Within hours of Microsoft's release of MS02-023, Israeli-based GreyMagic sent me an e-mail indicating that there were some mistakes in the text of the security bulletin and explaining why the patch only partially fixed one of the problems. New threats
This cumulative patch fixes a number of IE vulnerabilities discovered up to this point and addresses six new threats. The first of the new threats is "Cross-site Scripting in Local HTML Resource" (CAN-2002-0189). Microsoft says that this problem could cause a script to run in the local computer zone as if the user activated it. GreyMagic contradicted Microsoft's statement that this is "a cross-site scripting vulnerability in a Local HTML Resource," explaining that the problem is actually in the way dialogArguments' security settings are bypassed. GreyMagic also pointed out that Microsoft is incorrect in saying that this problem is limited to IE 6 and claims that the same problem is found in IE 5 and IE 5.5. Since this cumulative patch doesn't address the problem in those versions, users are still vulnerable even after applying this patch. GreyMagic reported that "Microsoft did not understand the problem. They only patched a symptom of this vulnerability, not its root cause. As a result of that incomplete 'patch,' IE 5 and IE 5.5 are still very much vulnerable to this attack in other resources." The company has posted a demonstration on its Web site. Another vulnerability is "Local Information Disclosure Through HTML Object" (CAN-2002-0191). This vulnerability in HTML objects' CSSes could allow an attacker to read but not modify or delete data on a user's system. The attack requires that the user visit a Web site or open an HTML e-mail containing the specially crafted exploit code. The "Information Disclosure Vulnerability Cookie Scripts" threat (CAN-2002-0192) could allow a Web site to access cookies it shouldn't have access to. The "Zone Spoofing Through Malformed Web Page" vulnerability (CAN-2002-0190) could, in rare cases, allow malicious Web pages to be treated as if they were in the Trusted Sites zone. The two newly discovered variations of Content Disposition variants (CAN-2002-0193 and CAN-2002-0188) are a new twist on a problem which Microsoft says was addressed in the cumulative patch supplied with MS01-058. The new problems affect the way IE handles downloads when there are intentionally malformed Content-Disposition and Content-Type headers. Note
"CAN" numbers (e.g., CAN-2002-0188) indicate "candidate" status for the vulnerability and means that they are still subject to review by the Mitre CVE Editorial Board. CAN and CVE designations are intended to make it easier to identify specific vulnerabilities and prevent confusion among different threats.