– ———————————————————————-
Title: Unchecked Buffer in Network Share Provider Can Lead to
Denial of Service (Q326830)
Date: 22 August 2002
Software: Microsoft Windows NT 4.0 Workstation
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Sever Edition
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Windows XP Professional
Impact: Denial of Service
Max Risk: Moderate
Bulletin: MS02-045
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-045.asp.
– ———————————————————————-
Issue:
======
SMB (Server Message Block) is the protocol Microsoft uses to share
files, printers, serial ports, and also to communicate between
computers using named pipes and mail slots. In a networked
environment, servers make file systems and resources available to
clients. Clients make SMB requests for resources and servers make
SMB responses in what described as a client server, request-
response protocol.
By sending a specially crafted packet request, an attacker can mount
a denial of service attack on the target server machine and crash
the system. The attacker could use both a user account and anonymous
access to accomplish this. Though not confirmed, it may be possible
to execute arbitrary code.
Mitigating Factors:
====================
– – An administrator can block this attack by turning off anonymous
access. However, this does not prevent legitimate users from
exploiting this vulnerability.
– – An administrator can block access to SMB ports from untrusted
networks. By blocking TCP ports 445 and 139 at the network
perimeter, administrators can prevent this attack from untrusted
parties. In a file and printing environment, this may not be a
practical solution for legitimate users.
– – An administrator can stop the Lanman server service which prevents
the attack, but again may not be suitable on a file and print
sharing server.
Risk Rating:
============
– Internet systems: Low
– Intranet systems: Moderate
– Client systems: Moderate
Patch Availability:
===================
– A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-045.asp
for information on obtaining this patch.
– ———————————————————————
– ———————————————————————-
Title: Buffer Overrun in TSAC ActiveX Control Could Allow
Code Execution (Q327521)
Date: 22 August 2002
Software: Microsoft Terminal Services Advanced Client (TSAC)
ActiveX control, which can be installed on any
Windows system.
Impact: Run code of the attacker’s choice
Max Risk: Moderate
Bulletin: MS02-046
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-046.asp
– ———————————————————————-
Issue:
======
The Terminal Services Advanced Client (TSAC) web control is an
ActiveX control that can be used to run Terminal Services sessions
within Internet Explorer. The downloadable ActiveX control provides
nearly the same functionality as the full Terminal Services Client,
but is designed to deliver this functionality over the Web.
The TSAC control does not come installed as part of any Windows
client system. Instead, clients obtain the control from web
servers that offer terminal services. The configuration process
that enables an IIS server to provide terminal services involves
installing on the server a cabinet file containing the control.
The server then delivers the cabinet file to any client system
that needs it, and the client installs the control via the cabinet
file.
A security vulnerability results because the control contains an
unchecked buffer in the code that processes one of the input
parameters. By calling the control on a client system and
overrunning the buffer, an attacker could gain the ability to
run code in the security context of the currently logged on user.
This would enable the attacker to take any desired action on the
user’s system. The attacker could mount an attack by either
hosting a web page that exploits the vulnerability against any
user who visits it, or by sending an HTML mail to another user.
Mitigating Factors:
====================
– The vulnerability could only be exploited if the TSAC control
had been installed on the user’s system by an IIS server
hosting the control.
– The vulnerability poses no threat to servers that host it.
While housed on the server, the control is encapsulated in
a cabinet file and cannot be executed.
– The HTML mail-based attack vector could not be exploited on
systems where Outlook 98 or Outlook 2000 were used in
conjunction with the Outlook Email Security Update, or
Outlook Express 6 or Outlook 2002 were used in their
default configurations
Risk Rating:
============
– Internet systems: Low
– Intranet systems: Low
– Client systems: Moderate
Patch Availability:
===================
– A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-046.asp
for information on obtaining this patch.
Acknowledgment:
===============
– Ollie Whitehouse of @Stake (http://www.atstake.com)
– ———————————————————————
– ———————————————————————-
Title: Cumulative Patch for Internet Explorer (Q323759)
Date: 22 August 2002
Software: Internet Explorer
Impact: Six new vulnerabilities, the most serious of which
could enable an attacker to execute commands on a
user’s system.
Max Risk: Critical
Bulletin: MS02-047
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-047.asp.
– ———————————————————————-
Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for IE 5.01, 5.5 and 6.0. In addition,
it eliminates the following six newly discovered vulnerabilities:
– A buffer overrun vulnerability affecting the Gopher protocol
handler. This vulnerability was originally discussed in
Microsoft Security Bulletin MS02-027, which provided workaround
instructions while the patch provided here was being completed.
– A buffer overrun vulnerability affecting an ActiveX control used
to display specially formatted text. The control contains a buffer
overrun vulnerability that could enable an attacker to run code
on a user?s system in the context of the user.
– A vulnerability involving how Internet Explorer handles an HTML
directive that displays XML data. By design, the directive
should only allow XML data from the web site itself to be
displayed. However, it does not correctly check for the case
where a referenced XML data source is in fact redirected to a
data source in a different domain. This flaw could enable an
attacker?s web page to open an XML-based files residing a
remote system within a browser window that the site could
read, thereby enabling the attacker to read contents from
websites that users had access to but the attacker was not
able to navigate to.
– A vulnerability involving how Internet Explorer represents the
origin of a file in the File Download Dialogue box. This flaw
could enable an attacker to misrepresent the source of a file
offered for download in an attempt to fool users into
accepting a file download from an untrusted source believing
it to be coming from a trusted source.
– A Cross Domain verification vulnerability that occurs because
of improper domain checking in conjunction with the Object tag.
As a result, the vulnerability could enable a malicious web
site operator to access data across different domains, for
example one in a web site?s domain and the other on the
user?s local file system and then pass information from the
latter to the former. This could enable the web site operator
to read, but not change, any file on the user?s local computer
that could be viewed n a browser window. In addition, this can
also enable an attacker to invoke, but not pass parameters to,
an executable on the local system, much like the
“Local Executable Invocation via Object tag” vulnerability
discussed in MS02-015.
– A newly reported variant of the “Cross-Site Scripting in Local
HTML Resource” vulnerability originally discussed in
Microsoft Security Bulletin MS02-023. Like the original
vulnerability, this variant could enable an attacker to create
a web page that, when opened, would run in the Local Computer
zone, allowing it to run with fewer restrictions than it would
in the Internet Zone.
In addition, the patch sets the Kill Bit on the MSN Chat ActiveX
control discussed in Microsoft Security Bulletin MS02-022 as well
as the TSAC ActiveX control discussed in Microsoft Security
Bulletin MS02-046. This has been done to ensure that vulnerable
controls cannot be introduced onto users? systems. Customers
who use the MSN Chat control should ensure that they have applied
the updated version of the control discussed in MS02-022 and
customers who use the TSAC control should ensure that they
have applied the updated version of the control discussed
in MS02-046 .
Mitigating Factors:
====================
Buffer Overrun in Gopher Protocol Handler:
– The vulnerability would provide the attacker with user?s own
privileges on the system. Customers who run with fewer than
full privileges on the system would therefore be at lower risk.
Buffer Overrun in Legacy Text Formatting ActiveX Control:
– The vulnerable ActiveX control is not installed by default as
part of a current version of IE. Upon learning of the
vulnerability, Microsoft removed the download from its site
to minimize the likelihood that users would have the control
on their systems.
– The vulnerability would provide the attacker with the user?s
own privileges on the system. Customers who run with fewer
than full privileges on the system would therefore be at
lower risk.
– Customers who use Outlook Express 6.0 or Outlook 2002
(or Outlook 98 or 2000 in conjunction with the Outlook Email
Security Update) would by default by protected against
email-borne attacks via this vulnerability unless they
specifically clicked a link within the email message.
XML File Reading via Redirect:
– The vulnerability only provides a capability to read
XML-based files that they know the complete path to.
– The vulnerability could not be used to add, change or delete
files.
– Customers who use Outlook Express 6.0 or Outlook 2002
(or Outlook 98 or 2000 in conjunction with the Outlook Email
Security Update) would by default by protected against
email-borne attacks via this vulnerability.
File Origin spoofing:
– The vulnerability does not give an attacker the means to
place or run executables directly on the system: user
interaction is required in a successful attack.
Cross Domain Verification in Object Tag:
– The vulnerability would not enable the attacker to pass any
parameters to an executable program. Microsoft is not aware
of any programs installed by default in any version of
Windows that, when called with no parameters, could be used
to compromise the system.
– An attacker could only invoke a file on the victim?s local
machine. The vulnerability could not be used to execute a
program on a remote share or web site.
– The vulnerability would not provide any way for an attacker
to put a program of his choice onto another user?s system.
– An attacker would need to know the name and location of any
file on the system to successfully invoke it.
– The vulnerability could only be used to view or invoke files.
It could not be used to create, delete, or modify them.
– The vulnerability would only allow an attacker to read files
that can be rendered in a browser window, such as image files,
HTML files and ext files. Other file types, such as binary
files, executable files, Word documents, and so forth, could
not be read.
– Outlook 98 and 2000 (after installing the Outlook Email Security
Update), Outlook 2002, and Outlook Express 6 all open HTML mail
in the Restricted Sites Zone. As a result, customers using
these products would not be at risk from email-borne attacks.
Variant of Cross-Site Scripting in Local HTML Resource:
– Outlook 98 and 2000 (after installing the Outlook Email
Security Update), Outlook 2002, and Outlook Express 6 all
open HTML mail in the Restricted Sites Zone. As a result,
customers using these products would not be at risk from
automated email-borne attacks. However, these customers can
still be attacked if they choose to click on a hyperlink in a
malicious HTML email.
– Customers using Outlook 2002 SP1 who have enabled the “Read as
Plain Text” feature would be immune from the HTML email
attack. This is because this feature disables all HTML
elements, including scripting, from mail when it is displayed.
– Any limitations on the rights of the user’s account would
also limit the actions of the attacker’s script.
– Customers who exercise caution in what web sites they visit
or who place unknown or untrusted sites in the Restricted
Sites zone can potentially protect themselves from attempts
to exploit this issue on the web.
Aggregate Severity of all issues included in this patch
(including issues addressed in previously released patches):
============
– Internet systems: Critical
– Intranet systems: Critical
– Client systems: Critical
Patch Availability:
===================
– A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-047.asp
for information on obtaining this patch.
Acknowledgment:
===============
– GreyMagic Software (http://sec.greymagic.com/news/) for
reporting the XML File Reading via Redirect vulnerability.
– Mark Litchfield of Next Generation Security Software Ltd.
(http://www.nextgenss.com/) for reporting the Buffer Overrun
in Legacy Text Formatting ActiveX Control vulnerability.
– Jouko Pynnonen of Oy Online Solutions Ltd for reporting
the File Origin Spoofing vulnerability.
– ———————————————————————
