the same information that was posted
to microsoft.public.security.virus (not cross-posted as the 'swen' worm
cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have
valid hot-links to appropriate Microsoft websites, it's just that they also
have a malformed header and an infected attachment]) in a much better
fashion. If you are not viewing this thread in the
microsoft.public.security.virus you may not realize how bad the post from
"Jerry Bryant [MSFT] looks in context.

Realize that millons of fake, infected "Microsoft Security Bulletins" are
being sent out hourly by systems and networks infected by the 'swen' worm.
Some of us are geting a thousand or more each day. That makes it extremely
important to make every effort to insure any legitimate information
purporting to be from Microsoft to distinguish itself from that provided by
the 'swen' worm.

Just in case you need a glimpse of the 'swen' worm product, look at (but be
very, very sure that you have all necessary Microsoft security patches and
Service Packs installed AND have an antivirus program with the latest virus
definitions scanning all operations of your computer before looking) the
post to microsoft.public.security.virus

Watch this security patch
From: Karol
Sent: 02OCT03 4:18 PM EDT


The post generated by the 'swen' worm has a malformed header AND has the ~
106,000 byte infectious attachment. Open this attached file and, without
up-to-date antivirus protection on your Windows 98 and up operating system
and your system WILL be infected.
______________________
Quote Begins
______________________
-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------ ----
Title: Cumulative Patch for Internet Explorer (828750)
Date: October 3, 2003
Software: Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-040

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
- ------------------------------------------------------------------ ----

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
In addition, it eliminates the following newly discovered
vulnerabilities:

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server in a
popup window. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user
visited an attacker's Web site, it would be possible for the attacker
to exploit this vulnerability without any other user action. An
attacker could also craft an HTML-based e-mail that would attempt to
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server during
XML data binding. It could be possible for an attacker who exploited
this vulnerability to run arbitrary code on a user's system. If a
user visited an attacker's Web site, it would be possible for the
attacker to exploit this vulnerability without any other user action.
An attacker could also craft an HTML-based e-mail that would attempt
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
Restricted Zone. It could be possible for an attacker exploiting a
separate vulnerability (such as one of the two vulnerabilities
discussed above) to cause Internet Explorer to run script code in the
security context of the Internet Zone. In addition, an attacker could
use Windows Media Player's (WMP) ability to open URL's to construct
an attack. An attacker could also craft an HTML-based e-mail that
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively an
attacker would have to host a malicious Web site that contained a Web
page designed to exploit these vulnerabilities. The attacker would
then have to persuade a user to visit that site.

As with the previous Internet Explorer cumulative patches released
with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this
cumulative patch will cause window.showHelp( ) to cease to function
if you have not applied the HTML Help update. If you have installed
the updated HTML Help control from Knowledge Base article 811630, you
will still be able to use HTML Help functionality after applying this
patch.

In addition to applying this security patch it is recommended that
users also install the Windows Media Player update referenced in
Knowledge Base Article 828026. This update is available from Windows
Update as well as the Microsoft Download Center for all supported
versions of Windows Media Player. While not a security patch, this
update contains a change to the behavior of Windows Media Player's
ability to launch URL's to help protect against DHTML behavior based
attacks. Specifically, it restricts Windows Media Player's ability
to launch URL's in the local computer zone from other zones.

Mitigating Factors:
====================
- -By default, Internet Explorer on Windows Server 2003 runs in
Enhanced
Security Configuration. This default configuration of Internet
Explorer
blocks automatic exploitation of this attack. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections
put in place that prevent this vulnerability from being automatically
exploited would be removed.

- -In the Web-based attack scenario, the attacker would have to host a
Web site that contained a Web page used to exploit this
vulnerability. An attacker would have no way to force a user to
visit a malicious Web Site. Instead, the attacker would need to lure
them there, typically by getting them to click a link that would take
them to the attacker's site.

- -Exploiting the vulnerability would allow the attacker only the same
privileges as the user. Users whose accounts are configured to have
few privileges on the system would be at less risk than ones who
operate with administrative privileges.

Risk Rating:
============
-Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
for information on obtaining this patch.


- ------------------------------------------------------------------ ---

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.




-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBP34rCY0ZSRQxA/UrAQFmqAgAlS+ZctG+OT7Rd49WfGdz2ISdMNZ1E1ay
IpWYrj5leBrc5KTLf7fadhy9209A96gppJbV6lIWqP1gvQWrWaW8XZzyhvsX7FH+
922nYeQLUsPp3R+wA2jZP6OvcfTFOUqa4nDM9oisO7qMEc2SuDdQWont2IzeAf6h
3P6VjblfQ72pxPAYuFSRN0xKZGzqcSKqWYwy+APgjp3a+J1tO17ur+1jhz6BgI9w
CZcAOxluayX6IxOixaWFBZUmiITGFImYFY1Ql+LQSdTCVv11R+IKrhAsRwfyfA9r
7AqjjZfWrB/ScpPdrobt3W9eFSxgHCjMen7SIB5SuTldsWwpu7IBHg==
=vhUD
-----END PGP SIGNATURE-----


--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone -


_______________
Quote Ends
--
Invisible Dance, (e-mail address removed)

Jupiter Jones said:
Phil;
Why are you posting "It is meant to sound harsh"?
This is a newsgroup.
One purpose is to exchange of information.
Jerry gave information about an important Critical Update.
How much more of an explanation is needed.
Instead of wasting bandwidth, Jerry posted the relevant link, click
it, the link works.
 
"mass post" "cross post" same thing...

My basic question is: Does MS03-040 fix the Trojan.Qhosts bug??? Do we just
guess or wait for Symantec to tell us??

Thanks

Me2 said:
Jupiter, so, it's ok to mass post... Let e'r rip...

With MS03-040 M$ released a 6% fix with some good descriptions of what to
change with IE
security setting.

What I can not figure out is what exactly this is supposed to fix.
Trojan.QHosts? Something other kind of Trojan/virus/worm. The technical
details and FAQs have a lot of wording about this and that - all good stuff.
But it looks like it all comes down to two fixes (three if you include the
Media player update):

a.. Object Tag vulnerability in Popup Window: CAN-2003-0838
b.. Object Tag vulnerability with XML data binding: CAN-2003-0809

The odd thing is the two "CAN-xxxx-xxxx" links don't work in the security
bulletin. If I try to match it up to the 31 IE vulnerabilities listed on
"http://www.pivx.com/larholm/unpatched" then it looks like M$ fixed 2 of the
31 (6%) leaving us with 29 (94%) IE vulnerabilities to go.

Still waiting for the other 94% of the IE fixes...

Jupiter Jones said:
I am viewing this thread through the Microsoft servers and I do see a
difference.
Perhaps you need to read more posts.
People often point out that this information does not get enough
publicity in these newsgroups.
Now Microsoft posts this very information to the newsgroups and people
complain.
Microsoft will lose no matter what they do.
Some of the patches need massive exposure.
In a 2 hour time frame, I saw the information about this patch from at
least 4 different methods.
This is what it is sometimes necessary to do.

You can pick all you want, the point is the information is getting out
in a non threatening way.
There are NO attachments.
If you would like to panic over a legitimate post, what did you do
when all the viruses were here?

I obviously realize a lot more than you think, a point that should be
obvious to you if you only look.

--
Jupiter Jones [MVP]
An easier way to read newsgroup messages:
http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp
http://dts-l.org/index.html


Invisible Dance said:
Since "Jerry Bryant [MSFT] massively cross-posted (the same technique the
'swen' worm uses in posting to newsgroups), this is somewhat difficult to
explain, so I'll append an example of the same information that was posted
to microsoft.public.security.virus (not cross-posted as the 'swen' worm
cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have
valid hot-links to appropriate Microsoft websites, it's just that they also
have a malformed header and an infected attachment]) in a much better
fashion. If you are not viewing this thread in the
microsoft.public.security.virus you may not realize how bad the post from
"Jerry Bryant [MSFT] looks in context.

Realize that millons of fake, infected "Microsoft Security Bulletins" are
being sent out hourly by systems and networks infected by the 'swen' worm.
Some of us are geting a thousand or more each day. That makes it extremely
important to make every effort to insure any legitimate information
purporting to be from Microsoft to distinguish itself from that provided by
the 'swen' worm.

Just in case you need a glimpse of the 'swen' worm product, look at (but be
very, very sure that you have all necessary Microsoft security patches and
Service Packs installed AND have an antivirus program with the latest virus
definitions scanning all operations of your computer before looking) the
post to microsoft.public.security.virus

Watch this security patch
From: Karol
Sent: 02OCT03 4:18 PM EDT


The post generated by the 'swen' worm has a malformed header AND has the ~
106,000 byte infectious attachment. Open this attached file and, without
up-to-date antivirus protection on your Windows 98 and up operating system
and your system WILL be infected.
______________________
Quote Begins
______________________
-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------ ----
Title: Cumulative Patch for Internet Explorer (828750)
Date: October 3, 2003
Software: Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-040

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
- ------------------------------------------------------------------ ----

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
In addition, it eliminates the following newly discovered
vulnerabilities:

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server in a
popup window. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user
visited an attacker's Web site, it would be possible for the attacker
to exploit this vulnerability without any other user action. An
attacker could also craft an HTML-based e-mail that would attempt to
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server during
XML data binding. It could be possible for an attacker who exploited
this vulnerability to run arbitrary code on a user's system. If a
user visited an attacker's Web site, it would be possible for the
attacker to exploit this vulnerability without any other user action.
An attacker could also craft an HTML-based e-mail that would attempt
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
Restricted Zone. It could be possible for an attacker exploiting a
separate vulnerability (such as one of the two vulnerabilities
discussed above) to cause Internet Explorer to run script code in the
security context of the Internet Zone. In addition, an attacker could
use Windows Media Player's (WMP) ability to open URL's to construct
an attack. An attacker could also craft an HTML-based e-mail that
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively an
attacker would have to host a malicious Web site that contained a Web
page designed to exploit these vulnerabilities. The attacker would
then have to persuade a user to visit that site.

As with the previous Internet Explorer cumulative patches released
with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this
cumulative patch will cause window.showHelp( ) to cease to function
if you have not applied the HTML Help update. If you have installed
the updated HTML Help control from Knowledge Base article 811630, you
will still be able to use HTML Help functionality after applying this
patch.

In addition to applying this security patch it is recommended that
users also install the Windows Media Player update referenced in
Knowledge Base Article 828026. This update is available from Windows
Update as well as the Microsoft Download Center for all supported
versions of Windows Media Player. While not a security patch, this
update contains a change to the behavior of Windows Media Player's
ability to launch URL's to help protect against DHTML behavior based
attacks. Specifically, it restricts Windows Media Player's ability
to launch URL's in the local computer zone from other zones.

Mitigating Factors:
====================
- -By default, Internet Explorer on Windows Server 2003 runs in
Enhanced
Security Configuration. This default configuration of Internet
Explorer
blocks automatic exploitation of this attack. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections
put in place that prevent this vulnerability from being automatically
exploited would be removed.

- -In the Web-based attack scenario, the attacker would have to host a
Web site that contained a Web page used to exploit this
vulnerability. An attacker would have no way to force a user to
visit a malicious Web Site. Instead, the attacker would need to lure
them there, typically by getting them to click a link that would take
them to the attacker's site.

- -Exploiting the vulnerability would allow the attacker only the same
privileges as the user. Users whose accounts are configured to have
few privileges on the system would be at less risk than ones who
operate with administrative privileges.

Risk Rating:
============
-Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
for information on obtaining this patch.


- ------------------------------------------------------------------ ---

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.




-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBP34rCY0ZSRQxA/UrAQFmqAgAlS+ZctG+OT7Rd49WfGdz2ISdMNZ1E1ay
IpWYrj5leBrc5KTLf7fadhy9209A96gppJbV6lIWqP1gvQWrWaW8XZzyhvsX7FH+
922nYeQLUsPp3R+wA2jZP6OvcfTFOUqa4nDM9oisO7qMEc2SuDdQWont2IzeAf6h
3P6VjblfQ72pxPAYuFSRN0xKZGzqcSKqWYwy+APgjp3a+J1tO17ur+1jhz6BgI9w
CZcAOxluayX6IxOixaWFBZUmiITGFImYFY1Ql+LQSdTCVv11R+IKrhAsRwfyfA9r
7AqjjZfWrB/ScpPdrobt3W9eFSxgHCjMen7SIB5SuTldsWwpu7IBHg==
=vhUD
-----END PGP SIGNATURE-----


--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone -


_______________
Quote Ends
--
Invisible Dance, (e-mail address removed)

Phil;
Why are you posting "It is meant to sound harsh"?
This is a newsgroup.
One purpose is to exchange of information.
Jerry gave information about an important Critical Update.
How much more of an explanation is needed.
Instead of wasting bandwidth, Jerry posted the relevant link, click
it, the link works.
 
Me2 said:
"mass post" "cross post" same thing...

My basic question is: Does MS03-040 fix the Trojan.Qhosts bug??? Do
we just guess or wait for Symantec to tell us??

It is a fix for the hole that Qhosts attempts to use.
 
Invisible Dance wrote:

[snip]

We realise you are upset but copying and pasting the same post over and over
does not improve your chances of getting anyones sympathy. If you feel your
point is valid then its valid in one post, it doesn't need another 5 copies.
 
Invisible Dance said:
Realize that millons of fake, infected "Microsoft Security Bulletins" are
being sent out hourly by systems and networks infected by the 'swen' worm.
Some of us are geting a thousand or more each day. That makes it extremely
important to make every effort to insure any legitimate information
purporting to be from Microsoft to distinguish itself from that provided by
the 'swen' worm.

I would expect that after receiving "a thousand or more each day" you would
spot the difference in a heartbeat.

One. There was no attachment - all Swen messages have attachments.

Two. It was plain text. All Swen are html.

Three. All you have to do is look at the message headers to see that it is a
genuine message from Microsoft. It was sent from WITHIN MICROSOFT ITSELF
(NNTP-Posting-Host: tide159.microsoft.com 207.46.225.243)

Four. I have not seen a single Swen posted by somebody using [MSFT] in their
name, or an (e-mail address removed) address.

--
Install the latest IE cumulative patch for protection against QHost:
http://www.microsoft.com/security/security_bulletins/ms03-040.asp
More information about QHosts can be found here:
http://www.mvps.org/inetexplorer/darnit_3.htm#qhost
________________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://www.mvps.org/inetexplorer
 
I agree with the statements below...

Brian

--
Brian Gaff....
graphics are great, but the blind can't hear them
Email: (e-mail address removed)
____________________________________________________________________________
__________________________________


| This may sound harsh.
|
| It is meant to sound harsh.
|
| I just re-read it.
|
| I am still posting it.
|
| Pardon me, but don't you think you could have EXPLAINED the meaning and
| importance of this (AND the other critical fix just issued)? What does
| MSFT, MSCE, or MCDBA mean if YOU are allow to put it after your name? Not
| much, evidently.
|
| Take into account the users who are asking questions on these newsgroups.
|
| Take into account that they all are worried about the flood of infected,
| fake Microsoft security bulletins that USE EXACTLY THE SAME LANGUAGE as
what
| you just posted.
|
| Pardon me, but do you have ANY idea how foolish your post is? Why did you
| do it? Was ANY thought involved?
|
| I am appalled. Do you have a keeper? Does Microsoft know what you are
| doing?
|
| And cross-posted too, just like the 'swen' worm posts to newsgroups!
|
|
|
| Please, could some responsible adult at Microsoft cancel the top of this
| thread.... quickly, before more damage is done? Except, of course, for
the
| newsgroup that does not resolve!
|
|
|
| --
| Invisible Dance, (e-mail address removed)
| normally I've posted using a different e-mail address and name: Phil
Weldon,
| and something close to p well done in mindjump, but I'll get any e-mail
sent
| to the e-mail address above (probably more reliably because THAT mailbox
| does not yet get 1800 infected e-mails each day.)
|
| | > Title: Cumulative Patch for Internet Explorer Execution (828750)
| > Date: October 3, 2003
| > Software:
| > Internet Explorer 5.01
| > Internet Explorer 5.5
| > Internet Explorer 6.0
| > Internet Explorer 6.0 for Windows Server 2003
| > Impact: Run code of attacker's choice.
| > Maximum Severity Rating: Critical
| > Bulletin: MS03-040
| >
| > The Microsoft Security Response Center has released Microsoft Security
| > Bulletin MS03-040
| >
| > What Is It?
| > The Microsoft Security Response Center has released Microsoft Security
| > Bulletin MS03-040 which concerns a vulnerability in Internet Explorer.
| > Customers are advised to review the information in the bulletin, test
and
| > deploy the patch immediately in their environments, if applicable.
| >
| > More information is now available at
| > http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
| >
| > If you have any questions regarding the patch or its implementation
after
| > reading the above listed bulletin you should contact Product Support
| > Services in the United States at 1-866-PCSafety (1-866-727-2338).
| > International customers should contact their local subsidiary.
| >
| >
| >
| > --
| > Regards,
| >
| > Jerry Bryant - MCSE, MCDBA
| > Microsoft IT Communities
| >
| > Get Secure! www.microsoft.com/security
| >
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| rights.
| >
| >
|
|
 
Rob,

I don't know about "attempts to use" when Trojan.Qhosts actually DOES use
something. The infection is not nice...

Rhetorical questions: Why doesn't Microsoft post information about current
Trojans/viruses/worms like Trojan.Qhosts??? Does it take hundreds of
thousands or millions of infections to warrant a note??? Is thousands (or
tens of thousands) not merely enough??? The www.microsoft.com/security page
"Technical Virus Alerts" lists a massive 26 entries from Nov 26 2001
(badtrans) through Sep 18 2003 (swen). Does the Trojan.Qhosts warrant a fix
(ms03-040) but not an entry on this list?

I know that M$ is just kinda waking up to the reality that they are directly
responsible for the security of millions of users and organizations that
rely on their software (and trust?), but is it too much to ask to be kept
informed - directly from M$ - about a Trojan that is compromising
security??? The security bulletins about installing a fix are good (and
parentaly required) but it would also be nice to get a warning from M$ that
a new xyz bug is now a problem and this is what you should do to prevent
infection. I think that this is what they are doing with the "please set IE
security to high" and disable HTML in email, untill M$ releases the IE
patches beyond MS03-040.

Yes, I know, how can M$ be held responsible for a users security... When
it's nearly impossible to buy a computer without M$ software - that's when.
When you buy a car, does Toyota give you small little window to read a huge
legal document in and a check box that basically says "click here to start
the car". Oh, by the way, when you clicked the little box, we [Toyota] are
not responsible for the seat belts, breaks, door locks, bumpers, engine etc
working - didn't you read that in the little window [one time] before you
started the car? How nice...

<rant end>
 
I would expect that after receiving "a thousand or more each day" you would
spot the difference in a heartbeat.

One. There was no attachment - all Swen messages have attachments.

Two. It was plain text. All Swen are html.

Three. All you have to do is look at the message headers to see that it is a
genuine message from Microsoft. It was sent from WITHIN MICROSOFT ITSELF
(NNTP-Posting-Host: tide159.microsoft.com 207.46.225.243)

Four. I have not seen a single Swen posted by somebody using [MSFT] in their
name, or an (e-mail address removed) address.

Sandy, it's like talking to the wind.
All you have written above is true, known to each person able to
browse to MS's website and click on the links and it's useless
altogether.
If solving a problem would be such easy no one ever will open an
attachment unproved, no one will use the outlook default settings (a
part MS is - at least partly - responsible for), no one will be
surfing the internet without virus scan engine, firewall.
One thing we all may have to accept is: There are users outside with
no or half breed knowledge about computers, internet (usenet) which
are unable to put the pieces together.
This is why we have a job in the computer business (a well paid (I
hope) and an interesting one (most of the time)).
Such things like here will happen each time a bug will spread malware.
A lot of users doesn't have the skills we all want.

And I have to say: I don't think that it will be ultimately solved by
technical solutions.


Ciao, Walter
 
Me2 said:
Rob,

I don't know about "attempts to use" when Trojan.Qhosts actually DOES
use something. The infection is not nice...

"Attempts to use" was meant in the sense that it would fail once the patch
is applied. Nothing more. Apologies for any confusion or if you felt I
wasn't taking this seriously.
Rhetorical questions: Why doesn't Microsoft post information about
current Trojans/viruses/worms like Trojan.Qhosts??? Does it take
hundreds of thousands or millions of infections to warrant a note???
Is thousands (or tens of thousands) not merely enough??? The
www.microsoft.com/security page "Technical Virus Alerts" lists a
massive 26 entries from Nov 26 2001 (badtrans) through Sep 18 2003
(swen). Does the Trojan.Qhosts warrant a fix (ms03-040) but not an
entry on this list?

Good question. Even with the purchase of RAV, Microsoft obviously don't see
themselves currently as in the antivirus business. There are several viruses
and the like "discovered" daily.. yes every day, and even those companies
that are in the antivirus business don't make a big song and dance about any
except those they think are going to be a serious problem.

Leaving aside QHosts specifically for the moment, and asking a general
question of my own, if I may. If Microsoft and the antivirus companies made
as big a fuss about even the trivial stuff as they do about the serious
stuff, do you think that would heighten awareness? Or would it be more
likely to confuse people and cause them to "switch off" and not listen to
the warnings?

I suspect there isn't a single "right" answer to that question.


Regards,
--
 
Back
Top