Specifications

SAFER – Vol. 3, Issue 6 35 © 2000 The Relay Group
Microsoft Security Bulletin (MS00-033)
Released May 17, 2000
Affects Microsoft Internet Explorer 4.0, 4.01, 5.0, 5.01
Reference http://www.microsoft.com/technet/security/bulletin/fq00-033.asp
Problem
- The bulletin covers three security vulnerabilities that are unrelated to each other except that
they all occur in the same .dll.
- "Frame Domain Verification" vulnerability. When a web server opens a frame within a window, the
IE security model should only allow the parent window to access the data in the frame if they are
in the same domain. However, two functions available in IE do not properly perform domain
checking, with the result that the parent window could open a frame that contains a file on the local
computer, then read it. This could allow a malicious web site operator to view files on the computer
of a visiting user. The web site operator would need to know (or guess) the name and location of
the file, and could only view file types that can be opened in a browser window.
- "Unauthorized Cookie Access" vulnerability. By design, the IE security model restricts cookies so
that they can be read only by sites within the originator's domain. However, by using a specially
malformed URL, it is possible for a malicious web site operator to gain access to another site's
cookie and read, add to or change it. A malicious web site operator would need to entice a
visiting user into clicking a link in order to access each cookie, and could not obtain a listing of the
cookies available on the visitor's system. Even after recovering a cookie, the type and amount of
personal information would depend on the privacy practices followed by the site that placed it
there.
- "Malformed Component Attribute" vulnerability. The code used to invoke ActiveX components in IE
has an unchecked buffer and could be exploited by a malicious web site operator to run code on
the computer of a visiting user. The unchecked buffer is only exposed when certain attributes are
specified in conjunction with each other.
SAFER
- The patch also eliminates a new variant of the previously addressed WPAD Spoofing vulnerability.
FreeBSD Security Advisory SA-00:08 revised: Lynx ports contain numerous buffer overflows
Released May 17, 2000
Affects lynx prior to version 2.8.3pre.5
Reference http://www.freebsd.org/
Problem
- Versions of the lynx software prior to version 2.8.3pre.5 were written in a very insecure style and
contain numerous potential and several proven security vulnerabilities (publicized on the BugTraq
mailing list) exploitable by a malicious server.
- A malicious server that is visited by a user with the lynx browser can exploit the browser security
holes in order to execute arbitrary code as the local user.
SAFER
- Upgrade to lynx or lynx-current after the correction date.
TurboLinux Security Announcement TLSA2000010-1: OpenLDAP 1.2.9 and earlier
Released May 17, 2000
Affects TurboLinux 6.0.2 and earlier
Reference http://www.turbolinux.com/
Problem
- OpenLDAP follows symbolic links when creating files. The default location for these files is
/usr/tmp, which is a symlink to /tmp, which in turn is a world-writable directory.
- Local users can destroy the contents of any file on any mounted filesystem.
SAFER
- Update the packages.