View Full Version : new MS patch fixes internet explorer bug


kronas
03-02-2004, 00:56
Microsoft has released a patch which fixes three security issues, one of which is 'URL masking', better known as 'phishing', where spoof websites look like the real thing but collect personal details...........

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-004.asp

Tricky
03-02-2004, 07:56
Notification in full from M$


AFFECTED SOFTWARE:
- Microsoft Windows NT(r) Workstation 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4

- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server(r) 2003
- Microsoft Windows Server 2003, 64-Bit Edition

AFFECTED COMPONENTS:
- Internet Explorer 6 Service Pack 1
- Internet Explorer 6 Service Pack 1 (64-Bit Edition)
- Internet Explorer 6 for Windows Server 2003
- Internet Explorer 6 for Windows Server 2003 (64-Bit Edition)
- Internet Explorer 6
- Internet Explorer 5.5 Service Pack 2
- Internet Explorer 5.01 Service Pack 4
- Internet Explorer 5.01 Service Pack 3
- Internet Explorer 5.01 Service Pack 2

MAXIMUM SEVERITY RATING: Critical

WHAT IS IT?
The Microsoft Security Response Center has released Microsoft Security Bulletin MS04-004 which concerns vulnerabilities in Internet Explorer. Customers are advised to review the information in the bulletin, test and deploy the update immediately in their environments, if applicable.

IMPACT OF VULNERABILITY: Remote Code Execution

TECHNICAL DETAILS:
This is a cumulative update that includes the functionality of all the previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. Additionally, it eliminates the following three newly-discovered vulnerabilities:

- A vulnerability that involves the cross-domain security model of Internet Explorer. The cross domain security model of Internet Explorer keeps windows of different domains from sharing information. This vulnerability could result in the execution of script in the Local Machine zone. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who exploited this vulnerability could access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged on user.

- A vulnerability that involves performing a drag-and-drop operation with function pointers during dynamic HTML (DHTML) events in Internet Explorer. This vulnerability could allow a file to be saved in a target location on the user's system if the user clicked a link. No dialog box would request that the user approve this download. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, code of the attacker's choice would not be executed, but could be saved on the user's computer in a targeted location.

- A vulnerability that involves the incorrect canonicalization of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker's choice in the address bar, but with content from a Web Site of the attacker's choice inside the window. For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)

As with the previous Internet Explorer cumulative updates that were released with bulletins MS03-004, MS03-015, MS03-020, MS03-032, MS03-040, and MS03-048, this cumulative update causes the window.showHelp( ) control to no longer work if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Microsoft Knowledge Base article 811630, you will still be able to use HTML Help functionality after you apply this update.

This Internet Explorer cumulative update also includes a change to the functionality of a Basic Authentication feature in Internet Explorer. The update removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install this software update:

- http(s)://username:password@server/resource.ext

For more information about this change, please see Microsoft Knowledge Base article 834489.

Additionally, this update will disallow navigation to "username:password@host.com" URLs for XMLHTTP.

Microsoft is currently creating an update to MSXML that will address this issue specifically for XMLHTTP and will provide more information in the security bulletin when the update becomes available.

The update also refines a change made in Internet Explorer 6 Service Pack 1, which prevents web pages in the Internet Security zone from navigating to the local computer zone. This is discussed further in the "Frequently Asked Questions" section of this bulletin.

MITIGATING FACTORS:

There are three common mitigating factors for both the Cross Domain Vulnerability and Drag-and-Drop Operation Vulnerability:

- By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections that are put in place that prevent these vulnerabilities from being automatically exploited would be removed.

- In the Web-based attack scenario, the attacker would have to host a Web site that contains a Web page that is used to exploit these vulnerabilities. An attacker would have no way to force a user to visit a malicious Web site. Instead, the attacker would have to lure them there, typically by getting them to click a link that takes them to the attacker's site.

- By default, Outlook Express 6.0, Outlook 2002 and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:

  - You have applied the update included with Microsoft Security bulletin MS03-040 or MS03-048
  - You are using Internet Explorer 6 or later
  - You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or later in its default configuration.

- If an attacker exploited these vulnerabilities, they would gain only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than users who operate with administrative privileges.

Restart required: Yes

Update can be uninstalled: Yes

RELATED KB ARTICLES: 832894

SECURITY BULLETIN LINK: http://www.microsoft.com/technet/security/bulletin/ms04-004.asp
THE URL IS AUTHORITATIVE FOR THIS BULLETIN

PLEASE VISIT http://www.microsoft.com/technet/security FOR THE MOST CURRENT INFORMATION ON THIS ALERT.

If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.

Thank you.

PSS Security



Anyone running a M$ OS that is not affected!?
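
An added example (not part of the bulletin or of any poster's message): a Python link check, of the kind a mail gateway or proxy might run, that flags http(s) URLs using the "username:password@server" syntax the bulletin describes and reports the host the link actually goes to. The function names and the sample text are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample text; the host names are the bulletin's own example sites.
SAMPLE = (
    "Please confirm your account at "
    "http://www.tailspintoys.com@www.wingtiptoys.com/login today. "
    "Docs: http://alice:secret@intranet.example/resource.ext and "
    "https://www.microsoft.com/technet/security."
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# A user name shaped like a DNS name is the misleading case: the reader
# sees a familiar site name in front of the "@".
HOSTLIKE_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.IGNORECASE)


def inspect_url(url):
    """Return a finding for an http(s) URL that carries userinfo, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority
        return None
    if parts.scheme.lower() not in ("http", "https") or "@" not in parts.netloc:
        return None
    user = parts.username or ""
    return {
        "user": user,  # the password is deliberately not copied into findings
        "real_host": parts.hostname,  # what follows the last "@"
        "user_looks_like_host": bool(HOSTLIKE_RE.match(user)),
    }


def scan_text(text):
    """Find every URL in text and return the findings for those with userinfo."""
    findings = []
    for match in URL_RE.finditer(text):
        finding = inspect_url(match.group(0).rstrip(".,)"))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f)
```
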

homealone
03-02-2004, 08:11
thanks Tricky

Win98se here & windows update installed the patch as a 'critical'. :)

MetaWraith
03-02-2004, 09:47
thanks Tricky
Win98se here & windows update installed the patch as a 'critical'. :)
I thought 'critical' updates couldn't be uninstalled

I've just been informed by email that a friend of mine installed it last night and now her PC's playing up (Win98). Items missing from taskbar and systray, her 'My Computer' icon won't open.

paulyoung666
03-02-2004, 10:08
ummmmmmmmmmmm , i have just tried to install the patch and .......... it failed to install , help !!!!!!!!!!!!!!!!!!! , what am i going to do :eek: :eek: :eek: :eek: :eek:

Chris
03-02-2004, 10:19
Notification in full from M$



Anyone running a M$ OS that is not affected!?

Download Failed (1)

mwuhahahaha

Sorry, couldn't resist that.

downquark1
03-02-2004, 10:23
ummmmmmmmmmmm , i have just tried to install the patch and .......... it failed to install , help !!!!!!!!!!!!!!!!!!! , what am i going to do :eek: :eek: :eek: :eek: :eek:

No doubt it gave you some vague numerical error message that looks precise but when you research it you find out it can mean anything.

paul11974
03-02-2004, 11:04
mine did not install 1st time just try again m8 and all will be ok

Nikko
03-02-2004, 11:29
FWIW I just updated both my XP Pro and W98 machines - the XP one stalled ( for the first time ) and IE froze - while it was re-booting, the W98 machine (albeit a bit slowly) d/l the patch - the XP box then took about 10 mins to get the (1 min) d/l -on the same connection - so looks like XP users will just have to be patient.

iadom
03-02-2004, 11:33
XP here, download and installation, smooth as you like.:)

Stuartbe
03-02-2004, 12:38
Microsoft has released a patch which fixes three security issues, one of which is 'URL masking', better known as 'phishing', where spoof websites look like the real thing but collect personal details...........

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-004.asp

Thanks for the heads up Kronas.......

Don't have anti wife on computer patch handy do you ? :D

kronas
03-02-2004, 18:55
Thanks for the heads up Kronas.......


no problem, at least you were kind enough to say thanks :D


Don't have anti wife on computer patch handy do you ? :D

no why would i want to do that ?

especially with your wife........ :naughty: :naughty: :D :pp