MustangWorks.com : Ford Forums


mean81GT 03-01-2002 06:54 PM

Did anyone else hear about this?
 
> > Good Afternoon Folks,
> > Just got this about 10 minutes ago. Pretty serious stuff. My advice is to
> > get this patch ASAP. If you're not sure how to tell which version of
> > Internet Explorer you have:
> > 1- Open up your browser (Internet Explorer)
> > 2- Click on the "Help" section found up at the top of the browser.
> > 3- Click on "About Internet Explorer"
> > You'll find out what version number of Internet Explorer you have.
> >
> > --------------------------------------------------------------------------
> >
> > Buffer Overflow in Microsoft Internet Explorer
> >
> > Original release date: February 25, 2002
> > Last revised: --
> > Source: CERT/CC
> >
> > Systems Affected
> >
> > * Microsoft Internet Explorer
> > * Microsoft Outlook and Outlook Express
> > * Other applications that use the Internet Explorer HTML rendering
> >   engine
> >
> >
> > Overview
> >
> > Microsoft Internet Explorer contains a buffer overflow vulnerability
> > in its handling of embedded objects in HTML documents. This
> > vulnerability could allow an attacker to execute arbitrary code on the
> > victim's system when the victim visits a web page or views an HTML
> > email message.
> >
> >
> > I. Description
> >
> > Internet Explorer supports the <EMBED> directive, which can be used to
> > include arbitrary objects in HTML documents. Common types of embedded
> > objects include multimedia files, Java applets, and ActiveX controls.
> > The SRC attribute specifies the source path and filename of an object.
> > For example, a MIDI sound might be embedded in a web page with the
> > following HTML code:
> >
> > <EMBED TYPE="audio/midi" SRC="/path/sound.mid" AUTOSTART="true">
> >
> > Internet Explorer uses attributes of the <EMBED> directive and MIME
> > information from the web server to determine how to handle an embedded
> > object. In most cases, a separate application or plugin is used.
> >
> > A group of Russian researchers, SECURITY.NNOV, has reported that
> > Internet Explorer does not properly handle the SRC attribute of the
> > <EMBED> directive. An HTML document, such as a web page or HTML email
> > message, that contains a crafted SRC attribute can trigger a buffer
> > overflow, executing code with the privileges of the user viewing the
> > document. Microsoft Internet Explorer, Outlook, and Outlook Express
> > are vulnerable. Other applications that use the Internet Explorer HTML
> > rendering engine, such as Windows compiled HTML help (.chm) files and
> > third-party email clients, may also be vulnerable.
> >
> > The CERT/CC is tracking this vulnerability as VU#932283, which
> > corresponds directly to the "buffer overrun" vulnerability described
> > in Microsoft Security Bulletin MS02-005.
> >
> > This vulnerability has been assigned the CVE identifier CAN-2002-0022.
> >
> >
> > II. Impact
> >
> > By convincing a user to view a malicious HTML document, an attacker
> > can cause the Internet Explorer HTML rendering engine to execute
> > arbitrary code with the privileges of the user who viewed the HTML
> > document. This vulnerability could be exploited to distribute viruses,
> > worms, or other malicious code.
> >
> >
> > III. Solution
> >
> > Apply a patch
> >
> > Microsoft has released a cumulative patch for Internet Explorer that
> > corrects this vulnerability and several others. For more information
> > about the patch and the vulnerabilities, please see Microsoft Security
> > Bulletin MS02-005:
> >
> > http://www.microsoft.com/technet/sec...n/MS02-005.asp
> >
> > Disable ActiveX Controls and Plugins
> >
> > In Internet Explorer, plugins may be used to view, play, or otherwise
> > process embedded objects. The execution of embedded objects is
> > controlled by the "Run ActiveX Controls and Plugins" security option.
> > Disabling this option will prevent embedded objects from being
> > processed, and will therefore prevent exploitation of this
> > vulnerability.
> >
> > According to MS02-005:
> >
> > The vulnerability could not be exploited if the "Run ActiveX
> > Controls and Plugins" security option were disabled in the Security
> > Zone in which the page was rendered. This is the default condition
> > in the Restricted Sites Zone, and can be disabled manually in any
> > other Zone.
> >
> > At a minimum, disable the "Run ActiveX Controls and Plugins" security
> > option in the Internet Zone and the zone used by Outlook or Outlook
> > Express. The "Run ActiveX Controls and Plugins" security option is
> > disabled in the "High" zone security setting. Instructions for
> > configuring the Internet Zone to use the "High" zone security setting
> > can be found in the CERT/CC Malicious Web Scripts FAQ:
> >
> > http://www.cert.org/tech_tips/malici...FAQ.html#steps
> >
> > Apply the Outlook Email Security Update
> >
> > Another way to effectively disable the processing of ActiveX controls
> > and plugins in Outlook is to install the Outlook Email Security
> > Update. The update configures Outlook to open email messages in the
> > Restricted Sites Zone, where the "Run ActiveX Controls and Plugins"
> > security option is disabled by default. In addition, the update
> > provides further protection against malicious code that attempts to
> > propagate via Outlook.
> >
> > * Outlook 2002 and Outlook Express 6
> >   The functionality of the Outlook Email Security Update is included
> >   in Outlook 2002 and Outlook Express 6.
> > * Outlook 2000
> >   http://office.microsoft.com/download.../Out2ksec.aspx
> > * Outlook 98
> >   http://office.microsoft.com/download.../Out98sec.aspx
> >
> > --------------------------------------------------------------------------
> > That's all the information I've gotten so far. If anything else comes up,
> > I'll drop you nice people types email on that.
> >
> > Circle the wagons folks, looks like it's going to be a bumpy night,
> > DJ
> >
> > DJ Weininger
> > Webmaster/Internet Security Coordinator
> > Road Runner
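
The advisory quoted above says the flaw is reached through the SRC attribute of an <EMBED> element in a web page or HTML email. As an added example (not part of the thread or of the CERT/CC advisory), this Python sketch lists every <EMBED> element in the HTML parts of a mail message so a filter or reviewer can see what a message asks the rendering engine to load. The names EmbedFinder, embeds_in_html and embeds_in_message and the sample message are assumptions made for illustration.

```python
# Added example: list <EMBED> elements found in the HTML parts of an e-mail.
from email import message_from_string
from html.parser import HTMLParser


class EmbedFinder(HTMLParser):
    """Records each <EMBED> tag; HTMLParser lowercases tag and attribute names."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "embed":
            a = dict(attrs)
            self.found.append({"line": self.getpos()[0], "type": a.get("type"),
                               "src": a.get("src"), "attrs": a})


def embeds_in_html(html):
    """Return one record per <EMBED> element in an HTML string."""
    finder = EmbedFinder()
    finder.feed(html)
    finder.close()
    return finder.found


def embeds_in_message(raw):
    """Return EMBED records from every text/html part of a raw message."""
    records = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            records.extend(embeds_in_html(body.decode(charset, "replace")))
    return records


# Constructed sample message; the EMBED line is the advisory's own MIDI example.
SAMPLE = """\
From: a@example.com
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<EMBED TYPE="audio/midi" SRC="/path/sound.mid" AUTOSTART="true">
</body></html>
"""
```
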

PKRWUD 03-02-2002 04:35 AM

Makes me even happier about using a Mac!

Take care,
-Chris

srv1 03-02-2002 04:12 PM

Quote:

Originally posted by PKRWUD
Makes me even happier about using a Mac!

Take care,
-Chris

Expected, but I have an answer: I use Mozilla! OK, you're 1 up on me! :D

shadowblue89 03-02-2002 04:40 PM

Quote:

Originally posted by PKRWUD
Makes me even happier about using a Mac!

Enough said.
I am very happy with my Mac and not having all these patches.

