|
Brought to you by:
Suppliers of:
|
|
|
| |
| A remote code execution vulnerability exists in Collaboration Data Objects that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. |
| |
Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS05-048.mspx
|
| |
Affected Software:
* Microsoft Windows 2000 Service Pack 4 - Download the update (KB901017)
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update (KB901017)
* Microsoft Windows XP Professional x64 Edition - Download the update (KB901017)
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 - Download the update (KB901017)
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems - Download the update (KB901017)
* Microsoft Windows Server 2003 x64 Edition - Download the update (KB901017)
* Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004 - Download the update (KB906780)
Non-Affected Software:
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
* Microsoft Exchange Server 5.5
* Microsoft Exchange Server 2003
* Microsoft Exchange Server 2003 Service Pack 1
For more information about Exchange 2000 Server Post-Service Pack 3 Update Rollup see Microsoft Knowledge Base Article 870540.
CVE Information:
CAN-2005-1987
Mitigating Factors for Collaboration Data Objects Vulnerability:
* By default, Microsoft Internet Information Services (IIS) 5.0 Simple Mail Transfer Protocol (SMTP) and the Exchange 2000 Server SMTP service do not use the event sinks, which use the Cdosys.dll file and the Codex.dll file.
* By default, IIS 6.0 is not enabled on Windows Server 2003.
* IIS 6.0, when enabled, does not enable SMTP by default.
Workarounds for Collaboration Data Objects Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Disable all event sinks that are enabled on Exchange 2000 Server and on servers that are running IIS:
Disabling all event sinks will help protect the affected system from attempts to exploit this vulnerability. To disable the any custom or third-party event sinks, follow these steps:
1. Use the cscript.exe smtpreg.vbs /enum command-line command to enumerate all the registered event sinks. Examine the output of this command and look for custom or non-Microsoft software event sink entries.
2. After you identify the event sink that you want to disable, run the following command at a command prompt:
cscript.exe smtpreg.vbs /disable
Impact of Workaround: The custom or third-party application that has created the event sink in the SMTP service will not work correctly until the event sink is re-enabled.
* Unregister the Cdoex.dll file and the Cdosys.dll file on Exchange 2000 Server and unregister the Cdosys.dll file on servers that are running IIS:
* Unregistering the Cdoex.dll file and the Cdosys.dll file helps protect the affected system from attempts to exploit this vulnerability.
To disable the Cdoex.dll file and the Cdosys.dll file for Exchange 2000 Server, follow these steps.
Important You must follow these steps in the following order.
1. Run the following command at a command prompt:
Regsvr32.exe C:\Program Files\Common Files\Microsoft Shared\CDO\cdoex.dll /u
2. Run the following command at a command prompt:
Regsvr32.exe %windir%\system32\cdosys.dll /u
To disable the Cdosys.dll file for servers that are running IIS, type the following command at a command prompt:
1. Regsvr32.exe %windir%\system32\cdosys.dll /u
Impact of Workaround: Unregistering COM objects breaks programs that depend on the Cdosys.dll file or the Cdoex.dll file.
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
What causes the vulnerability?
An unchecked buffer in Collaboration Data Objects (CDO).
What is Collaboration Data Objects?
Collaboration Data Objects (CDO) is a Component Object Model (COM) component designed to, among other functions, make it easier to write programs that create or change Internet mail messages.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
On Microsoft Windows or Microsoft Exchange 2000 Server, any anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability.
How could an attacker exploit the vulnerability?
An attacker could attempt to exploit the vulnerability by creating a specially crafted message that would be processed by CDOSYS or CDOEX on an affected system. This message would most commonly be delivered through SMTP.
What systems are primarily at risk from the vulnerability?
Microsoft Windows and Microsoft Exchange 2000 are primarily at risk from this vulnerability if applications that call functions in CDOSYS or CDOEX are used to process messages.
What does the update do?
The update removes the vulnerability by modifying the way that CDO validates the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
|
|
|
|
|
