<<< Security Bulletin 04-004 >>> Internet explorer security patch CRITICAL

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 02/02/04


Date: Mon, 02 Feb 2004 10:16:00 -0800

This is an "out of band security bulletin" so heads up people....

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-004.asp

· A vulnerability that involves the incorrect parsing of URLs
that contain special characters. When combined with a misuse of the
basic authentication feature that has "username:password@" at the
beginning of a URL, this vulnerability could result in a
misrepresentation of the URL in the address bar of an Internet Explorer
window. To exploit this vulnerability, an attacker would have to host a
malicious Web site that contained a Web page that had a
specially-crafted link. The attacker would then have to persuade a user
to click that link. The attacker could also create an HTML e-mail
message that had a specially-crafted link, and then persuade the user to
view the HTML e-mail message and then click the malicious link. If the
user clicked this link, an Internet Explorer window could open with a
URL of the attacker's choice in the address bar, but with content from a
Web Site of the attacker's choice inside the window. For example, an
attacker could create a link that once clicked on by a user would
display http://www.tailspintoys.com in
the address bar, but actually contained content from another Web Site,
such as http://www.wingtiptoys.com. (Note:
these web sites are provided as an example only, and both redirect to
http://www.microsoft.com.)

What You Should Know About the Windows Security Update for February 2004:
http://www.microsoft.com/security/security_bulletins/20040202_windows.asp

-- 
http://www.sbslinks.com/really.htm
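
A defender-side check for the "username:password@" misuse the bulletin describes, as an added example that is not part of the original post or of Microsoft's bulletin: it pulls links out of an HTML message body and reports any whose authority carries userinfo, together with the host that would actually be contacted. The function names, the finding labels, the host-like heuristic and the sample HTML are assumptions made for this sketch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Heuristic (assumption): userinfo that starts like a DNS name is meant to be read as the site.
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

class LinkCollector(HTMLParser):
    """Collects href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def inspect_url(url):
    """Return (real_host, findings) for a URL carrying userinfo, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    userinfo, at, _ = parts.netloc.rpartition("@")
    if not at:
        return None
    findings = ["userinfo-present"]
    decoded = unquote(userinfo)
    if HOSTLIKE.match(decoded):
        findings.append("userinfo-looks-like-host")
    # Percent-escapes or control characters in userinfo are not expected in normal links.
    if decoded != userinfo or any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        findings.append("escaped-or-control-chars")
    return parts.hostname, findings

def scan_html(html):
    """Return [(href, real_host, findings)] for every link that carries userinfo."""
    collector = LinkCollector()
    collector.feed(html)
    hits = ((href, inspect_url(href)) for href in collector.hrefs)
    return [(href, *result) for href, result in hits if result]

# Constructed sample input, using the bulletin's own example host names.
SAMPLE_HTML = """<p><a href="http://www.tailspintoys.com@www.wingtiptoys.com/">Tailspin Toys</a>
<a href="http://www.tailspintoys.com%20@www.wingtiptoys.com/x">Tailspin Toys</a>
<a href="ftp://alice:secret@files.example.net/pub">files</a>
<a href="http://www.wingtiptoys.com/">plain link</a></p>"""

if __name__ == "__main__":
    for href, host, findings in scan_html(SAMPLE_HTML):
        print(f"{href}\n  real host: {host}\n  findings: {', '.join(findings)}")
```
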

