[8805] in bugtraq

home help back first fref pref prev next nref lref last post

Microsoft Security Bulletin (MS98-020)

daemon@ATHENA.MIT.EDU (aleph1@UNDERGROUND.ORG)
Wed Dec 23 22:14:51 1998

Date: 	Wed, 23 Dec 1998 12:23:55 -0800
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@NETSPACE.ORG

The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

Microsoft Security Bulletin (MS98-020)
--------------------------------------

Patch Available for "Frame Spoof" Vulnerability

Originally Posted: December 23, 1998

Summary
=======
Microsoft has released a patch that fixes a vulnerability in Microsoft(r)
Internet Explorer(r)  that could allow a malicious web site operator to
impersonate a window on a legitimate web site.   The threat posed by this
vulnerability is that the bogus window could collect information from  the
user and send it back to the malicious site.

A fully supported patch is available for this vulnerability, and Microsoft
recommends that all  customers download and install it to protect their
computers.

Issue
=====
This vulnerability exists because Internet Explorer's cross domain
protection does not extend to  navigation of frames. This makes it possible
for a malicious web site to insert content into a  frame within another web
site's window. If done properly, the user might not be able to tell that
the frame contents were not from the legitimate site, and could be tricked
into providing  personal data to the malicious site. Non-secure (HTTP) and
secure (HTTPS) sites are equally at  risk from this vulnerability.

While there have not been any reports of customers being adversely affected
by these problems,  Microsoft is releasing a patch to address any risks
posed by this issue.

Affected Software Versions
==========================
 - Microsoft Internet Explorer versions 3.X, 4.0, 4.01,
   4.01 Service Pack 1 for Windows 95
 - Microsoft Internet Explorer versions 4.01 Service
   Pack 1 for Windows 98
 - Microsoft Internet Explorer versions 3.X, 4.0, 4.01,
   4.01 Service Pack 1 for Windows NT 4.0
 - Microsoft Internet Explorer versions 3.X, 4.0, 4.01
   for Windows 3.1
 - Microsoft Internet Explorer versions 3.X, 4.0, 4.01
   for Windows NT 3.51
 - Microsoft Internet Explorer versions 3.X, 4.X for Macintosh
 - Microsoft Internet Explorer version 4 for UNIX on HPUX
 - Microsoft Internet Explorer version 4 for UNIX on
   Sun Solaris

No other products or versions of Internet Explorer are affected

What Microsoft is Doing
=======================
Microsoft has released a patch that fixes the problem identified. This patch
is available for  download from the sites listed below in What Customers
Should Do.

Microsoft has sent this security bulletin to customers subscribing
to the Microsoft Product Security Notification Service (see
http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service).

Microsoft has published the following Knowledge Base (KB) article on this
issue:
 - Microsoft Knowledge Base (KB) article Q167614,
   Update Available For "Frame Spoofing" Security Issue,
   http://support.microsoft.com/support/kb/articles/q167/6/14.asp
   (Note: It might take 24 hours from the original posting of
   this bulletin for the updated KB article to be visible in
   the Web-based Knowledge Base.)

What Customers Should Do
========================
Microsoft highly recommends that all affected customers download the updated
patch to protect  their computers. The complete URL for each affected
software version is given below.

NOTE: The patch for the "Frame Spoof" Vulnerability also includes two
previously-released  patches, for the "Untrusted Scripted Paste" and "Cross
Frame Navigate" vulnerabilities. Customers  who have not yet downloaded and
installed these two patches need only download and apply the  patch for the
"Frame Spoof" Vulnerability. Customers who have applied either or both of
patches  should apply the patch for the "Frame Spoof" Vulnerability to
ensure that they have the latest  protection against all three
vulnerabilities.

Windows 98
----------
Windows 98 customers can obtain the updated patch using Windows Update. To
obtain this patch  using Windows Update, launch Windows Update from the
Windows Start Menu and click "Product  Updates." When prompted, select 'Yes'
to allow Windows Update to determine whether this patch and  other updates
are needed by your computer. If your computer does need this patch, you will
find  it listed under the "Critical Updates" section of the page.

Internet Explorer 3.X and 4.0
-----------------------------
Internet Explorer 3.X and 4.0 users must first upgrade to Internet
Explorer 4.01 with Service Pack 1, which is available at
http://www.microsoft.com/windows/ie/download/. After installing
the upgrade, apply the Internet Explorer 4.01 patch as discussed below.

Internet Explorer 4.01
----------------------
Customers using Internet Explorer 4.01 (with or without Service
Pack 1) can obtain the patch from the Internet Explorer Security
web site, (http://www.microsoft.com/windows/ie/security/spoof.asp).
The patches for the Macintosh, HPUX and Solaris versions will be
slightly delayed. When they are available, a notice will be posted
on http://www.microsoft.com/ie/security/.

More Information
================
Please see the following references for more information related to this
issue.
 - Microsoft Security Bulletin 98-020, Patch Available for "Frame
   Spoof" Vulnerability (the Web-posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms98-020.asp.
 - Microsoft Knowledge Base (KB) article Q167614,
   Update Available For "Frame Spoof" Security Issue,
   http://support.microsoft.com/support/kb/articles/q167/6/14.asp.

Acknowledgements
================
Microsoft wishes to acknowledge Juan Carlos Garcia Cuartango of Spain for
his continued  assistance and input regarding variants of the Untrusted
Scripted Paste Issue.

Obtaining Support on this Issue
===============================
This is a supported patch. If you have problems installing
this patch or require technical assistance with this patch,
please contact Microsoft Technical Support. For information
on contacting Microsoft Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
 - December 23, 1998: Bulletin Created


For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security


----------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF  ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES  OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION  OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,  CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS  SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE  EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING  LIMITATION MAY NOT APPLY.

(c) 1998 Microsoft Corporation. All rights reserved. Terms of Use.

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  Service
please    visit    http://www.microsoft.com/security/bulletin.htm.    For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

home help back first fref pref prev next nref lref last post