COMMAND

    "Frame Domain Verification", "Unauthorized Cookie Access" and "Malformed Component Attribute"

SYSTEMS AFFECTED

    Microsoft Internet Explorer 4.0, 4.01, 5.0 and 5.01

PROBLEM

    Following  is  based  on  a  Security  Bulletin  from  Microsoft.
    The three  security vulnerabilities  eliminated by  this patch are
    unrelated to each other  except by the fact  that they all   occur
    in the  same .dll.   We have  packaged them  together for customer
    convenience.  The vulnerabilities are:

    - "Frame Domain  Verification" vulnerability.   When a web  server
      opens a  frame within  a window,  the IE  security model  should
      only allow  the parent  window to  access the  data in the frame
      if  they  are  in  the  same  domain.   However,  two  functions
      available in IE  do not properly  perform domain checking,  with
      the  result  that  the  parent  window  could  open a frame that
      contains a file on the local computer, then read it.  This could
      allow  a  malicious  web  site  operator  to  view  files on the
      computer of a visiting user.   The web site operator would  need
      to know (or guess) the name and location of the file, and  could
      only view  file types  that can  be opened  in a browser window.
      This was reported by Mead & Company's Andrew Nosenko.

    - "Unauthorized Cookie Access"  vulnerability.  By design,  the IE
      security model restricts cookies so  that they can be read  only
      by sites within  the originator's domain.   However, by using  a
      specially-malformed  URL,  it  is  possible  for a malicious web
      site operator to gain access to another site's cookies and read,
      add or change  them.  A  malicious web site  operator would need
      to  entice  a  visiting  user  into  clicking a link in order to
      access  each  cookie,  and  could  not  obtain  a listing of the
      cookies  available  on   the  visitor's  system.    Even   after
      recovering a cookie, the type and amount of personal information
      would depend on the privacy practices followed by the site  that
      placed it there.  This was reported by Marc Slemko.

    - "Malformed Component Attribute" vulnerability.  The code used to
      invoke  ActiveX  components  in  IE  has an unchecked buffer and
      could be exploited by a malicious web site operator to run  code
      on the  computer of  a visiting  user.   The unchecked buffer is
      only  exposed   when  certain   attributes  are   specified   in
      conjunction with each  other.  This  was reported by  UNYUN, the
      Shadow Penguin Security Research Group of Japan.

SOLUTION

    Patch availability:

        http://www.microsoft.com/windows/ie/download/critical/patch6.htm

    The patches require IE 4.01 Service Pack 2 or IE 5.01 to  install.
    Customers  using  versions  prior  to  these may receive a message
    reading  "This  update  does  not  need  to  be  installed on this
    system".     This  message  is  incorrect.   More  information  is
    available in KB article Q262509.

    The  patch  also  eliminates  a  new  variant  of  the  previously
    addressed WPAD Spoofing vulnerability.