An ActiveX control that ships with Microsoft's Indexing Services is incorrectly marked as 'safe for scripting', which allows malicious web site operators to activate it when a user browsing from a vulnerable machine visits their web site.
This ActiveX control can be used to retrieve the properties of local files and, in some extreme cases, might allow the contents of local text files to be read.
Credit:
For more information about this vulnerability, see: http://www.microsoft.com/technet/security/bulletin/fq00-098.asp.
See the Microsoft TechNet Security page for more information about Microsoft security.
Vulnerable systems:
Index Server 2.0 (ships in Windows NT 4.0 Option Pack)
Indexing Services 3.0 (ships in Windows 2000)
Patch Availability
Indexing Service 3.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26595
Note: a patch has not been provided for Index Server 2.0, because this product should only be installed on web servers, which should never be used for browsing the Internet.
Note: This patch can be applied to systems running Windows 2000 Gold or Service Pack 1. It will be included in Windows 2000 Service Pack 3.
What's the scope of the vulnerability?
This vulnerability could enable a malicious web site operator to write a web application that could gather information about files on a visiting user's computer. Among the information the application could gather are the names and properties of folders and files on the user's machine. If Indexing Service were running, rather than just installed, the application also could use the vulnerability to search for files containing specific words.
The vulnerability does not provide any way to read the contents of files, except via a procedure that, as discussed below, is unlikely to be possible in most realistic cases. There is no capability to add, change or delete information on the user's computer via this vulnerability.
What causes the vulnerability?
An ActiveX control that ships as part of Indexing Service is incorrectly marked as "safe for scripting". The control allows files and folders to be enumerated; because it's marked safe for scripting, a web application could invoke it if a user visited the site using an affected machine.
What is Indexing Service?
Microsoft Indexing Service is a service that provides a means of quickly searching for files on the machine. The most familiar usage of the service is on web servers, where it provides the functionality behind site searches. However, Index Service 3.0 ships as part of all versions of Windows 2000 Server, so all Windows 2000 users could potentially be affected by the vulnerability.
Prior to Windows 2000, Indexing Service was known as Index Server. Index Server 2.0, which ships as part of the Windows NT 4.0 Option Pack, also is affected by the vulnerability. However, as discussed below, customers who follow recommended operational procedures could not be affected by it.
What's wrong with Indexing Service?
There's nothing wrong with the service itself. The vulnerability results because an ActiveX control that ships with Indexing Service is incorrectly marked as "safe for scripting". This allows it to be invoked by applications on web sites. The control provides functionality that would enable a web application to list file and folder names, and potentially learn other information as well.
What does "safe for scripting" mean?
Whenever a developer writes an ActiveX control, she needs to indicate whether a program on a web site can safely call the control. Web sites can potentially be operated by malicious people, so a control should only be callable by a site if its functionality cannot be misused to harm visitors to the site.
By marking a control "safe for scripting", the developer makes an assertion that the control is safe for use by web sites. Any control that isn't marked as "safe for scripting" can only be used by programs that run on the user's machine. The problem in this case is that an ActiveX control that ships with Indexing Service is incorrectly marked as "safe for scripting".
What would the control allow a web site to do?
The control could be used to perform two tasks:
It would allow a web application to enumerate files and folders on the user's machine. This would enable the malicious web site operator to learn the names of the files and folders, and to view their properties.
If Indexing Service were running on the user's machine, the control could be used to search files on the machine, and return a list of the ones that contain particular words.
What kind of information could a malicious web site operator learn by viewing file properties?
At a minimum, he could learn the date on which the file was created and the date when it was last modified. If information such as the title, creator's name, and subject had been stored, the malicious web site operator could read it as well. This information is not typically stored as part of text files and executable files, but it is generally stored as part of Office files.
Could the malicious web site operator read the files?
Not directly. The control would not enable the web application to open the file and simply read its contents. It only allows the files to be enumerated.
However, if Indexing Service were running on the user's machine, a roundabout method could be used under very unusual conditions to gain the file contents. If the web site operator performed a search on the user's machine for every word in the dictionary, he could compile a listing of the files that contain each word, and where in the file the word resides. He could then use this information to reconstruct the files. However, this clearly would take an extraordinary amount of time, and it is very unlikely that a visitor to a web site would stay connected to the site long enough for this to be done successfully.
Is Indexing Service running by default on Windows 2000 machines?
No. Although it is installed by default as part of all versions of Windows 2000, it does not run by default.
Could this vulnerability be used to change data on the user?s machine?
No. It could only be used to read data. There is no capability to add, change or delete data via the control.
Is the control present on all Windows 2000 machines?
Yes. The control ships as part of Indexing Service, and is installed by default on all Windows 2000 machines, regardless of whether Indexing Service is running or not.
Does this vulnerability represent a flaw in the ActiveX technology?
No. The vulnerability exists because a particular ActiveX control was incorrectly marked. There is no flaw in the ActiveX technology.
Why is there a patch for Indexing Service, but not for Index Server?
Although the vulnerability does affect both Indexing Service and Index Server, the difference in the way the two versions ship makes a radical difference in the risk the vulnerability poses.
Every copy of Windows 2000 includes Indexing Service, so every Windows 2000 user is potentially affected by the vulnerability. As a result, we've provided a patch to eliminate the vulnerability in Indexing Service.
In contrast, Index Server only ships as part of the Windows NT 4.0 Option Pack - it does not ship by default as part of any operating system. Moreover, the Option Pack is only intended for installation on web servers (indeed, it's the delivery vehicle for IIS 4.0). Thus, a user could only be affected by the Index Server vulnerability if he used his web server to browse untrustworthy Internet sites, which clearly is contrary to safe computing practices.
Who should use the patch?
Microsoft recommends that Windows 2000 users consider installing the patch on any machine used for web browsing.
What does the patch do?
The patch eliminates the vulnerability by removing the "safe for scripting" marking on the control.
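An administrator can audit which registered controls carry the "safe for scripting" marking described above, and whether Internet Explorer has been told not to load them. The following PowerShell is an added example, not code from the bulletin or from Microsoft; the function name Get-ScriptSafeControl is hypothetical, and the audit assumes the marking is recorded through the registry's component categories (a control that asserts safety only at run time through IObjectSafety will not be listed).

```powershell
# Added example: list COM classes registered as "safe for scripting" and their kill-bit state.
# On 64-bit Windows, run it from both 64-bit and 32-bit PowerShell to cover both registry views.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C14A4}'  # CATID_SafeForScripting
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C14A4}'  # CATID_SafeForInitializing
$KillBit    = 0x400   # "Compatibility Flags" bit that blocks instantiation in Internet Explorer
$ClsidRoot  = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$CompatRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ScriptSafeControl {
    Get-ChildItem -LiteralPath $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $cats  = "$($_.PSPath)\Implemented Categories"

        # Skip classes that do not register the safe-for-scripting category.
        if (-not (Test-Path -LiteralPath "$cats\$CatSafeForScripting")) { return }

        # Path of the DLL/OCX that implements the control (default value of InprocServer32).
        $server = Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        $binary = if ($server) { $server.'(default)' } else { $null }

        # A missing key or value means no kill bit has been set for this CLSID.
        $compat = Get-ItemProperty -LiteralPath "$CompatRoot\$clsid" -ErrorAction SilentlyContinue
        $flags  = 0
        if ($compat -and $null -ne $compat.'Compatibility Flags') {
            $flags = $compat.'Compatibility Flags'
        }

        [pscustomobject]@{
            Clsid               = $clsid
            Name                = $_.GetValue('')   # friendly name stored as the key's default value
            Server              = $binary
            SafeForInitializing = Test-Path -LiteralPath "$cats\$CatSafeForInitializing"
            KillBitSet          = ($flags -band $KillBit) -ne 0
        }
    }
}

# Controls still loadable from web pages sort first (KillBitSet = False).
Get-ScriptSafeControl | Sort-Object KillBitSet, Name | Format-Table -AutoSize
```

Running it before and after patching shows whether a control has dropped out of the list; the page does not give the affected control's CLSID, so the script reports every registered control rather than one specific entry.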