Microsoft Internet Explorer MS04-038 patch is not installed

ie-ms04038-patch (17651): High Risk

Description:

The patch specified in Microsoft Internet Explorer MS04-038 is not installed, which could allow a remote attacker to exploit the following eight vulnerabilities:

Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 could allow a remote attacker to perform malicious actions on a victim's computer without the victim's knowledge. A remote attacker could create a specially-crafted Web page that uses the popup.show method, which would allow the attacker to perform unauthorized actions on the victim's system. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email.

Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 are vulnerable to cross-site scripting. A remote attacker could redirect a function to another function with the same name to bypass security restrictions. A remote attacker could create a malicious Web page containing embedded code, which would be executed in the victim's Web browser within the security context of the hosting site, once the Web page is visited.

Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 are vulnerable to a denial of service attack. By creating a specially-crafted Web page containing a STYLE tag followed by a comment that is not terminated, a remote attacker can cause Internet Explorer to crash, once the Web page is visited. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a potential victim as an HTML email.

Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 could allow a remote attacker to execute arbitrary code on a victim's system, caused by a vulnerability regarding the dragDrop method. A remote attacker could create a malicious file that would be written to the victim's startup folder, if the victim performs a drag and drop action on the malicious file. This would allow the attacker to execute arbitrary code on the vulnerable system, once the system restarts. An attacker could exploit this vulnerability by hosting the malicious file on a Web page or by sending it to a victim as an HTML email.

Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 are vulnerable to a heap-based overflow in the InstallEngineCtl Object (asctrls.ocx) ActiveX control. A remote attacker could create a specially-crafted Web page that supplies a long string as the first argument to the SetCifFile method, which would allow the attacker to execute arbitrary code on the victim's system, once the malicious Web page is visited. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email.

Microsoft Internet Explorer version 6.0 SP1 within a Double Byte Character Set (DBCS) environment could allow a remote attacker to spoof a trusted Web page by altering the URL that is displayed in the Internet Explorer address bar. The vulnerability occurs when Internet Explorer, using DBCS, parses special characters in an HTTP URL. A remote attacker could create a specially-crafted Web page, which would display the URL of a trusted Web site in the address bar, but display the content of the malicious Web page, once the victim visits the malicious Web page. The attacker could exploit this vulnerability to obtain sensitive information but must first trick the user into visiting a malicious Web site.

Microsoft Internet Explorer versions 5.01, 5.5, and 6.0 could allow a remote attacker to execute arbitrary code on the system, caused by the way Internet Explorer handles cached contents from SSL protected Web sites. Secure Sockets Layer (SSL) is a protocol used to encrypt Web sessions to increase security, and is indicated by a lock icon in the browser window. If a remote attacker creates a Web site with the same host name as a legitimate site using SSL and redirects navigation to the malicious Web site, the attacker would cause the information to be cached to the local system. Once the victim visits the legitimate site in a second session, the information would be loaded in the context of the legitimate Web site. This could allow the attacker to obtain sensitive information or spoof content on SSL protected Web sites.

Microsoft Internet Explorer versions 5.5 and 6.0 could allow a remote attacker to spoof a trusted Web page by altering the URL that is displayed in the Internet Explorer address bar, caused by improper handling of navigations from plug-ins. A remote attacker could create a specially-crafted Web page, which would display the URL of a trusted Web site, once the victim visits the malicious Web page. An attacker could then use this vulnerability to gain sensitive information from unsuspecting users.


Consequences:

Gain Access

Remedy:

Apply the appropriate patches for your system, as listed in Microsoft Security Bulletin MS04-038. See References.

References:

  • IBM Internet Security Systems X-Force Database: Microsoft Internet Explorer dragDrop allows code execution.
  • IBM Internet Security Systems X-Force Database: Microsoft Internet Explorer popup.show allows attacker to perform actions.
  • IBM Internet Security Systems X-Force Database: Microsoft Internet Explorer function redirect cross-site scripting.
  • IBM Internet Security Systems X-Force Database: Microsoft Internet Explorer STYLE tag comment denial of service.
  • IBM Internet Security Systems X-Force Database: Heartbeat.ocx ActiveX SetupData buffer overflow.
  • IBM Internet Security Systems X-Force Database: Microsoft Internet Explorer InstallEngineCtl SetCifFile buffer overflow.
  • IBM Internet Security Systems X-Force Database: Microsoft Internet Explorer Double Byte Character Set spoof Web site to obtain information.
  • IBM Internet Security Systems X-Force Database: Microsoft Internet Explorer cache from SSL Web sites obtain information.
  • IBM Internet Security Systems X-Force Database: Microsoft Internet Explorer plug-in navigation allows address bar spoofing.
  • Microsoft Security Bulletin MS04-038: Cumulative Security Update for Internet Explorer (834707).
  • BID-10690: Microsoft Internet Explorer Popup.show Mouse Event Hijacking Vulnerability
  • BID-10816: Microsoft Internet Explorer Style Tag Comment Memory Corruption Vulnerability
  • BID-10973: Microsoft Internet Explorer Implicit Drag and Drop File Installation Vulnerability
  • BID-11366: Microsoft Internet Explorer Install Engine ActiveX Control Buffer Overflow Vulnerability
  • BID-11377: Microsoft Internet Explorer Double Byte Character Set Handling Address Bar Spoofing Vulnerability
  • BID-11381: Microsoft Internet Explorer Plug-in Navigations Handling Address Bar Spoofing Vulnerability
  • BID-11383: Microsoft Internet Explorer Secure Sockets Layer Caching Vulnerability
  • CVE-2004-0216: Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.
  • CVE-2004-0727: Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the Similar Method Name Redirection Cross Domain Vulnerability.
  • CVE-2004-0839: Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by wottapoop.html.
  • CVE-2004-0841: Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka HijackClick 3 and the Script in Image Tag File Download Vulnerability.
  • CVE-2004-0842: Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from memory corruption) via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the <STYLE>@;/* string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the CSS Heap Memory Corruption Vulnerability.
  • CVE-2004-0843: Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the Plug-in Navigation Address Bar Spoofing Vulnerability.
  • CVE-2004-0844: Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the Address Bar Spoofing on Double Byte Character Set Systems Vulnerability.
  • CVE-2004-0845: Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.
  • US-CERT VU#431576: Microsoft Internet Explorer vulnerable to address bar spoofing on double byte character set systems
  • US-CERT VU#625616: Microsoft Internet Explorer does not properly handle navigations from plug-ins
  • US-CERT VU#795720: Microsoft Internet Explorer does not properly handle cached HTTPS contents

Platforms Affected:

  • Microsoft Internet Explorer 5.01 SP3
  • Microsoft Internet Explorer 5.01 SP4
  • Microsoft Internet Explorer 5.5 SP2
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 6.0 SP1
  • Microsoft Windows 2000 SP4
  • Microsoft Windows 2000 SP3
  • Microsoft Windows 2003 Server x64
  • Microsoft Windows 2003 Server
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows Me
  • Microsoft Windows NT 4.0 SP6 Terminal Server
  • Microsoft Windows NT 4.0 SP6a Server
  • Microsoft Windows XP 2003 x64
  • Microsoft Windows XP SP1 x64
  • Microsoft Windows XP SP2
  • Microsoft Windows XP SP1
  • Microsoft Windows XP

Reported:

Oct 08, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
