Following the release of the cumulative MS02-066 patch from the previous week, Microsoft has released yet another cumulative patch for Internet Explorer - MS02-068, which can be found at

http://www.microsoft.com/technet/security/bulletin/MS02-068.asp

The sole vulnerability that MS02-068 patches is the "external object caching" vulnerability discovered by GreyMagic Software.

The rather surprising aspects of this bulletin are the extensive downplaying of severity and the incorrect mitigating factors.

Microsoft has given this vulnerability a maximum severity rating of "Moderate". Great, so arbitrary command execution, local file reading and complete system compromise are now only moderately severe, according to Microsoft.

Moving on to the technical description, we see yet more inaccuracies. The entire first paragraph is a falsum:

"Exploiting the vulnerability could enable an attacker to read, but not change, any file on the user's local computer. In addition, the attacker could invoke an executable that was already present on the local system. The attacker would need to know the exact location of the executable, and would not be able to pass parameters to it. Microsoft is not aware of any executable that ships by default as part of Windows and, when run without parameters, could be dangerous."

Allow me to rephrase: Exploiting the vulnerability could enable an attacker to perform any action on the local computer that the user being exploited can perform. This includes, but is not limited to, reading and changing any file on the user's local computer, forcefully placing arbitrary files on the system in any location and invoking any executable on the system both with and without parameters.

Further down we find yet more inaccuracies:

"Without the ability to pass parameters, it's unlikely that an attacker could do much. For instance, although the attacker could run the command prompt, he couldn't pass a command (e.g., format c:) to it."

"This vulnerability provides no way for an attacker to transfer a program of their choice to the user's system."

Since we can already create and execute arbitrary command scripts on the machine, I fail to see how the above can be remotely accurate. Accomplishing this is as simple as creating and executing an automated FTP script, or merely recreating an EXE file from an embedded string in the HTML. Microsoft are very much aware of this, and even modified the MS02-066 bulletin (following the post from GreyMagic on Bugtraq) to provide assistance in mitigating how the HTML Help control can execute commands in the local zone.

It seems like Microsoft are deliberately downplaying the severity of their vulnerabilities in an attempt to gain less bad press. It sure would look bad to release 2 critical cumulative updates in just 2 weeks, but that is exactly what has been done. As it stands now, the bulletin is released and most journalists willing to comment have already noticed the "Moderate" label and the extensive list of (incorrect) mitigating factors, and quite likely will not write anything on just how severe this really is. I doubt most people care to read the revisions to the bulletin that will come later.

There are currently 18 unpatched publicly known vulnerabilities in Internet Explorer, of which I have labelled 6 as severe.

http://www.pivx.com/larholm/unpatched/

Regards

Thor Larholm, Security Researcher
PivX Solutions, LLC

Strike Now, StrikeFirst!
http://www.pivx.com/sf.html