CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
EPSS: 0.035 Low (Percentile: 91.5%)
Microsoft Internet Explorer does not adequately validate references to cached objects and methods across domains and security zones. The impact is similar to that of a cross-site scripting vulnerability, allowing an attacker to access data in other sites, including the Local Computer zone.
Microsoft Internet Explorer features the ability to process scripts contained in HTML documents. This feature is known as Active scripting, and Internet Explorer supports several scripting languages, including VBScript and JScript. JScript is similar to Netscape’s JavaScript and both languages played some part in the development of ECMAScript (ECMA-262). For security reasons, a script loaded from one site should not be able to access resources on another site, including the local client. In JavaScript, the Same Origin Policy protects clients by ensuring that “when loading a document from one origin, a script loaded from a different origin cannot get or set specific properties of specific browser and HTML objects in a window or frame.” Internet Explorer implements a similar policy, adding the restriction that scripts are not allowed to access properties or objects across security zones.
As reported by GreyMagic Software and Liu Die Yu, Internet Explorer does not adequately validate references to certain cached objects and methods across different domains and security zones. A script from a potentially malicious site executing in one domain and security zone is able to access resources in another domain and zone, including the Local Computer zone, via the DHTML Document Object Model interface.
Outlook, Outlook Express, AOL, MSN, Eudora, Lotus Notes, and any other software that uses the WebBrowser ActiveX control could be affected by this vulnerability.
Note that in order for this vulnerability to be exploited, Active scripting must be enabled in the security zone in which the HTML document is rendered.
More information is available in Microsoft Security Bulletin MS02-068.
By convincing a user to follow a URL or read an HTML email message containing malicious script, an attacker could take any action with the privileges of the user executing the script. This could include opening new browser windows to different sites in different security zones, reading or modifying information in open browser windows, reading files on the local file system, and executing commands that are in a location known to the attacker. An attacker who is able to obtain cookies used for authentication may be able to impersonate a legitimate user and obtain sensitive data such as passwords or credit card information. By leveraging features of the Microsoft HTML Help system (VU#25249), an attacker could execute commands with parameters or cause arbitrary files to be downloaded to a known location on the local system, subject to the user’s privileges.
Apply Patch
Apply the patch referenced in Microsoft Security Bulletin MS03-015.
A number of object and method caching vulnerabilities were addressed by MS02-066. The external method caching vulnerability was addressed by MS02-068, which supersedes MS02-066. As of May 2003, the clipboardData method caching vulnerability has not been addressed. Both the external and clipboardData vulnerabilities affect Internet Explorer version 6.0 SP1.
Disable Active scripting
At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, and any other software that uses Internet Explorer to render HTML. Instructions for disabling Active scripting can be found in the CERT/CC Malicious Web Scripts FAQ.
Apply Outlook Email Security Update
The Outlook Email Security Update configures Outlook 2000 and Outlook 98 to use the Restricted sites zone to open email. By default, Active scripting is disabled in the Restricted sites zone. Outlook Express 6.0 and Outlook 2002 include the functionality provided by the Outlook Security Update.
Outlook 2000:
<http://office.microsoft.com/downloads/2000/Out2ksec.aspx>
Outlook 98:
<http://office.microsoft.com/downloads/9798/Out98sec.aspx>
Restrict HTML Help commands
Restrict the execution of the Shortcut and WinHelp HTML Help commands to specified folders, or disable the commands entirely. This will prevent malicious scripts from downloading arbitrary files and executing arbitrary commands with parameters via HTML Help. It will also limit the ability of HTML Help to open URLs and execute commands.
<http://support.microsoft.com/?kbid=810687>
Microsoft has also released an updated version of HTML Help (811630) that is available via Windows Update:
<http://support.microsoft.com/default.aspx?scid=KB;en-us;q811630>
Filter Script Code
It may be possible to use an application layer filter to detect and block or disable script code within HTML data.
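A minimal sketch of such a filter, added here as an illustration (it is not CERT/CC or vendor code): it parses an HTML body and reports every construct that would cause Active scripting to run, namely script elements, inline event handlers, and `javascript:`/`vbscript:` URLs. The names `ScriptFinder`, `scan_html` and `verdict` are hypothetical, and both sample messages are constructed.

```python
from html.parser import HTMLParser

# URL schemes that hand the rest of the attribute value to a script engine.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
URL_ATTRS = {"href", "src", "action", "background"}


class ScriptFinder(HTMLParser):
    """Collects each construct that would make an HTML renderer run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (kind, tag, detail) tuples, in document order

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes
        # character references in attribute values before we see them.
        if tag == "script":
            language = dict(attrs).get("language") or "unspecified"
            self.findings.append(("script-element", tag, language))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS:
                # Drop whitespace and control characters before comparing,
                # so a scheme split by a tab or newline is still recognised.
                compact = "".join(c for c in (value or "") if c > " ").lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.findings.append(("script-url", tag, name))


def scan_html(html):
    """Return all script-bearing constructs found in an HTML string."""
    finder = ScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def verdict(html):
    """Filter decision: 'block' if any script-bearing construct is present."""
    return "block" if scan_html(html) else "pass"


# Constructed sample messages (not taken from any real report).
SAMPLE_CLEAN = '<html><body><p>Report attached.</p><a href="http://example.com/">link</a></body></html>'
SAMPLE_SCRIPTED = (
    '<html><body onload="init()">'
    '<SCRIPT language="JScript">document.title = "x";</SCRIPT>'
    '<a href="&#106;ava\tscript:run()">click</a>'
    '<img src="vbscript:MsgBox(1)"></body></html>'
)
```

A filter of this kind only catches constructs that its parser normalizes the same way the renderer does, so it complements rather than replaces disabling Active scripting.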
162097
Notified: December 12, 2002 Updated: June 18, 2003
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please reference Microsoft Security Bulletin MS02-068. As of May 2003, the clipboardData method caching vulnerability has not been addressed.
GreyMagic Software and Liu Die Yu publicly reported multiple instances of this vulnerability.
This document was written by Art Manion.
| CVE IDs: | CVE-2002-1262 |
|---|---|
| Severity Metric: | 34.78 |
| Date Public: | |
developer.netscape.com/docs/manuals/js/client/jsguide/sec.htm#1015705
jscript.dk/2002/10/sec/SaveRefLocalFile.html
liudieyuinchina.vip.sina.com/SaveRef/SaveRef-Content.txt
liudieyuinchina.vip.sina.com/SaveRef/SaveRef-MyPage-2.HTM
liudieyuinchina.vip.sina.com/SaveRef/SaveRef-MyPage.HTM
liudieyuinchina.vip.sina.com/SaveRef_DocumentWrite/SaveRef_DocumentWrite-Content.txt
liudieyuinchina.vip.sina.com/SaveRef_DocumentWrite/SaveRef_DocumentWrite-MyPage.htm
msdn.microsoft.com/workshop/author/om/doc_object.asp
msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp
security.greymagic.com/adv/gm012-ie/
support.microsoft.com/?kbid=810687
support.microsoft.com/default.aspx?scid=KB;en-us;q811630
www.iss.net/security_center/static/10433.php
www.microsoft.com/technet/security/bulletin/MS02-066.asp
www.microsoft.com/technet/security/bulletin/MS02-068.asp
www.securityfocus.com/bid/6028
www.w3.org/DOM/