Credit:
The information has been provided by Microsoft Security.
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS06-010.mspx
Vulnerable Systems:
* Microsoft Office 2000 Service Pack 3
* PowerPoint 2000
Immune Systems:
* Microsoft Office XP Service Pack 3
* PowerPoint 2002
* Microsoft Office 2003 Service Pack 1 or Service Pack 2
* PowerPoint 2003
Mitigating Factors for PowerPoint Temporary Internet Files Information Disclosure Vulnerability - CVE-2006-0004:
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
Workarounds for PowerPoint Temporary Internet Files Information Disclosure Vulnerability - CVE-2006-0004:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Back up and remove the vnd.ms-powerpoint MIME type
Removing the vnd.ms-powerpoint registry key helps protect the affected system from attempts to exploit this vulnerability. To back up and remove the vnd.ms-powerpoint registry key, follow these steps:
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
Note We recommend backing up the registry before you edit it.
1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK.
2. Expand HKEY_CLASSES_ROOT\MIME\Database\Content Type, and then click application/vnd.ms-powerpoint.
3. Click File, and then click Export.
4. In the Export Registry File dialog box, type a file name in the File Name box, and then click Save.
5. Click Edit, and then click Delete to remove the registry key.
6. In the Confirm Key Delete dialog box, you receive an Are you sure you want to delete this key and all of its subkeys message. Click Yes.
Impact of Workaround: This workaround removes the MIME entry point for PowerPoint.
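A scripted form of the backup-and-remove steps above, useful when the workaround has to be applied to several machines. This is an added example, not part of the Microsoft bulletin; it assumes reg.exe is available, an elevated PowerShell session, and a hypothetical backup directory C:\RegBackup. The key is deleted only after the export has been verified.

```powershell
# Added example: scripted backup-and-remove of the PowerPoint MIME key.
# Assumptions: reg.exe is on the PATH, the session is elevated, and
# $BackupDir is a hypothetical location chosen for this example.
$Key       = 'HKCR\MIME\Database\Content Type\application/vnd.ms-powerpoint'
$BackupDir = 'C:\RegBackup'
$Backup    = Join-Path $BackupDir ("vnd.ms-powerpoint-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# reg.exe is used rather than the PowerShell registry provider, which
# treats the "/" in the key name as a path separator.
function Test-MimeKey {
    & reg.exe query $Key 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

if (-not (Test-MimeKey)) {
    Write-Output 'Key not present; nothing to remove.'
    return
}

# Steps 3-4: export the key before touching it, then verify the export.
New-Item -ItemType Directory -Path $BackupDir -Force -ErrorAction Stop | Out-Null
& reg.exe export $Key $Backup | Out-Null
$exported = ($LASTEXITCODE -eq 0) -and (Test-Path $Backup) -and
    (Select-String -Path $Backup -SimpleMatch -Pattern 'application/vnd.ms-powerpoint' -Quiet)
if (-not $exported) {
    throw "Backup to $Backup failed or is incomplete; key left in place."
}

# Steps 5-6: delete the key and its subkeys (/f suppresses the prompt).
& reg.exe delete $Key /f | Out-Null
if ($LASTEXITCODE -ne 0 -or (Test-MimeKey)) {
    throw "Delete failed; key is still present. Backup is at $Backup."
}
Write-Output "Removed $Key. Backup saved to $Backup."
```

To undo the workaround after the update is installed, import the saved file with `reg import`.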
Configuration of Internet Explorer to open Office documents in the appropriate Office program instead of in Internet Explorer
1. Open My Computer.
2. On the Tools menu (or the View menu), click Folder Options (or click Options).
3. Click the File Types tab.
4. In the Registered file types list, click the specific Office document type (for example, Microsoft Excel Worksheet), and then click Advanced (or click Edit).
5. In the Edit File Type dialog box, click to clear the Browse in same window check box (or click to clear the Open Web documents in place check box).
6. Click OK.
Note If you are running Terminal Server on Windows 2000 or Windows Server 2003, you may not be able to click Advanced to open the Edit File Type dialog box in step 4 of this procedure. This issue occurs if the NoFileAssociate policy is enabled. Enabling this policy prevents users (including administrators) from changing file type associations for all users. For additional information about this behavior, see Microsoft Knowledge Base Article 257592.
Impact of Workaround: This workaround configures Internet Explorer to open Office files in the appropriate Office program.
FAQ for PowerPoint Temporary Internet Files Information Disclosure Vulnerability - CVE-2006-0004:
What is the scope of the vulnerability?
This is an Information Disclosure vulnerability. An attacker who successfully exploited this vulnerability could remotely attempt to access objects in the Temporary Internet Files Folder (TIFF) explicitly by name. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce useful information that could be used to try to further compromise the affected system.
What causes the vulnerability?
This issue is caused by the interaction between PowerPoint and Internet Explorer when PowerPoint attempts to render HTML data.
How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site that contains a PowerPoint presentation that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
If the user is enticed into clicking the PowerPoint presentation, the attacker's malicious script will run and can attempt to access objects in the Temporary Internet Files Folder (TIFF) explicitly by name.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.
What does the update do?
The update modifies PowerPoint such that, when the user clicks on a PowerPoint presentation on a Web site, PowerPoint warns the user that the presentation about to be opened may be unsafe. In such a case, the user may then cancel opening the presentation.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.