MS03-040: October, 2003, Cumulative Patch for Internet Explorer

SYMPTOMS

This is a cumulative security patch for Microsoft Internet Explorer that includes the functionality of all previously released patches for Internet Explorer 5.01, 5.5, and 6. Additionally, this security patch eliminates the following newly discovered vulnerabilities: Microsoft has changed the method that Internet Explorer uses to handle Dynamic HTML (DHTML) Behaviors in the Internet Explorer Restricted zone. An attacker who exploits a separate vulnerability could cause Internet Explorer to run script code in the security context of the Internet zone. Additionally, an attacker could use the Microsoft Windows Media Player ability to open Web addresses (or URLs) in the context of the Local Computer zone from a separate zone to construct an attack. An attacker could also create an HTML-based e-mail message that could exploit this behavior.

To exploit these flaws, the attacker would have to create a specially formed HTML-based e-mail message and send the message to you. Or, an attacker could host a malicious Web site that contains a Web page that is designed to exploit these vulnerabilities. The attacker would then have to persuade you to visit that Web site.

As with the previous Internet Explorer cumulative security patch that was released with security bulletin MS03-032 (822925), this cumulative patch causes the window.showHelp method to stop working if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Microsoft Knowledge Base article 811630, you can still use HTML Help functionality after you apply this security patch. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

811630 HTML Help Update to Limit Functionality When It Is Invoked with the window.showHelp( ) Method

In addition to applying this security patch, Microsoft recommends that you also install the Windows Media Player update that is described in Microsoft Knowledge Base article 828026. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

828026 Update for Windows Media Player Script Commands

This update is available from the Microsoft Windows Update Web site and from the Microsoft Download Center for all supported versions of Windows Media Player. Although it is not a security patch, this update contains a change to the behavior of the Windows Media Player ability to open Web addresses. This change can help to protect against DHTML behavior-based attacks. Specifically, this update restricts the Windows Media Player ability to open Web addresses in the Local Computer zone from other zones.

Mitigating Factors

Notes

RESOLUTION

Download Information

To download and install this update, visit the Microsoft Windows Update Web site, and then install critical update 828750:

http://windowsupdate.microsoft.com

Administrators can download this update from the Microsoft Download Center or from the Microsoft Windows Update Catalog to deploy to multiple computers. If you want to install this update later on one or more computers, search for this article ID number by using the Advanced Search Options feature in the Windows Update Catalog. For additional information about how to download updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:

323166 HOW TO: Download Windows Updates and Drivers from the Windows Update Catalog

To download this update from the Microsoft Download Center, visit the following Microsoft Web site:

http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information

You must be logged on as an administrator to install this update. To download and install this update, visit the Windows Update Web site, and then install critical update 828750:

http://windowsupdate.microsoft.com

To install a downloaded version of this update, run the 828750 critical update package that you downloaded by using the appropriate Setup switches. Administrators can deploy this update by using Microsoft Software Update Services (SUS). For additional information about SUS, click the following article number to view the article in the Microsoft Knowledge Base:

810796 White Paper: Software Update Services Overview White Paper

To verify that this update has been installed, use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about the MBSA tool, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer (MBSA) Version 1.1.1 Is Available

You may also be able to verify that this update has been installed by using any of the following methods:

Prerequisites

Microsoft has tested the versions of Windows and the versions of Internet Explorer that are listed in this article to assess whether they are affected by these vulnerabilities, and to confirm that the update that this article describes addresses these vulnerabilities.

To install the Internet Explorer 6 for Windows Server 2003 versions of this update, you must be running Internet Explorer 6 (version 6.00.3790.0000) on Windows Server 2003 (32-bit or 64-bit) or you must be running Internet Explorer 6 on Windows XP 64-Bit Edition, Version 2003.

To install the Internet Explorer 6 Service Pack 1 (SP1) versions of this update, you must be running Internet Explorer 6 SP1 (version 6.00.2800.1106) on Windows XP 64-Bit Edition, Version 2002; Windows XP SP1; Windows XP; Windows 2000 Service Pack 4 (SP4); Windows 2000 Service Pack 3 (SP3); Windows NT 4.0 Service Pack 6a (SP6a); or Windows Millennium Edition.

To install the Internet Explorer 6 version of this update, you must be running Internet Explorer 6 (version 6.00.2600.0000) on Windows XP.

To install the Internet Explorer 5.5 version of this update, you must be running Internet Explorer 5.5 Service Pack 2 (version 5.50.4807.2300) on Windows 2000 SP4, Windows 2000 SP3, Windows NT 4.0 SP6a, or Windows Millennium Edition.

To install the Internet Explorer 5.01 version of this update, you must be running Internet Explorer 5.01 Service Pack 4 (version 5.00.3700.1000) on Windows 2000 SP4 or you must be running Internet Explorer 5.01 Service Pack 3 (version 5.00.3502.1000) on Windows 2000 SP3.

Note Versions of Windows and versions of Internet Explorer that are not listed in this article are either in the extended phase of the product life cycle or are no longer supported. Although you can install some of the update packages that are described in this article on these versions of Windows and of Internet Explorer, Microsoft has not tested these versions to assess whether they are affected by these vulnerabilities or to confirm that the update that this article describes addresses these vulnerabilities. Microsoft recommends that you upgrade to a supported version of Windows and of Internet Explorer, and then apply the appropriate update. If you are running a version of Windows or of Internet Explorer that is in the extended phase of the product life cycle, and if you have an Extended Support contract, contact your Technical Account Manager (TAM) or your Applications Development Consultant (ADC) for information about an update for your configuration. For additional information about how to determine which version of Internet Explorer you are running, click the following article number to view the article in the Microsoft Knowledge Base:

164539 How to Determine Which Version of Internet Explorer Is Installed

For additional information about support life cycles for Windows components, visit the following Microsoft Web site:

http://www.microsoft.com/windows/lifecycle/desktop/business/components.mspx

For additional information about how to obtain Internet Explorer 6 SP1, click the following article number to view the article in the Microsoft Knowledge Base:

328548 How to Obtain the Latest Service Pack for Internet Explorer 6

For additional information about how to obtain the latest service pack for Internet Explorer 5.5, click the following article number to view the article in the Microsoft Knowledge Base:

276369 How to Obtain the Latest Service Pack for Internet Explorer 5.5

For additional information about how to obtain Internet Explorer 5.01 SP3, click the following article number to view the article in the Microsoft Knowledge Base:

267954 How to Obtain the Latest Internet Explorer 5.01 Service Pack

Restart Requirements

For the Internet Explorer 6 versions of this update, you must restart your computer to complete the installation. For the Internet Explorer 5.01 and the Internet Explorer 5.5 versions of this update, you must restart your computer and then log on as an administrator to complete the installation on Windows NT 4.0-based and Windows 2000-based computers.

Previous Update Status

This update replaces the MS03-032: August, 2003, Cumulative Patch for Internet Explorer (822925).

Setup Switches

The Windows Server 2003 versions of this security patch (including Windows XP 64-Bit Edition, Version 2003) support the following Setup switches:

For example, to install the Windows Server 2003 32-bit security patch without any user intervention, use the following command:

windowsserver2003-kb828750-x86-enu.exe /u /q

To install this security patch without forcing the computer to restart, use the following command:

windowsserver2003-kb828750-x86-enu.exe /z

Note You can combine these switches in one command.

For information about how to deploy this security patch by using Software Update Services, visit the following Microsoft Web site:

http://www.microsoft.com/windows2000/windowsupdate/sus/susoverview.asp

The other update packages for this security patch support the following switches:

For example, to install the update without any user intervention and not to force the computer to restart, use the following command:

q828750.exe /q:a /r:n

File Information

The English version of this security patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are installed in the %Windir%\System folder on Windows 98 Second Edition and on Windows Millennium Edition. They are installed in the %Windir%\System32 folder on Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003.
Internet Explorer 6 (32-bit) for Windows Server 2003
   Date         Time   Version      Size       File name
   -------------------------------------------------------
   RTMQFE
   22-Sep-2003  19:11  6.0.3790.89  2,917,888  Mshtml.dll
   22-Sep-2003  19:11  6.0.3790.85  1,394,176  Shdocvw.dll
   22-Sep-2003  19:11  6.0.3790.84    509,440  Urlmon.dll 
   RTMGDR
   22-Sep-2003  19:14  6.0.3790.88  2,917,888  Mshtml.dll
   22-Sep-2003  19:14  6.0.3790.85  1,394,176  Shdocvw.dll
   22-Sep-2003  19:14  6.0.3790.84    509,440  Urlmon.dll 
Internet Explorer 6 (64-bit) for Windows Server 2003 64-bit versions and for Windows XP 64-Bit Edition, Version 2003
   Date         Time   Version      Size       File name     Platform
   ------------------------------------------------------------------
   RTMQFE
   22-Sep-2003  19:06  6.0.3790.89  8,210,944  Mshtml.dll    IA-64
   22-Sep-2003  19:06  6.0.3790.89  3,359,232  Shdocvw.dll   IA-64
   22-Sep-2003  19:06  6.0.3790.87  1,271,808  Urlmon.dll    IA-64
   22-Sep-2003  19:11  6.0.3790.89  2,917,888  Wmshtml.dll   x86
   22-Sep-2003  19:11  6.0.3790.85  1,394,176  Wshdocvw.dll  x86
   22-Sep-2003  19:11  6.0.3790.84    509,440  Wurlmon.dll   x86
   RTMGDR
   22-Sep-2003  19:10  6.0.3790.88  8,210,944  Mshtml.dll    IA-64
   22-Sep-2003  19:10  6.0.3790.85  3,359,744  Shdocvw.dll   IA-64
   22-Sep-2003  19:10  6.0.3790.87  1,271,808  Urlmon.dll    IA-64
   22-Sep-2003  19:14  6.0.3790.88  2,917,888  Wmshtml.dll   x86
   22-Sep-2003  19:14  6.0.3790.85  1,394,176  Wshdocvw.dll  x86
   22-Sep-2003  19:14  6.0.3790.84    509,440  Wurlmon.dll   x86
Internet Explorer 6 SP1 (32-bit) for Windows XP SP1, Windows XP, Windows 2000 SP3, Windows 2000 SP4, Windows NT 4.0 SP6a, Windows Millennium Edition, and Windows 98 Second Edition
   Date         Time   Version        Size       File name
   ---------------------------------------------------------
   18-Sep-2003  22:28  6.0.2800.1264  2,793,984  Mshtml.dll 
   23-May-2003  17:15  6.0.2800.1203  1,338,880  Shdocvw.dll
   13-Jul-2003  20:05  6.0.2800.1226    395,264  Shlwapi.dll
   10-Sep-2003  11:48  6.0.2800.1259    444,928  Urlmon.dll
Internet Explorer 6 SP1 (64-bit) for Windows XP 64-Bit Edition, Version 2002
   Date         Time   Version        Size       File name    Platform
   -------------------------------------------------------------------
   18-Sep-2003  21:16  6.0.2800.1264  9,079,808  Mshtml.dll   IA-64
   23-May-2003  16:39  6.0.2800.1203  3,648,000  Shdocvw.dll  IA-64
   13-Jul-2003  19:27  6.0.2800.1226  1,095,168  Shlwapi.dll  IA-64
   10-Sep-2003  11:51  6.0.2800.1259  1,412,608  Urlmon.dll   IA-64
Internet Explorer 6 (32-bit) for Windows XP
   Date         Time   Version        Size       File name
   ---------------------------------------------------------
   18-Sep-2003  21:51  6.0.2733.1800  2,763,264  Mshtml.dll 
   11-Jul-2003  14:59  6.0.2722.900      34,304  Pngfilt.dll
   05-Mar-2002  00:09  6.0.2715.400     548,864  Shdoclc.dll
   22-May-2003  22:49  6.0.2729.2200  1,336,320  Shdocvw.dll
   11-Jul-2003  14:59  6.0.2730.1200    391,168  Shlwapi.dll
   11-Jul-2003  14:59  6.0.2715.400     109,568  Url.dll    
   10-Sep-2003  11:38  6.0.2733.1000    442,880  Urlmon.dll 
   06-Jun-2002  17:38  6.0.2718.400     583,168  Wininet.dll
Internet Explorer 5.5 SP2 for Windows 2000 SP4, Windows 2000 SP3, Windows NT 4.0 SP6a, Windows Millennium Edition, and Windows 98 Second Edition
   Date         Time   Version         Size       File name
   ----------------------------------------------------------
   18-Sep-2003  21:26  5.50.4933.1800  2,759,952  Mshtml.dll 
   17-Oct-2002  00:01  5.50.4922.900      48,912  Pngfilt.dll
   22-May-2003  23:09  5.50.4929.2200  1,149,200  Shdocvw.dll
   12-Jun-2003  20:24  5.50.4930.1200    300,816  Shlwapi.dll
   05-Mar-2002  01:53  5.50.4915.500      84,240  Url.dll    
   10-Sep-2003  11:31  5.50.4933.1000    408,848  Urlmon.dll 
   06-Jun-2002  21:27  5.50.4918.600     481,552  Wininet.dll
Internet Explorer 5.01 for Windows 2000 SP4 and for Windows 2000 SP3
   Date         Time   Version        Size       File name
   ---------------------------------------------------------
   18-Sep-2003  20:36  5.0.3809.1800  2,282,768  Mshtml.dll 
   12-Jun-2003  23:15  5.0.3806.1200     48,912  Pngfilt.dll
   12-Jun-2003  23:08  5.0.3806.1200  1,099,536  Shdocvw.dll
   12-Jun-2003  23:07  5.0.3806.1200    279,824  Shlwapi.dll
   05-Mar-2002  01:53  5.50.4915.500     84,240  Url.dll    
   10-Sep-2003  11:22  5.0.3809.1000    409,360  Urlmon.dll 
   12-Jun-2003  23:16  5.0.3806.1200    445,200  Wininet.dll
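
The file tables above can serve as a version floor when auditing hosts. The following is an added example, not part of the original article or of any Microsoft tool: it parses rows in this article's table layout and flags files that are missing or older than the listed version. The installed-file inventory is constructed, and treating the lower of the RTMQFE and RTMGDR listings as the floor is an assumption.

```python
import re

# Rows copied from two of this article's file tables (header lines omitted).
IE6_SP1_32 = """
   18-Sep-2003  22:28  6.0.2800.1264  2,793,984  Mshtml.dll
   23-May-2003  17:15  6.0.2800.1203  1,338,880  Shdocvw.dll
   13-Jul-2003  20:05  6.0.2800.1226    395,264  Shlwapi.dll
   10-Sep-2003  11:48  6.0.2800.1259    444,928  Urlmon.dll
"""
WS2003_32 = """
   RTMQFE
   22-Sep-2003  19:11  6.0.3790.89  2,917,888  Mshtml.dll
   22-Sep-2003  19:11  6.0.3790.85  1,394,176  Shdocvw.dll
   22-Sep-2003  19:11  6.0.3790.84    509,440  Urlmon.dll
   RTMGDR
   22-Sep-2003  19:14  6.0.3790.88  2,917,888  Mshtml.dll
   22-Sep-2003  19:14  6.0.3790.85  1,394,176  Shdocvw.dll
   22-Sep-2003  19:14  6.0.3790.84    509,440  Urlmon.dll
"""
# Columns: date, time, version, size, file name, optional platform.
ROW = re.compile(r"^\s*\d{2}-[A-Za-z]{3}-\d{4}\s+\d{2}:\d{2}\s+"
                 r"([\d.]+)\s+[\d,]+\s+(\S+\.dll)(?:\s+\S+)?\s*$", re.I)

def vtuple(version):
    """'6.0.2800.1264' -> (6, 0, 2800, 1264), so fields compare as numbers."""
    return tuple(int(part) for part in version.split("."))

def minimum_versions(table):
    """Map lower-cased file name -> lowest version listed for it.
    Assumption: with RTMQFE/RTMGDR branches, the lower listing is the floor."""
    floor = {}
    for line in table.splitlines():
        m = ROW.match(line)
        if m:  # headers, rules and branch labels do not match
            name, ver = m.group(2).lower(), vtuple(m.group(1))
            floor[name] = min(ver, floor.get(name, ver))
    return floor

def audit(table, installed):
    """Return [(file, problem)] for files missing or older than the table."""
    have = {k.lower(): v for k, v in installed.items()}
    findings = []
    for name, need in sorted(minimum_versions(table).items()):
        if name not in have:
            findings.append((name, "missing"))
        elif vtuple(have[name]) < need:
            findings.append((name, "older than " + ".".join(map(str, need))))
    return findings

# Constructed inventory: Urlmon.dll 6.0.2800.999 sorts above 6.0.2800.1259 as
# a string, but it is the older build once the fields are compared as numbers.
SAMPLE_INSTALLED = {"Mshtml.dll": "6.0.2800.1264", "Shdocvw.dll": "6.0.2800.1203",
                    "Shlwapi.dll": "6.0.2800.1226", "Urlmon.dll": "6.0.2800.999"}

if __name__ == "__main__":
    for name, problem in audit(IE6_SP1_32, SAMPLE_INSTALLED):
        print(name, problem)
```
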
Notes

Removal Information

To remove this update, use the Add or Remove Programs tool (or the Add/Remove Programs tool) in Control Panel. Click Internet Explorer Q828750, and then click Change/Remove (or click Add/Remove).

On Windows Server 2003 and on Windows XP 64-Bit Edition, Version 2003, system administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB828750$\Spuninst folder. This utility supports the following Setup switches:

On all other versions of Windows, system administrators can use the Ieuninst.exe utility to remove this update. This security patch installs the Ieuninst.exe utility in the %Windir% folder. This utility supports the following command-line switches:

For example, to remove this update quietly, use the following command:

c:\windows\ieuninst /q c:\windows\inf\q828750.inf

Note This command assumes that Windows is installed in the C:\Windows folder.

WORKAROUND

These workarounds are temporary measures because they only help to block paths of attack. These workarounds do not correct the underlying vulnerability. Microsoft encourages you to install the security patch at your earliest opportunity.

The following workarounds are intended to give you information to help to protect your computer from attack.

MORE INFORMATION

For more information about this security patch, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-040.asp

Known Issues

The information in this article applies to: