|
|
|
|
| |
Credit:
The information has been provided by Microsoft Security.
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS06-020.mspx
|
| |
Vulnerable Systems:
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 Download the update
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) Review the FAQ section of this bulletin for details about these operating systems.
Immune Systems:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Windows XP Professional x64 Edition
Flash Player Vulnerability - CVE-2006-0024:
A remote code execution vulnerability exists in Macromedia Flash Player from Adobe because of the way that it handles Flash Animation (SWF) files. An attacker could exploit the vulnerability by constructing a specially crafted Flash Animation (SWF) file that could potentially allow remote code execution if a user visited a Web site containing the specially crafted SWF file or viewed an e-mail message containing the specially crafted SWF file as an attachment. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors for Flash Player Vulnerability - CVE-2006-0024:
* Customers that have followed the guidance in Adobe Security Bulletin APSB06-03 are not at risk from the vulnerability.
* By default, Microsoft Windows 2000 Service Pack 4, Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 do not ship with a vulnerable version of Flash Player installed. However, customers that have installed a version of Flash Player 7.0.62.0 or 8.0.22.0 or earlier on these versions of Windows are encouraged to follow the guidance in the Adobe Security Bulletin APSB06-03.
* In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
* An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
* The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail they could still be vulnerable to this issue through the Web-based attack scenario described previously.
* By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.
Workarounds for Flash Player Vulnerability - CVE-2006-0024:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer for Windows XP Service Pack 2
You can help protect against this vulnerability by temporarily preventing the Flash Player ActiveX control from running in Internet Explorer. On Windows XP Service Pack 2 use the Internet Explorer Manage Add-ons feature to disable the ActiveX control.
1. Start Internet Explorer.
2. On the Tools menu, click Manage Add-ons.
3. Locate and click on Shockwave Flash Object .
4. To disable the add-on, click Disable, and then click OK.
Note If you cannot locate the ActiveX control then use the drop-down box to switch from Add-ons currently being used in Internet Explorer to Add-ons that have been used by Internet Explorer and follow steps 3 and 4. If the ActiveX control is not present in this list you either have not used the ActiveX control before or it is not present on your system. See the workaround Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer for additional information.
For more information on the Internet Explorer Manage Add-ons feature in Windows XP Service Pack 2, see Microsoft Knowledge Base Article 883256.
Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.
To regain functionality you need to use the Internet Explorer Manage Add-ons feature to enable the ActiveX control.
* Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer
Temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer by setting the kill bit for the control.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
We recommend that you back up the registry before you edit it.
Use the following text to create a .reg file that temporarily prevents attempts to instantiate the Flash Player ActiveX control in Internet Explorer. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
Close Internet Explorer, and reopen it for the changes to take effect.
For detailed steps about stopping a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps and create a Compatibility Flags value in the registry to prevent the Flash Player ActiveX control from running in Internet Explorer.
Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.
To regain functionality you need to undo the kill bits for the Flash Player ActiveX control remove the registry keys added to temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer.
Modify the Access Control List on the Flash Player ActiveX control to temporarily prevent it from running in Internet Explorer
To modify the Access Control List (ACL) on the Flash Player ActiveX control to be more restrictive, follow these steps:
1. Click Start, click Run, type "cmd" (without the quotation marks), and then click OK.
2. Type the following commands at a command prompt. Make a note of the current files ACL s, including inheritance settings. You may need this list if you have to undo these modifications:
cacls %windir%\system32\Macromed\Flash\flash.ocx
cacls %windir%\system32\Macromed\Flash\swflash.ocx
3. Type the following command at a command prompt to deny the everyone group access to this file:
echo y|cacls %windir%\system32\Macromed\Flash\flash.ocx /d everyone
echo y|cacls %windir%\system32\Macromed\Flash\swflash.ocx /d everyone
4. Close Internet Explorer, and reopen it for the changes to take effect.
Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.
To regain functionality you need to undo the modifications to the Access Control List on the ActiveX control you have on your system.
Un-register the Flash Player ActiveX Control
To un-register the Flash Player ActiveX control, follow these steps:
1. Click Start, click Run, type "regsvr32.exe /u %windir%\system32\Macromed\Flash\flash.ocx" (without the quotation marks), and then click OK.
2. A dialog box confirms that the un-registration process has succeeded. Click OK to close the dialog box.
3. Click Start, click Run, type "regsvr32.exe /u %windir%\system32\Macromed\Flash\swflash.ocx" (without the quotation marks), and then click OK.
4. A dialog box confirms that the unregistration process has succeeded. Click OK to close the dialog box.
5. Close Internet Explorer, and reopen it for the changes to take effect.
Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.
To reregister the Flash Player ActiveX control, follow these steps:
1. Click Start, click Run, type "regsvr32.exe %windir%\system32\Macromed\Flash\flash.ocx" (without the quotation marks), and then click OK.
2. A dialog box confirms that the registration process has succeeded. Click OK to close the dialog box.
3. Click Start, click Run, type "regsvr32.exe %windir%\system32\Macromed\Flash\swflash.ocx" (without the quotation marks), and then click OK.
4. A dialog box confirms that the registration process has succeeded. Click OK to close the dialog box.
5. Close Internet Explorer, and reopen it for the changes to take effect.
* Restrict access to the Macromedia Flash folder by using a Software Restriction Policy
To restrict access to the Macromedia Flash folder (%windir%\system32\Macromed\Flash\) on Windows XP and later versions you can create a Software Restriction Policy. To create this policy, use a registry script or create a Group Policy setting to block the loading of the Flash Player ActiveX control.
For more information about Group Policy, visit the following Microsoft Web sites:
* Step-by-Step Guide to Understanding the Group Policy Feature Set
* Windows 2000 Group Policy
* Group Policy in Windows Server 2003
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Change Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
We recommend that you back up the registry before you edit it.
Use the following text to create a .reg file to restrict access to the Macromedia Flash folder. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"TransparentEnabled"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{2742f840-c2d8-4eb3-a486-0a9d0879f29f}]
"LastModified"=hex(b):10,c3,8a,19,c6,e3,c5,01
"Description"="Block Macromedia Flash"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,61,00,63,00,72,00,6f,\
00,6d,00,65,00,64,00,5c,00,66,00,6c,00,61,00,73,00,68,00,5c,00,2a,00,00,00
Change your Internet Explorer settings to prompt before running ActiveX controls or disable ActiveX controls in the Internet security zone and in the Local intranet security zone
You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:
1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the following method:
Restrict Web sites to only your trusted Web sites.
After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.
To do this, follow these steps:
1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.
Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). This is the site that will host the update, and it requires an ActiveX control to install the update.
* Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls in these zones
You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.
To raise the browsing security level in Microsoft Internet Explorer, follow these steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.
Note If no slider is visible, click Default Level, and then move the slider to High.
Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.
Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the following method:
* Remove the Flash Player from your system
If you want to remove Flash Player, refer to the Adobe Flash Player Support FAQ for instructions.
To regain functionality you need install the Flash Player ActiveX control from the Adobe Web site
FAQ for Flash Player Vulnerability - CVE-2006-0024.
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What causes the vulnerability?
An unchecked buffer in Flash Player.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
How could an attacker exploit the vulnerability?
An attacker could host a Web site containing the specially crafted SWF file that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition users are critically affected by this vulnerability. The security updates for Flash Player 6 are available for download only from the Windows Update Web site. Visit the Adobe website for updates to Flash Player 7 and higher. For more information about severity ratings, visit the following Web site.
What does the update do?
The update removes the vulnerabilities by modifying the way that the Flash Player handles Flash Animation (SWF) files.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This vulnerability is also discussed in Adobe Security Bulletin APSB06-03.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
Flash Player Vulnerability - CVE-2005-2628:
A remote code execution vulnerability exists in Macromedia Flash Player from Adobe because of the way that it handles Flash Animation (SWF) files. An attacker could exploit the vulnerability by constructing a malicious Flash Animation (SWF) file that could potentially allow remote code execution if a user visited a Web site containing the specially crafted SWF file or viewed an e-mail message containing the specially crafted SWF file as an attachment. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors for Flash Player Vulnerability - CVE-2005-2628:
* Customers that have followed the guidance in Macromedia Security Bulletin MPSB05-07 are not at risk from the vulnerability.
* By default, Microsoft Windows 2000 Service Pack 4, Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 do not ship with a vulnerable version of the Flash Player installed. However, customers that have installed a version of Flash Player 7.0.61.0 or 8.0.22.0 or earlier on these versions of Windows are encouraged to follow the guidance in the Adobe Security Bulletin APSB06-03.
* In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
* An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
* The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail they could still be vulnerable to this issue through the Web-based attack scenario described previously.
* By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.
Workarounds for Flash Player Vulnerability - CVE-2005-2628
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer for Windows XP Service Pack 2
You can help protect against this vulnerability by temporarily preventing the Flash Player ActiveX control from running in Internet Explorer. On Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 use the Internet Explorer Manage Add-ons feature to disable the ActiveX control.
1. Start Internet Explorer.
2. On the Tools menu, click Manage Add-ons.
3. Locate and click on Shockwave Flash Object .
4. To disable the add-on, click Disable, and then click OK.
Note If you cannot locate the ActiveX control then use the drop-down box to switch from Add-ons currently being used in Internet Explorer to Add-ons that have been used by Internet Explorer and follow steps 3 and 4. If the ActiveX control is not present in this list you either have not used the ActiveX control before or it is not present on your system. See the workaround Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer for additional information.
For more information on the Internet Explorer Manage Add-ons feature in Windows XP Service Pack 2, see Microsoft Knowledge Base Article 883256.
Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.
To regain functionality you need to use the Internet Explorer Manage Add-ons feature to enable the ActiveX control.
* Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer
Temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer by setting the kill bit for the control.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
We recommend that you back up the registry before you edit it.
Use the following text to create a .reg file that temporarily prevents attempts to instantiate the Flash Player ActiveX control in Internet Explorer. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
Close Internet Explorer, and reopen it for the changes to take effect.
For detailed steps about stopping a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps and create a Compatibility Flags value in the registry to prevent the Flash Player ActiveX control from running in Internet Explorer.
Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.
To regain functionality you need to undo the kill bits for the Flash Player ActiveX control remove the registry keys added to temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer.
* Modify the Access Control List on the Flash Player ActiveX control to temporarily prevent it from running in Internet Explorer
To modify the Access Control List (ACL) on the Flash Player ActiveX control to be more restrictive, follow these steps:
1. Click Start, click Run, type "cmd" (without the quotation marks), and then click OK.
2. Type the following commands at a command prompt. Make a note of the current files ACL s, including inheritance settings. You may need this list if you have to undo these modifications:
cacls %windir%\system32\Macromed\Flash\flash.ocx
cacls %windir%\system32\Macromed\Flash\swflash.ocx
3. Type the following command at a command prompt to deny the everyone group access to this file:
echo y|cacls %windir%\system32\Macromed\Flash\flash.ocx /d everyone
echo y|cacls %windir%\system32\Macromed\Flash\swflash.ocx /d everyone
4. Close Internet Explorer, and reopen it for the changes to take effect.
Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.
To regain functionality you need to undo the modifications to the Access Control List on the ActiveX control you have on your system.
* Unregister the Flash Player ActiveX Control
To unregister the Flash Player ActiveX control, follow these steps:
1. Click Start, click Run, type "regsvr32.exe /u %windir%\system32\Macromed\Flash\flash.ocx" (without the quotation marks), and then click OK.
2. A dialog box confirms that the unregistration process has succeeded. Click OK to close the dialog box.
3. Click Start, click Run, type "regsvr32.exe /u %windir%\system32\Macromed\Flash\swflash.ocx" (without the quotation marks), and then click OK.
4. A dialog box confirms that the unregistration process has succeeded. Click OK to close the dialog box.
5. Close Internet Explorer, and reopen it for the changes to take effect.
Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.
To reregister the Flash Player ActiveX control, follow these steps:
1. Click Start, click Run, type "regsvr32.exe %windir%\system32\Macromed\Flash\flash.ocx" (without the quotation marks), and then click OK.
2. A dialog box confirms that the registration process has succeeded. Click OK to close the dialog box.
3. Click Start, click Run, type "regsvr32.exe %windir%\system32\Macromed\Flash\swflash.ocx" (without the quotation marks), and then click OK.
4. A dialog box confirms that the registration process has succeeded. Click OK to close the dialog box.
5. Close Internet Explorer, and reopen it for the changes to take effect.
* Restrict access to the Macromedia Flash folder by using a Software Restriction Policy
To restrict access to the Macromedia Flash folder (%windir%\system32\Macromed\Flash\) on Windows XP and later versions you can create a Software Restriction Policy. To create this policy, use a registry script or create a Group Policy setting to block the loading of the Flash Player ActiveX control.
For more information about Group Policy, visit the following Microsoft Web sites:
* Step-by-Step Guide to Understanding the Group Policy Feature Set
* Windows 2000 Group Policy
* Group Policy in Windows Server 2003
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Change Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
We recommend that you back up the registry before you edit it.
Use the following text to create a .reg file to restrict access to the Macromedia Flash folder. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"TransparentEnabled"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{2742f840-c2d8-4eb3-a486-0a9d0879f29f}]
"LastModified"=hex(b):10,c3,8a,19,c6,e3,c5,01
"Description"="Block Macromedia Flash"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,61,00,63,00,72,00,6f,\
00,6d,00,65,00,64,00,5c,00,66,00,6c,00,61,00,73,00,68,00,5c,00,2a,00,00,00
* Change your Internet Explorer settings to prompt before running ActiveX controls or disable ActiveX controls in the Internet security zone and in the Local intranet security zone
You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:
1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the following method:
Restrict Web sites to only your trusted Web sites.
After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.
To do this, follow these steps:
1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
5. Repeat these steps for each site that you want to add to the zone.
6. Click OK two times to accept the changes and return to Internet Explorer.
Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). These are the sites that will host the update, and it requires an ActiveX control to install the update.
* Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls in these zones
You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.
To raise the browsing security level in Microsoft Internet Explorer, follow these steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.
Note If no slider is visible, click Default Level, and then move the slider to High.
Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.
Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the following method:
* Remove Flash Player from your system
If you want to remove Flash Player, refer to the Adobe Flash Player Support FAQ for instructions.
To regain functionality you need install the Flash Player ActiveX control from the Adobe Web site
FAQ for Flash Player Vulnerability - CVE-2005-2628:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What causes the vulnerability?
An unchecked buffer in Flash Player.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
How could an attacker exploit the vulnerability?
An attacker could host a Web site containing the specially crafted SWF file that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition users are critically affected by this vulnerability. The security updates for Flash Player 6 are available for download only from the Windows Update Web site. Visit the Adobe website for updates to Flash Player 7 and higher. For more information about severity ratings, visit the following Web site.
What does the update do?
The update removes the vulnerabilities by modifying the way that the Flash Player handles Flash Animation (SWF) files.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. The vulnerability had previously been addressed in Macromedia Security Bulletin MPSB05-07. It has been assigned Common Vulnerability and Exposure number CVE-2005-2628. This issue was also discussed in Microsoft Security Advisory (910550).
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.
|
|
|
|
|
