Version: 2008

Microsoft Security Bulletin MS02-068 Q324929

  • Quick specs
  • Price: Update
  • Operating system: Windows 98/2000
  • Date added: December 08, 2002
  • Total Downloads: 147
  • Downloads last week: 1

Publisher's description

From Microsoft:

This is an updated bulletin describing a cumulative patch for Internet Explorer 5.5 and 6.0. The original patch is unchanged and, in addition to including the functionality of all previously released patches for Internet Explorer 5.5 and 6.0, eliminates one additional flaw in Internet Explorer's cross-domain security model. This flaw occurs because the security checks that Internet Explorer carries out when particular object caching techniques are used in web pages are incomplete. This could have the effect of allowing an attacker to execute commands on a user's system.

Exploiting the vulnerability could enable an attacker to invoke an executable that was already present on the local system. It could also allow an attacker to load a malicious executable onto a user's system, or to pass parameters to an executable. However, a registry key setting discussed in Microsoft Knowledge Base Article 810687 disables shortcuts in HTML Help, which significantly reduces the scope of this vulnerability as it removes the ability to load a malicious executable on a user's system or to pass parameters to an executable.

An attacker could exploit the vulnerability by constructing a web page that uses a cached programming technique, and could then either host it on a web site or send it to a user via email. In the case of the web-based attack vector the page could be automatically opened when a user visited the site. In the case of the HTML mail-based attack vector, the page could be opened when the recipient opened the mail or viewed it using the Preview pane.

On December 4, 2002, Microsoft released the original version of this bulletin. Subsequent to that time, Microsoft received a report suggesting that the vulnerability addressed by this bulletin could be exploited to run arbitrary code on a user's machine. Microsoft investigated that report, and was able to develop a demonstration that exploits the vulnerability to run arbitrary code. We have released this updated bulletin to advise customers of our new assessment of the potential impact of the vulnerability, and of its updated severity rating.

The original patch released with this bulletin was and is effective in preventing exploitation of the vulnerability. It is also effective in eliminating all vulnerabilities addressed by prior bulletins that could allow a malicious party to run code on the machine of a user who visited a hostile web site or opened a malicious HTML email message. Microsoft strongly urges all customers to install the patch.
