QFE: MS03-048: Cumulative Security Update for Internet Explorer (824145)

Brief Description

This update addresses QFE: MS03-048: Cumulative Security Update for Internet Explorer (824145)

Overview

This is the Microsoft Windows XP Embedded with Service Pack 1 component update to address MS03-048: Cumulative Security Update for Internet Explorer (824145).

This is a cumulative update that includes the functionality of all the previously-released updates for Internet Explorer 5.01, Internet Explorer 5.5, and Internet Explorer 6.0. Additionally, it eliminates the following five newly-discovered vulnerabilities:

- Three vulnerabilities that involve the cross-domain security model of Internet Explorer, which keeps windows of different domains from sharing information. These vulnerabilities could result in the execution of script in the My Computer zone. To exploit one of these vulnerabilities, an attacker would have to host a malicious Web site that contains a Web page that is designed to exploit the particular vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message that designed to exploit one of these vulnerabilities and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message an attacker who exploited one of these vulnerabilities could access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system. This code would run in the security context of the currently logged on user.

- A vulnerability that involves the way that zone information is passed to an XML object within Internet Explorer. This vulnerability could allow an attacker to read local files on a user's system. To exploit this vulnerability, an attacker would have to host a malicious Web site that contains a Web page that is designed to exploit the particular vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message that is designed to exploit this vulnerability and persuade the user to view the HTML e-mail message. After the user visits the malicious Web site or views the malicious HTML e-mail message, the user would then be prompted to download an HTML file. If the user accepts the download of this HTML file, an attacker could read local files that are in a known location on the user's system.

- A vulnerability that involves performing a drag-and-drop operation during dynamic HTML (DHTML) events in Internet Explorer. This vulnerability could allow a file to be saved in a target location on the user's system if the user clicks a link. No dialog box would request that the user approve this download. To exploit one of these vulnerabilities, an attacker would have to host a malicious Web site that contains a Web page that has a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that has a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, code of the attacker's choice could be saved on the user's computer in a targeted location.

As with the previous Internet Explorer cumulative updates that were released with bulletins MS03-004, MS03-015, MS03-020, MS03-032, and MS03-040, this cumulative update causes the window.showHelp( ) control to no longer work if you have not applied the HTML Help update. If you have installed the updated HTML Help control from Knowledge Base article 811630, you will still be able to use HTML Help functionality after you apply this update.

Windows NT Embedded with Service Pack 6a

For information on NT Embedded devices, click here for update details.

Windows NT Embedded with Service Pack 6 and Windows NT Embedded with Service Pack 5

Important Note:

The original release of Windows NT Embedded 4.0, included Windows NT Embedded with Service Pack 5. If you have made no updates to your device, this is the version of Windows NT Embedded that you have. If you are an end user of a device running either of these operating systems, you can follow the step-by-step directions described in Help Protect Windows NT Embedded-based Devices by Upgrading to Windows NT Service Pack 6a.

Product Support
If you have any issues regarding application of this patch:

Contact Support.
Get information and support from peers from the Microsoft Newsgroups.
For more information on the patch, visit the Microsoft.com Security site.

YOU MAY NOT PROVIDE THIS UPDATE OR THE LOCATION (URL) OF THIS UPDATE TO ANY THIRD PARTIES.

Top of page

System Requirements

Supported Operating Systems: Windows Server 2003; Windows XP; Windows XP Embedded

Requires the English Version of Windows XP Embedded with Service Pack 1. See the Windows XP Embedded System Requirements for details.

Top of page

Instructions

Important: This QFE requires Repository look-up may cause incorrect files to be copied (Q811279) be installed prior to this fix.

Download Q824145_XPE_SP2_x86_ENU.exe from this page.
Execute Q824145_XPE_SP2_x86_ENU.exe on a machine with the Windows XP Embedded with Service Pack 1 tools installed.

This package will automatically import updated and new .sld files into the current database specified in Component Database Manager. It will also copy new binaries into the Windows XP Embedded with Service Pack 1 QFE Repository folder.

Some of the .sld files may also require importing new repository objects. The new repositories will be created on the repository root holding the main Windows XP Embedded with Service Pack 1 repository. For information on moving repositories to other locations, see Moving a Repository in your Windows Embedded Studio documentation.

Updated Components: