Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows 2000. The vulnerability allows a malicious user to run code on another user's machine.
Credit:
The information has been provided by Microsoft Product Security.
Affected Software Versions:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
An ActiveX control that ships as part of Windows 2000 contains an unchecked buffer. If the control were called from a web page or HTML mail using an especially malformed parameter, it would be possible to cause code to execute on the machine via a buffer overrun attack. This enables a malicious user to take any desired action on the user's machine, limited only by the permissions of the user.
The vulnerability could only be exploited if ActiveX controls are enabled in IE, Outlook or Outlook Express. The Security Zones feature in IE enables customers to limit what web sites can do, and customers who have used the feature to prevent untrusted sites from invoking ActiveX controls would be at minimal risk from the web-based attack scenario. Customers who have applied the Outlook Security Update would be protected against the mail-borne scenario, since it moves mail into the Restricted Sites Zone, thereby preventing HTML mails from invoking ActiveX controls.
Patch Availability:
- http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25532
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. A malicious user could exploit the vulnerability to run code of his choice on another user's computer, via either of two scenarios. If the malicious user operated a web site, he could use the vulnerability to attack users who visited his site. If he did not operate a web site, he could send the user an HTML mail that would exploit the vulnerability when opened. The code would be capable of taking any action on the user's computer that the user himself could take. This would likely include adding, creating or deleting files, formatting the hard drive, communicating with a web site, or other actions.
The vulnerability could only be exploited if ActiveX controls were allowed to run. This means that customers who have applied the Outlook Security Patch would be at no risk from the email-borne scenario, and customers who use IE's Security Zones could prevent the web-based scenario from succeeding.
What causes the vulnerability?
There is an unchecked buffer in an ActiveX control that ships as part of Windows 2000. By providing carefully crafted parameters when invoking the control, it would be possible to cause code of the caller's choice to run via a buffer overrun.
Is this a flaw in the ActiveX technology?
No. This vulnerability has nothing to do with the ActiveX technology per se, nor does it have anything to do with the ActiveX security model. The vulnerability results because there is an unchecked buffer in a specific ActiveX control.
How could a malicious user exploit this vulnerability?
The vulnerability could be exploited via either of two scenarios:
* Web-based. A malicious web site operator could code a web page on his site that invokes the ActiveX control using an especially malformed parameter, simply for the purpose of overrunning the buffer. If he did this, and a person who visited his site had ActiveX enabled, the malicious web site operator could potentially make code of his choice run on the visitor's computer.
* Email-based. A malicious user could create an HTML mail that invoked the ActiveX control using the malformed parameter, and then mail it to someone. When the recipient opened it, it could run code of the sender's choice on the recipient's computer, if he had ActiveX enabled in the Security Zone that his mail runs in.
What could code run via this vulnerability do?
The code would run on the user's machine, in the user's security context. It could therefore do anything that the user himself could do. If the user were using an account with very limited privileges, the code might be able to do very little. On the other hand, if the user were running in an administrator account, there would be virtually nothing the code could not do.
This is one reason why Microsoft recommends that customers always adhere to the least privilege guideline. Especially when using systems like Windows 2000 that provide the ability to tightly regulate users' privileges, there is always a payoff to limiting users to having only the minimal privileges they need.
Buffer overruns usually also carry a denial of service threat. Does this one?
Generally, an unchecked buffer can be overrun in either of two ways. If overrun with random data, it can be used to cause the affected program to crash in a denial of service attack. Alternatively, if overrun with carefully selected data, it can be used to run code.
In this case, both types of attack are feasible. However, the first case doesn't really pose a security risk. In such a case, the user's application (IE in the case of the web-based scenario; Outlook or Outlook Express in the case of the mail-based scenario) would crash, but the attack would have no other effect. The user could simply restart the application and resume normal operation.
How likely am I to be affected by this vulnerability?
For the case of the web-based scenario, it depends on your web browsing habits. The key thing to remember is that you have to visit a malicious web site in order to be affected by it. Most people visit a small number of familiar, professionally operated web sites, and it's unlikely that such a site would pose any risk. Users who surf lots of unknown web sites would be at greater risk. However, Security Zones provide a great way to manage your risk, and we recommend that customers use them.
In the case of the mail-based scenario, it depends on what Security Zone you read mail in. If you read mail in the Restricted Zone, you would be at no risk from this vulnerability. The Outlook Security Update configures Outlook to read mail in the Restricted Zone by default.
How would Security Zones help protect me against the web-based scenario?
The Security Zones feature of IE allows you to categorize the web sites you visit and specify what the sites in a particular category should be allowed to do. Among the options you can choose is whether web sites should be able to use ActiveX controls. A malicious web site operator could only exploit this vulnerability if ActiveX controls are allowed to run in your browser.
Microsoft recommends that customers routinely use the Security Zones feature. We recommend putting the sites that you visit frequently and trust into the Trusted Zone. All sites that you haven't otherwise categorized will reside in the Internet Zone. You can then configure the zones to give the appropriate privileges to the web sites in these zones.
How would Security Zones help protect me against the mail-borne scenario?
Both Outlook and Outlook Express allow you to select a Security Zone in which HTML mail will be opened. This subjects HTML mail to the same restrictions as a web site in that zone. As a general rule, it's a good idea to put mail in the Restricted Zone. The Outlook Security Update will do this for you automatically.
How common are buffer overrun vulnerabilities?
It's been estimated that anywhere from two-thirds to three-quarters of all computer security vulnerabilities involve a buffer overrun. They occur in all vendors' products, and are an industry problem. Microsoft is working hard to develop coding and testing methods that will reduce or eliminate buffer overrun vulnerabilities in its software.
Who should use the patch?
Microsoft recommends that Windows 2000 users consider applying the patch on any machine that is used for web browsing or email.
What does the patch do?
The patch eliminates the vulnerability by causing the control to check the length of all parameters before using them.
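As an added illustration (not the control's code, which the bulletin does not show), the unchecked copy described under "What causes the vulnerability?" and "Buffer overruns usually also carry a denial of service threat" is placed beside the length check that the patch is described as adding. The buffer size, function names and parameter values are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size buffer standing in for the control's internal
 * storage. The real control, its buffer size and its parameter name are not
 * given on the page, so these are constructed for illustration only. */
#define PARAM_BUF_SIZE 64

/* Before the fix: the parameter is copied with no length check, the
 * "unchecked buffer" the bulletin describes. A parameter longer than
 * PARAM_BUF_SIZE - 1 bytes writes past the end of dst. */
static void set_param_unchecked(char *dst, const char *param)
{
    strcpy(dst, param);   /* no bound on the copy */
}

/* After the fix: the parameter length is checked before it is used, which
 * is what the patch is described as doing. Over-long input is refused and
 * dst is left untouched, so the worst case is a rejected parameter. */
bool set_param_checked(char *dst, size_t dst_size, const char *param)
{
    size_t len = strlen(param);
    if (len >= dst_size)          /* leave room for the terminating NUL */
        return false;
    memcpy(dst, param, len + 1);
    return true;
}

/* Constructed inputs: a well-formed parameter and an over-long one, standing
 * in for the malformed parameter the bulletin mentions. Returns 1 when the
 * checked copy accepts the first and rejects the second, 0 otherwise. */
int demo_length_check(void)
{
    char buf[PARAM_BUF_SIZE];
    char long_param[PARAM_BUF_SIZE * 2];

    memset(long_param, 'A', sizeof long_param - 1);
    long_param[sizeof long_param - 1] = '\0';

    bool ok_short = set_param_checked(buf, sizeof buf, "normal-value");
    bool ok_long  = set_param_checked(buf, sizeof buf, long_param);

    /* The unchecked copy is only safe with input that fits the buffer. */
    set_param_unchecked(buf, "normal-value");

    return ok_short && !ok_long && strcmp(buf, "normal-value") == 0;
}
```

The same over-long input that the checked version rejects is exactly the input that, passed to the unchecked version, would overwrite adjacent memory; whether that produces a crash or code execution depends only on what the bytes contain, as the bulletin's denial-of-service answer explains.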
How do I use the patch?
Knowledge Base article Q278511 contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article Q278511 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.