Credit:
The information has been provided by Microsoft Security Bulletin MS07-005.
The original article can be found at:
http://www.microsoft.com/technet/security/bulletin/ms07-005.mspx
Affected Software:
* Step-by-Step Interactive Training when installed on Microsoft Windows 2000 Service Pack 4
* Step-by-Step Interactive Training when installed on Microsoft Windows XP Service Pack 2
* Step-by-Step Interactive Training when installed on Microsoft Windows XP Professional x64 Edition
* Step-by-Step Interactive Training when installed on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
* Step-by-Step Interactive Training when installed on Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Step-by-Step Interactive Training when installed on Microsoft Windows Server 2003 x64 Edition
Mitigating Factors for Interactive Training Vulnerability - CVE-2006-3448:
* In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. Also, Web sites that accept or host user-provided content or advertisements, and compromised Web sites, may contain malicious content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger message that takes users to the attacker's Web site.
* An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
* The vulnerability could not be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message or must click a link that is provided in an e-mail message.
Workarounds for Interactive Training Vulnerability - CVE-2006-3448:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Disable the handler for Step-by-Step Interactive Training bookmark link files by removing the related registry keys.
Delete these keys to help reduce attacks. This workaround helps reduce attacks by preventing Step-by-Step Interactive Training from automatically opening the affected file types. The content can still be opened from within the Step-by-Step Interactive Training user interface.
Important This bulletin contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see Microsoft Knowledge Base Article 256986.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
1. Click Start, click Run, type regedt32, and then click OK.
2. In Registry Editor, locate the following registry subkeys:
HKEY_CLASSES_ROOT\.cbl (for Microsoft Press Interactive Training)
HKEY_CLASSES_ROOT\.cbm (for Interactive Training)
HKEY_CLASSES_ROOT\.cbo (for Microsoft Interactive Training)
3. For each subkey that is found, click the subkey, and then click DELETE.
4. In the Confirm Key Delete dialog box, click OK.
These actions can also be performed at a command prompt by using the following commands in the following order:
reg.exe export HKCR\.cbl c:\cbl.reg
reg.exe delete HKCR\.cbl /f
reg.exe export HKCR\.cbm c:\cbm.reg
reg.exe delete HKCR\.cbm /f
reg.exe export HKCR\.cbo c:\cbo.reg
reg.exe delete HKCR\.cbo /f
Impact of Workaround: Step-by-Step Interactive Training bookmark files can no longer be opened. The content can still be opened from within the Step-by-Step Interactive Training user interface.
* Do not open or save Step-by-Step Interactive Training bookmark link files (.cbo, .cbl, .cbm) that you receive from untrusted sources.
This vulnerability could be exploited when a user opens a .cbo, .cbl, or .cbm file. Do not open files that use these file name extensions. This workaround does not cover other vectors of attack such as Web browsing.
* Remove Step-by-Step Interactive Training by using the Add or Remove Programs tool in Control Panel.
To manually remove Step-by-Step Interactive Training from a system, follow these steps.
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Add or Remove Programs.
3. In the Add or Remove Programs dialog box, click the name of the affected program and then click Remove.
Note Affected versions are "Microsoft Press Interactive Training" and "Interactive Training." However, removing these programs may not be a complete workaround, because "Microsoft Interactive Training" does not create an Add or Remove Programs entry. "Microsoft Interactive Training" is based on the Orun32.exe file. Therefore, you must also manually verify that the Orun32.exe file is not present on your system.
4. Follow the instructions to complete the removal.
Impact of Workaround: After you remove the Step-by-Step Interactive Training application, any applications that depend on Step-by-Step Interactive Training will fail.
* Remove Step-by-Step Interactive Training.
Removing Step-by-Step Interactive Training will help prevent attacks. To remove Step-by-Step Interactive Training, follow these steps:
1. Click Start, click Run, and type:
%windir%\IsUninst.exe -x -y -a -f"%windir%\orun32.isu"
Note You may have to replace "orun32.isu" with "mrun32.isu" or "lrun32.isu," depending on the version of Step-by-Step Interactive Training that is installed. If you have several of these versions installed, you must remove them all.
Impact of Workaround: After you remove the Step-by-Step Interactive Training application, any applications that depend on Step-by-Step Interactive Training will fail.
* Delete or rename the Step-by-Step Interactive Training .ini program file.
If Step-by-Step Interactive Training cannot be removed by using the methods that are documented in this section of the security bulletin, you may be able to help prevent attacks by deleting or renaming the physical file. Delete or rename the %windir%\Orun32.ini file.
Note You may have to replace "Orun32.ini" with "Lrun32.ini" or "Mrun32.ini," depending on the version of Step-by-Step Interactive Training that is installed.
Impact of Workaround: After you disable the Step-by-Step Interactive Training application, any applications that depend on Step-by-Step Interactive Training may fail.
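To confirm which of the workarounds above actually took effect on a machine, the following read-only check reports the file-type handlers and program files this bulletin names. It is an added example, not part of the Microsoft bulletin; the function name is hypothetical, and looking for Orun32.exe in %windir% is an assumption (the bulletin gives that location only for the .isu and .ini files).

```powershell
# Added example: read-only audit for the artifacts named in MS07-005.
# It changes nothing; it only reports what is still present.
function Get-InteractiveTrainingExposure {
    param(
        # The bulletin places the .isu and .ini files in %windir%.
        [string]$WindowsDir = $env:windir
    )

    $findings = @()

    # File-type handlers that the registry workaround deletes.
    foreach ($ext in '.cbl', '.cbm', '.cbo') {
        $key     = "Registry::HKEY_CLASSES_ROOT\$ext"
        $present = Test-Path -LiteralPath $key
        $detail  = ''
        if ($present) {
            # The key's default value names the handler the extension maps to.
            $detail = (Get-ItemProperty -LiteralPath $key).'(default)'
        }
        $findings += [pscustomobject]@{
            Kind = 'Handler'; Item = "HKCR\$ext"; Present = $present; Detail = $detail
        }
    }

    # Uninstall scripts (.isu) and program .ini files for the three versions.
    $files = foreach ($base in 'orun32', 'mrun32', 'lrun32') {
        "$base.isu"; "$base.ini"
    }
    # Assumption: Orun32.exe is looked for in %windir% only.
    $files += 'Orun32.exe'

    foreach ($name in $files) {
        $path = Join-Path $WindowsDir $name
        $findings += [pscustomobject]@{
            Kind = 'File'; Item = $path
            Present = (Test-Path -LiteralPath $path -PathType Leaf); Detail = ''
        }
    }

    $findings
}

# Show only what is still present; an empty table means nothing was found.
Get-InteractiveTrainingExposure | Where-Object { $_.Present } | Format-Table -AutoSize
```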
FAQ for Interactive Training Vulnerability - CVE-2006-3448:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What causes the vulnerability?
An unchecked buffer in the process that is used by Step-by-Step Interactive Training to validate bookmark link files.
What is a bookmark link file?
Bookmark link files are created by using the Step-by-Step Interactive Training user interface. These files allow a user the ability to quickly and easily link to a particular topic. Bookmark link files are text files that contain the information that is required by Step-by-Step Interactive Training to view a topic.
What is Step-by-Step Interactive Training?
Step-by-Step Interactive Training is used as the engine for hundreds of interactive training titles that are provided by Microsoft Press and other vendors. The list of known titles that contain this software is provided in Microsoft Knowledge Base Article 898458. For more information about other available Microsoft Press titles that may contain this software see the Microsoft Press Web site. This Web site will only document titles that may contain this software. Because of the nature of the distribution of this software by Microsoft, by our manufacturing partners, and by our publishing partners, there is no definitive list of all the titles that may have provided this software or of manufacturers that may have preinstalled this software. We recommend installing the available security update if you believe that this software may be installed on your system. You can also use the information provided in the "How do I know if I have Step-by-Step Interactive Training installed on my system?" frequently asked question to scan your enterprise for the affected files.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
An attacker that could construct a specially crafted file and then persuade a user to visit a malicious Web site that opened this file, or an attacker that could persuade a user to open a specially crafted attachment provided in an e-mail message, could try to exploit this vulnerability.
How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code.
There are several additional ways that an attacker could try to exploit this vulnerability. However, user interaction is required to exploit this vulnerability in each of these ways. Some examples follow:
* An attacker could exploit the vulnerability by constructing a malicious Step-by-Step Interactive Training bookmark file (a .cbo, .cbl, or .cbm file) and then persuading the user to open the file.
* An attacker could send a malicious file as an attachment to a user through e-mail and then convince a user to open the attachment.
* An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
* In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also try to compromise a Web site to have it deliver a Web page that contains malicious content to try to exploit this vulnerability. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site or to a Web site that has been compromised by the attacker.
What systems are primarily at risk from the vulnerability?
Any operating system where Step-by-Step Interactive Training is installed is at risk from this vulnerability. Because this software is typically installed only on client systems, servers would typically not be at risk from the vulnerability.
What does the update do?
The update removes the vulnerability by modifying the way that Step-by-Step Interactive Training validates the contents of a bookmark file before Step-by-Step Interactive Training copies the content into the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.