Microsoft says in the Security Bulletin that it is difficult to exploit this vulnerability, which can take place through a Web page or by opening an HTML e-mail. There is also a flaw in the SmartCard Enrollment feature, but this will not delete or alter the information on the card even if one is inserted at the time of the attack. Some combinations of newer software and newer or older operating systems have default installations that open HTML e-mail and Web sites in security zones that block this attack. Details are included in the bulletin, but those versions are still vulnerable if the default installation is altered, so the patch is still recommended if you are managing a number of different client systems.

Cumulative Patch for Internet Explorer

Because this patch covers so many different problems, going back as far as MS02-015, it wouldn't really be practical to discuss all the mitigating factors here. I will simply refer you to Security Bulletin MS02-047 for details.

Buffer Overrun in TSAC

This problem poses no threat to servers hosting the services. It's a threat only if the TSAC control was installed by an IIS server that hosts the service. Further, this component is not installed by default on any system. Users of Outlook 98 and 2000 with the Outlook E-mail Security Update are not vulnerable. Neither are users of Outlook Express 6 or Outlook 2002.

Unchecked Buffer in Network Share Provider

Some mitigating factors are detailed in the Security Bulletin for this problem, but they involve turning off important file sharing and print services, so they are not applicable to most network installations. You can also turn off anonymous access to block some threat vectors, but that won't prevent exploitation of this vulnerability by legitimate users.

Unsafe Functions in Office Web Components

This flaw entails various complex sets of mitigating factors, which are detailed in the MS02-044 bulletin.

Fixes

Digital certificate deletion

A patch is available that replaces this ActiveX component with a repaired version, but it can be applied only to IE 5 or later. In addition, Webmasters who use Certificate Enrollment Control on their sites must also make some changes to accommodate the new component. Another flaw, found only in XP and Windows 2000, relates to SmartCard Enrollment and is also fixed with this patch. See MS02-048 for specific patch information and links.

Cumulative Patch for Internet Explorer

Read MS02-047 carefully before applying these patches, because some earlier problems must be addressed before installation. In particular, you may need to install the patches described in MS02-022 and MS02-046 if you haven't done so already.

Buffer Overrun in TSAC

Apply the patch or set the kill bit manually following the instructions given in MS02-046. The fix simply repairs the way the TSAC ActiveX control checks its input data.

Unchecked Buffer in Network Share Provider

See MS02-045 for links to specific version patches. This fix will be included in Windows 2000 Service Pack 4 and Windows XP Service Pack 1.

Unsafe Functions in Office Web Components

Install Office XP SP2 from Office Product Updates. Install general or specific patches or updates as detailed in MS02-044.

The long-awaited patch

As mentioned above, Microsoft initially crafted a response that downplayed the SSL threat and repeated the contention that it is difficult to exploit. Microsoft outlined three reasons for this claim:
- The attacker must be able to spoof a Web site.
- The attacker could be caught.
- Users would see the attack because it can be discovered by carefully checking the digital certificate every time you move to a different page.
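The "set the kill bit manually" alternative mentioned under the Buffer Overrun in TSAC fix above is a registry change that tells Internet Explorer to refuse to instantiate a given ActiveX control. The following PowerShell is an added example, not code from this article or from Microsoft's bulletin: it sets and verifies the kill bit for a control identified by CLSID. The registry location (ActiveX Compatibility\{CLSID}, DWORD value "Compatibility Flags") and the flag value 0x400 are from Microsoft's kill-bit documentation; the CLSID used at the bottom is an obvious placeholder, because the TSAC control's CLSID is not given on this page and must be taken from MS02-046. The script must run from an elevated session, and on 64-bit Windows it also writes the Wow6432Node key so the 32-bit browser is covered.

```powershell
# Added example (not from the article or the bulletin): set and verify the
# ActiveX kill bit for a control. Requires an elevated PowerShell session.
$KillBitFlag = 0x400   # "Compatibility Flags" bit that blocks the control in IE

function Get-KillBitKeyPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    # Normalise any GUID spelling to the brace-wrapped, upper-case form used by the key name
    $guidText = ([guid]$Clsid).ToString().ToUpper()
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{$guidText}")
    # On 64-bit Windows the 32-bit browser reads the Wow6432Node hive instead
    $wowBase = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    if (Test-Path $wowBase) { $paths += "$wowBase\{$guidText}" }
    return $paths
}

function Get-CompatibilityFlags {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { return 0 }
    $value = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $value) { return 0 }
    return [int]$value
}

function Test-ActiveXKillBit {
    # True only if the kill bit is set in every applicable key
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitKeyPaths -Clsid $Clsid) {
        if (((Get-CompatibilityFlags -Path $path) -band $KillBitFlag) -eq 0) { return $false }
    }
    return $true
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitKeyPaths -Clsid $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # OR the bit in so any compatibility flags already present are preserved
        $newFlags = (Get-CompatibilityFlags -Path $path) -bor $KillBitFlag
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $newFlags -Type DWord
    }
    return (Test-ActiveXKillBit -Clsid $Clsid)
}

# Usage. PLACEHOLDER CLSID: substitute the control's real CLSID from the bulletin.
$targetClsid = '{00000000-0000-0000-0000-000000000000}'
if (Set-ActiveXKillBit -Clsid $targetClsid) {
    "Kill bit set for $targetClsid"
} else {
    "Kill bit NOT confirmed for $targetClsid; check permissions and the registry path"
}
```

The kill bit only stops Internet Explorer (and hosts that honour the flag) from loading that CLSID; it does not remove or repair the control's binary, so applying the bulletin's patch is still the complete fix, and the check function above is a convenient way to confirm the workaround is in place across a fleet before the patch is rolled out.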