Credit:
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
Affected Software:
* Microsoft Windows XP Service Pack 1 running Microsoft Data Access Components 2.7 Service Pack 1 - Download the update
* Microsoft Windows XP Service Pack 2 running Microsoft Data Access Components 2.8 Service Pack 1 - Download the update
* Microsoft Windows XP Professional x64 Edition running Microsoft Data Access Components 2.8 Service Pack 2 - Download the update
* Microsoft Windows Server 2003 running Microsoft Data Access Components 2.8 - Download the update
* Microsoft Windows Server 2003 Service Pack 1 running Microsoft Data Access Components 2.8 Service Pack 2 - Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems running Microsoft Data Access Components 2.8 - Download the update
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems running Microsoft Data Access Components 2.8 Service Pack 2 - Download the update
* Microsoft Windows Server 2003 x64 Edition running Microsoft Data Access Components 2.8 Service Pack 2 - Download the update
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Affected Components:
* Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.5 Service Pack 3 installed - Download the update
* Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.7 Service Pack 1 installed - Download the update
* Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.8 installed - Download the update
* Windows 2000 Service Pack 4 with Microsoft Data Access Components 2.8 Service Pack 1 installed - Download the update
* Windows XP Service Pack 1 with Microsoft Data Access Components 2.8 installed - Download the update
Note: The Affected Software section applies to MDAC that shipped with a Microsoft Windows operating system. The Affected Components section applies to MDAC that was downloaded and installed onto a Microsoft Windows operating system.
Microsoft strongly recommends that all customers who currently use a version of Windows that does not have Microsoft Data Access Components 2.7 Service Pack 1 or higher upgrade immediately to Microsoft Data Access Components 2.8 Service Pack 1 or another supported version. The only exception to this notice is customers who currently use Windows 2000 Service Pack 4 running Microsoft Data Access Components 2.5 Service Pack 3. See Knowledge Base Article 915387 for more information.
The security updates for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 also apply to Microsoft Windows Server 2003 R2.
Mitigating Factors for Microsoft Windows MDAC Vulnerability - CVE-2006-0003:
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability in the e-mail vector because reading e-mail messages in plain text is the default configuration for Outlook Express. See the FAQ section of this security update for more information about Internet Explorer Enhanced Security Configuration.
Workarounds for Microsoft Windows MDAC Vulnerability - CVE-2006-0003:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Disable the RDS.Dataspace ActiveX control from running within Internet Explorer
Disable attempts to instantiate the RDS.Dataspace ActiveX control in Internet Explorer by setting the kill bit for the control.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
For example, to set the kill bit for a CLSID for this object, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD96C556-65A3-11D0-983A-00C04FC29E36}]
"Compatibility Flags"=dword:00000400
Note For more information about how to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow the procedure that this article provides to create a Compatibility Flags value in the registry. By doing this, you will prevent the RDS.Dataspace ActiveX control from being instantiated in Internet Explorer.
Impact of Workaround: Any Web-based application that requires the RDS control to be instantiated within Internet Explorer will no longer function correctly.
* Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls in these zones
You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.
To raise the browsing security level in Microsoft Internet Explorer, follow these steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.
Note If no slider is visible, click Default Level, and then move the slider to High.
Repeat steps 1 through 3 for the Local intranet security zone by clicking on the Local intranet icon.
Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.
Impact of Workaround: Users will be prompted prior to running ActiveX controls unless the Web site is in the user's list of trusted sites.
* Configure Internet Explorer to prompt before running ActiveX controls or disable ActiveX controls in the Internet and Local intranet security zone
You can help protect against this vulnerability by changing your settings to prompt before running ActiveX controls or disable ActiveX controls in the Internet and Local intranet security zone. To do this, follow these steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls.
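For the first workaround (setting the kill bit for RDS.Dataspace), the following PowerShell is an added example and not part of the bulletin: it reports whether the 0x400 Compatibility Flags bit is set for the CLSID given above and, with the hypothetical -Apply switch, sets it while preserving any other flags. Checking the Wow6432Node view goes beyond the bulletin text; it is the registry view that 32-bit Internet Explorer reads on x64 Windows.

```powershell
# Added example, not from the bulletin. CLSID, key path and the 0x400 flag are
# the values given in the kill-bit workaround; -Apply is a hypothetical switch.
# Writing under HKLM requires an elevated session.
param([switch]$Apply)

$Clsid   = '{BD96C556-65A3-11D0-983A-00C04FC29E36}'   # RDS.Dataspace
$KillBit = 0x00000400
$Name    = 'Compatibility Flags'

# Native registry view, plus the 32-bit view when running on x64 Windows.
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node') {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatFlags {
    param([string]$KeyPath)
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }      # key or value absent: no flags set
    return [int]$item.$Name
}

function Test-KillBit {
    param([string]$KeyPath)
    return ((Get-CompatFlags $KeyPath) -band $KillBit) -eq $KillBit
}

function Set-KillBit {
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # OR the bit in so that any other compatibility flags are preserved.
    $value = (Get-CompatFlags $KeyPath) -bor $KillBit
    Set-ItemProperty -LiteralPath $KeyPath -Name $Name -Value $value -Type DWord
}

foreach ($root in $Roots) {
    $key = "$root\$Clsid"
    if ($Apply -and -not (Test-KillBit $key)) { Set-KillBit $key }
    [pscustomobject]@{ Key = $key; KillBitSet = (Test-KillBit $key) }
}
```

Run without -Apply to audit only; a row with KillBitSet False means the control can still be instantiated by Internet Explorer in that registry view.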
FAQ for Microsoft Windows MDAC Vulnerability - CVE-2006-0003:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What causes the vulnerability?
Under certain conditions, the RDS.Dataspace ActiveX control fails to ensure that it interacts safely when it is hosted on a Web page.
What is Remote Data Services (RDS)?
Remote Data Service (RDS) is a feature of ADO. You can use RDS to move data from a server to a client application or to a Web page, to manipulate the data on the client, and to return updates to the server in a single round trip.
Who could exploit the vulnerability?
An attacker could create an e-mail message that is specially crafted to try to exploit this vulnerability. An attacker could exploit the vulnerability by sending this specially crafted e-mail message to a user of a server that is running an affected software application. An attacker could then persuade the user to click a link in the e-mail message. In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user is logged on and reading e-mail messages or is visiting Web sites for any malicious action to occur. Therefore, any systems where e-mail messages are read or where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.
What does the update do?
The update removes the vulnerability by applying additional restrictions to the behavior of the RDS.Dataspace ActiveX control when it is hosted on a Web page.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.