Executive Summary

Information
Name: MS02-023
First vendor Publication: N/A
Vendor: Microsoft
Last vendor Modification: N/A
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability SubScore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score: 7.5
Attack Range: Network
CVSS Impact Score: 6.4
Attack Complexity: Low
CVSS Exploit Score: 10
Authentication: None Required

Detail

15 May 2002 Cumulative Patch for Internet Explorer (Q321232)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:19
 
Oval ID: oval:org.mitre.oval:def:19
Title: IE Cross-Site Scripting
Description: Cross-site scripting vulnerability in Internet Explorer 6.0 allows remote attackers to execute scripts in the Local Computer zone via a URL that exploits a local HTML resource file, aka the "Cross-Site Scripting in Local HTML Resource" vulnerability.
Family: windows Class: vulnerability
Reference(s): CVE-2002-0189
Version: 8
Platform(s): Microsoft Windows 2000
Product(s): Microsoft Internet Explorer
Definition Synopsis:

Definition Id: oval:org.mitre.oval:def:27
 
Oval ID: oval:org.mitre.oval:def:27
Title: IE v5.01 Content Disposition/Type Arbitrary Code Execution
Description: Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability.
Family: windows Class: vulnerability
Reference(s): CVE-2002-0193
Version: 10
Platform(s): Microsoft Windows 2000
Product(s): Microsoft Internet Explorer
Definition Synopsis:

Definition Id: oval:org.mitre.oval:def:923
 
Oval ID: oval:org.mitre.oval:def:923
Title: Zone Spoofing through Malformed Web Page Vulnerability
Description: Microsoft Internet Explorer 5.01, 5.5 and 6.0 allow remote attackers to execute arbitrary code under fewer security restrictions via a malformed web page that requires NetBIOS connectivity, aka "Zone Spoofing through Malformed Web Page" vulnerability.
Family: windows Class: vulnerability
Reference(s): CVE-2002-0190
Version: 5
Platform(s): Microsoft Windows 98, Microsoft Windows ME, Microsoft Windows NT, Microsoft Windows 2000, Microsoft Windows XP
Product(s): Microsoft Internet Explorer
Definition Synopsis:

Definition Id: oval:org.mitre.oval:def:99
 
Oval ID: oval:org.mitre.oval:def:99
Title: IE v6.0 Content Disposition/Type Arbitrary Code Execution
Description: Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability.
Family: windows Class: vulnerability
Reference(s): CVE-2002-0193
Version: 10
Platform(s): Microsoft Windows 2000
Product(s): Microsoft Internet Explorer
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 11

ExploitDB Exploits

id Description
2002-04-02 Microsoft Internet Explorer 5 Cascading Style Sheet File Disclosure Vulnerabi...

OpenVAS Exploits

Date Description
2005-11-03 Name : IE 5.01 5.5 6.0 Cumulative patch (890923)
File : nvt/smb_nt_ms02-005.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
7850 Microsoft IE Malformed Content Header Arbitrary Command Execution

5342 Microsoft IE Malformed Web Page Zone Spoofing

5134 Microsoft IE Reference Local HTML Resource Script Execution

3028 Microsoft IE Content-disposition Header Auto Download/Execute

Microsoft Internet Explorer contains a flaw that allows a remote attacker to force a vulnerable IE browser to download and execute arbitrary files. The flaw is due to the way IE handles a specific Content-Type and Content-disposition header, specifically "audio/x-ms-wma". When the browser handles this content type, it will automatically download a file specified by the attacker and execute it on the local machine.

3005 Microsoft IE WebBrowser Control dialogArguments XSS

Microsoft Internet Explorer contains a flaw that allows attackers to inject code that is run in the context of the "Local Machine" zone. The flaw is triggered when an attacker uses the res:// protocol and the dialogArguments property of a modal dialog in a malicious HTML document. Due to a separate vulnerability in the way dialog methods validate the source of dialog frames, IE is vulnerable to an XSS attack using the dialogArguments property.

3002 Microsoft IE File Extension Dot Parsing

Microsoft Internet Explorer could allow a remote attacker to access sensitive information on a victim's system. Due to a flaw in the way IE parses file names, an attacker can call files with "." or " ." appended. This can allow an attacker to create a malicious HTML page that calls a cookie containing embedded script which would be stored on the victim computer. Once stored, the malicious cookie can be used to read other sensitive cookie data.

2970 Microsoft IE cssText Local File Reading

Microsoft Internet Explorer has a flaw that allows a remote attacker to read files from local or remote locations. The issue is due to a problem in the "cssText" property of the "styleSheet" object. Any file that contains a curly-bracket ("{") will be parsed by IE's CSS engine, which can then trigger the flaw and allow file reading.

Nessus® Vulnerability Scanner

Date Description
2002-02-13 Name : Arbitrary code can be executed on the remote host through the web client.
File : smb_nt_ms02-005.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 11:44:40
  • Multiple Updates