Security

Another Critical Microsoft Hole 601

gmuslera writes "As if the recent vulnerability in IE that can run any program on an unpatched Windows system was not enough, now there is another, related to an ActiveX control, that can make IE and IIS run any code on the system. The Microsoft solution? Kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recommendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."
This discussion has been archived. No new comments can be posted.

  • by henben ( 578800 ) on Thursday November 21, 2002 @10:52AM (#4722598)
    Interestingly, that page doesn't render properly in Opera 7 Beta unless you identify as MSIE - when it works fine.
  • by terradyn ( 242947 ) on Thursday November 21, 2002 @10:55AM (#4722629)
    Reproduced for your enjoyment:

    What steps could I follow to prevent the control from being silently re-introduced onto my system?

    The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:

    1. In Internet Explorer, choose Tools, then Internet Options.
    2. Select the Content tab. In the Certificates section of the page, click on Publishers.
    3. In the Certificates dialog, click on the Trusted Publishers tab.
    4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
    5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.
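On current Windows versions the Trusted Publishers list from the steps above is exposed as the `TrustedPublisher` certificate store, so the same review and cleanup can be scripted. This is an added example, not part of the quoted Microsoft instructions or of the comment; the function names `Get-TrustedPublisher` and `Clear-TrustedPublisher` and the backup directory are hypothetical, and it assumes Windows PowerShell 3.0 or later with the built-in `Cert:` provider.

```powershell
# Added example: audit, then optionally empty, the Trusted Publishers stores.
# Function names and the backup path are hypothetical, not from the bulletin.

function Get-TrustedPublisher {
    [CmdletBinding()]
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string[]]$Scope = @('CurrentUser', 'LocalMachine')
    )
    foreach ($s in $Scope) {
        # Each entry here is a publisher whose signed code installs without a prompt.
        Get-ChildItem -Path "Cert:\$s\TrustedPublisher" -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Scope       = $s
                    Subject     = $_.Subject
                    Thumbprint  = $_.Thumbprint
                    NotAfter    = $_.NotAfter
                    Expired     = ($_.NotAfter -lt (Get-Date))
                    Certificate = $_
                }
            }
    }
}

function Clear-TrustedPublisher {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string[]]$Scope = @('CurrentUser'),

        # Optional folder that receives a .cer copy of each removed certificate.
        [string]$BackupDirectory
    )
    foreach ($entry in Get-TrustedPublisher -Scope $Scope) {
        $target = "$($entry.Scope): $($entry.Subject)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove from Trusted Publishers')) {
            if ($BackupDirectory) {
                # Export the public certificate only, so the entry can be re-imported later.
                $file  = Join-Path $BackupDirectory ("{0}-{1}.cer" -f $entry.Scope, $entry.Thumbprint)
                $bytes = $entry.Certificate.Export(
                    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
                [System.IO.File]::WriteAllBytes($file, $bytes)
            }
            # The LocalMachine store requires an elevated session.
            Remove-Item -LiteralPath $entry.Certificate.PSPath
        }
    }
}

# Review the list first, then preview the removal without changing anything:
#   Get-TrustedPublisher | Format-Table Scope, Subject, NotAfter, Thumbprint
#   Clear-TrustedPublisher -Scope CurrentUser -BackupDirectory C:\Temp\tp-backup -WhatIf
```

An empty store means every signed control prompts before installation, including one carrying a still-valid signature on an older, vulnerable version.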
  • Re:why? (Score:5, Informative)

    by jandrese ( 485 ) <kensama@vt.edu> on Thursday November 21, 2002 @10:59AM (#4722665) Homepage Journal
    Because if you don't bring these problems out into the open, Microsoft won't fix them. There have been several cases in the past where security vulnerabilities were left unpatched until people started clamoring for a fix. Also, this hole is rather severe (if a similar hole was found in SSH or Apache Slashdot would announce it) and the fact that it is digitally signed makes it unusual and newsworthy.
  • by Kanagawa ( 191142 ) on Thursday November 21, 2002 @11:04AM (#4722723) Homepage
    I'm no M$ fan, but I deal with it at work so I make a point at figuring out how to deal with the problems. Frankly, this isn't a surprise. The most well secured enterprises I've seen allow only internal ActiveX publishers -- ActiveX is just too hard to make safe.

    Looking forward, I recently picked up .NET Framework Security [amazon.com] -- anyway, it seems like Microsoft is at least attempting to solve this particular problem. And, their approach isn't completely idiotic. Really.

    Mobile code that runs in the .NET common language runtime (read: M$ JVM) is controlled by a fairly sophisticated access control system. The default policy in XPsp1 from M$ allows no code from the Internet to execute, at all. Not exactly what I want as a user, but it's what I want as an admin...

    Frustratingly, you can't run .NET mobile code without also enabling ActiveX controls. Not sure what the issue there is, but I suspect the CLR loader is some sort of ActiveX control. Anyone know about that?

    Anyway... here's some additional links to M$ references on mobile code:

    Security in .NET: Enforce Code Access Rights... [microsoft.com]
    Security in the .NET Framework [microsoft.com]

  • Install MDAC 2.7 (Score:4, Informative)

    by Brazzo ( 22202 ) on Thursday November 21, 2002 @11:07AM (#4722749) Homepage
    Yes, there are still bugs with MDAC 2.6; install MDAC 2.7. You'll note at the bottom of the security update that MDAC 2.7 is not affected by this issue.

    Here's a URL for you, even...

    MDAC 2.7 Refresh [microsoft.com]

    Keeping Windows secure is hard, but it's easier if you install the recent components...

  • Re:More Bias (Score:1, Informative)

    by Anonymous Coward on Thursday November 21, 2002 @11:08AM (#4722756)
    If you read the article, their advice is to "make sure you have no trusted publishers, including Microsoft." Every time that you hit a website that uses an ActiveX control, you'll get a warning message.

    So they are requesting that people do what most people here recommend already - don't trust anyone.

  • by Futurepower(R) ( 558542 ) on Thursday November 21, 2002 @11:10AM (#4722777) Homepage

    While researching the article linked below, I developed the impression that Microsoft has for years allowed its programmers to submit sloppy code. Now bugs are not easily found or fixed because everything is a mess.

    Windows XP Shows the Direction Microsoft is Going [hevanet.com].
  • Re:why? (Score:5, Informative)

    by GnomeKing ( 564248 ) on Thursday November 21, 2002 @11:13AM (#4722801)
    Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

    I guess the same reason that...
    Security Vulnerabilities in KDE 2.1-3.0.4, 3.1 RC3 [slashdot.org]
    Trojan Found in libpcap and tcpdump [slashdot.org]
    Bind 4 and 8 Vulnerabilities [slashdot.org]
    and
    Vulnerability In Linksys Cable/DSL Router [slashdot.org]

    were posted?

    i.e. this particular article would have been posted were it about windows, redhat, solaris or pretty much any other "widely used" system
  • by Theodore Logan ( 139352 ) on Thursday November 21, 2002 @11:18AM (#4722850)
    Perhaps it's the same exploits mentioned in the linked Slashdot article, and in that case pardon my ignorance. If not, I haven't seen these nine security holes [greymagic.com] talked about at too many places. Why I don't know. They are certainly vicious.

    However, I am getting a little tired at all the MS bashing on Slashdot. It has been said before, but do we really need to have a story posted each time an Outlook/Explorer security breach, no matter how insignificant, is made public?
  • Re:why? (Score:5, Informative)

    by _bug_ ( 112702 ) on Thursday November 21, 2002 @11:20AM (#4722865) Journal
    Because in a recent /. story [slashdot.org] there is reference to a recent /. poll [slashdot.org] which shows 47% of those who responded still use a Windows operating system.

    Nearly half of /. users use Windows.

    This would seem to validate the need to have stories about Microsoft software bugs, especially those as grievous as this, on /.
  • And in the future (Score:1, Informative)

    by Anonymous Coward on Thursday November 21, 2002 @11:21AM (#4722877)
    make sure that when you are prompted to accept a certificate from Microsoft, make sure you don't have a check in the box "always trust content from Microsoft".
  • Re:Better fix (Score:2, Informative)

    by murgee ( 615127 ) on Thursday November 21, 2002 @11:44AM (#4723063) Homepage
    Well, actually it does... Start->Run->cmd->ftp ftp.mozilla.org :)

    It sucks, though. but you didn't say anything about the FTP client needing to be good..
  • Re:Question (Score:5, Informative)

    by gmoschin ( 579009 ) <giuliano@moschini.org> on Thursday November 21, 2002 @11:48AM (#4723111) Homepage
    Actually, you can.. at least, on Windows XP.. I haven't tried earlier versions.

    Create a shortcut to Internet Explorer.

    Right-click the shortcut, choose "Run As.."

    The option "Current User" and "Protect my computer and data from unauthorized program activity" should be checked.

    Click OK to run Internet Explorer in "secure mode".

    Caveats to running in this mode:
    Your bookmarks or links won't appear, but they'll still be there if you run it in normal mode.
    Other web-based programs may not run correctly.

    You can test to see if it's working by going to Windows Update - if it's secure, you'll see something about having to run Windows Update as an administrator.
  • by ChaosDiscord ( 4913 ) on Thursday November 21, 2002 @11:51AM (#4723146) Homepage Journal
    The lack of an snprintf method in the DevStudio standard C lib...
    From my time as a Windows developer, I have a lot of grudges against Microsoft. (I've even publicly aired some of them [highprogrammer.com].) But I can't complain about lack of a snprintf. It's right here [microsoft.com], and has been for at least five years. If an obvious function appears to be missing, look for a version prefixed with an underscore. (Of course, it seems stupid to me that it's prefixed with an underscore, instead of conforming to other systems, but that's a different issue.)
  • by bored ( 40072 ) on Thursday November 21, 2002 @11:52AM (#4723152)
    Re-enable the runas service (it's on by default). Now try right clicking an exe with the shift button held down. See that "Run As..." menu item? Click it, now the program will run with alternate use privilege. Welcome to NT... What I want to know is why 99% of the fscking setup programs need to run as admin to install simple little applets into my user context..

  • by geoff lane ( 93738 ) on Thursday November 21, 2002 @11:56AM (#4723188)
    For those of us still running Win95 on hardware that cannot support '98 or XP there is no fix for the recent critical IE security problems.

    So, to fix this particular little problem needs a hardware replacement "upgrade" :-(

  • Re:Install MDAC 2.7 (Score:3, Informative)

    by stefanb ( 21140 ) on Thursday November 21, 2002 @11:56AM (#4723191) Homepage
    Yes, you need to install the patch.

    However, the issue is that even after you've installed the patch, you're still vulnerable, because the vulnerable version will be downloaded and executed as soon as you hit a Web page requesting that version, since it's signed by Microsoft, and most installs trust stuff signed by Microsoft.

    Sheesh, now /.er don't even read the blurb anymore?

  • by Anonymous Custard ( 587661 ) on Thursday November 21, 2002 @12:08PM (#4723291) Homepage Journal
    From the MS Technet article [microsoft.com]:

    Q: Why would an attacker be able to silently re-introduce the old version of the control? Shouldn't there be a warning message?

    A: A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.


    Ha! Microsoft is now providing very well written ammunition to the Anti-DRM movement; this makes me very happy.
  • Re:why? (Score:2, Informative)

    by SEWilco ( 27983 ) on Thursday November 21, 2002 @12:17PM (#4723369) Journal
    Well, like someone else in the /. apache section said... "Apache bugs never make the front page"

    Didn't I recently see on the front page an article about unpatched Apache servers? Wasn't this Apache OpenSSL Worm [slashdot.org] article on the front page last month?

  • by marauder404 ( 553310 ) <(marauder404) (at) (yahoo.com)> on Thursday November 21, 2002 @12:20PM (#4723398)
    did you read the EULA [microsoft.com]? You just sold your soul! 1 d (e)"indemnify, hold harmless, and defend Microsoft from and against any claims or lawsuits, including attorneys' fees, that arise or result from ...."
    Did you read the GPL [gnu.org]? (lameness filter requires changing to lowercase letters -- it comes in screaming caps)

    In no event unless required by applicable law or agreed to in writing will any copyright holder ... be liable to you for damages, including any general, special, incidental or consequential damages arising out of the use or inability to use the program (including but not limited to loss of data or data being rendered inaccurate or losses sustained by you or third parties or a failure of the program to operate with any other programs), even if such holder or other party has been advised of the possibility of such damages.

    Indemnification of software writers is standard practice. There are tons of better things you can use against Microsoft than this lame argument.
  • Re:More Bias (Score:3, Informative)

    by Archie Steel ( 539670 ) on Thursday November 21, 2002 @12:28PM (#4723471)
    It's not MS bashing, it's warning people of a dangerous bug/vulnerability so they can be better prepared to deal with it.

    Despite, what's wrong with bashing a 40-billion quasi-monopoly that dominates the OS and Office markets while doing its best to destroy the competition by spreading FUD and distributing payolas around? Vocal criticism and boycotting are the sole weapons of consumers in facing this juggernaut, and you'd want us to forfeit these as well? Are you a MS employee or shareholder? If not, then why does MS-bashing annoy you so much? In my view, MS has more than deserved all the bashing it can get!
  • RTFA (Score:2, Informative)

    by captainstupid ( 247628 ) <dmv&uakron,edu> on Thursday November 21, 2002 @01:19PM (#4723940) Journal
    I'm sorry, but it doesn't appear that anyone read the freaking article.

    From the MS TechNet article:
    * Customers using Windows XP, or who have installed MDAC 2.7 on their systems are at no risk and do not need to take any action.

    * Web server administrators who are running an affected version of MDAC should either install the patch, disable MDAC and/or RDS, or upgrade to MDAC 2.7, which is not affected by the vulnerability.


    The "fix" to this vulnerability is installing MDAC 2.7 which is available on all versions of Windows back to 98.

    Other than the fact that this is the 50,000th security patch that I have to install on all my machines, what's the big deal?
  • by mythosaz ( 572040 ) on Thursday November 21, 2002 @01:48PM (#4724204)
    The problem is not that Slashdot is picking and choosing bug reports in an attempt to make M$FT look bad. They're reporting bugs from all the "major" OSs. The problem is the bias in the reporting and by the upwards modded commentators. Take this example from the article (and the note which it closes on):

    The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

    NO! The 'solution' from Microsoft is that you just patch your MDAC to include the component from 2.7 or that you just update your MDAC to 2.7

    For Christ's sake people, if this were a *nix bug, you'd all be beating your "we know how to update our machines" drum complaining that only stupid Windows users don't use updates.

    Or perhaps it would be the "at least fixes are available immediately for *nix" argument. MDAC 2.7 isn't new, kids.

    Just report the bug, and report the CORRECT fix.

    You disagree with me. Mod me down.
  • by Pfhreakaz0id ( 82141 ) on Thursday November 21, 2002 @01:54PM (#4724267)
    Well, the way to do it is to turn on security auditing and log "failed" accesses (you don't want to do this permanently, turn on, run software, turn off). Then look at the log. You want to do this for registry as well. Sometimes it is a physical file, sometimes a registry key you need to give the "users" group permission to.

    It pisses me off, because I am doing the company's job. You can usually figure it out and write a script or bat file with cacls to apply the permissions the user needs.
  • by Atryn ( 528846 ) on Thursday November 21, 2002 @02:05PM (#4724376) Homepage
    OK, so you are saying that the combination of all open source projects from all developers in the OSS and Linux communities COMBINED had more vulnerabilities than MS ALONE had... Wow.

    We could look at vulnerabilities per line of code... But then MS has bloated code too... hmmm...
  • by Tired_Blood ( 582679 ) on Thursday November 21, 2002 @05:41PM (#4726453)
    From the recommendation page:
    Who could exploit the vulnerability?
    ...
    * Web client. A user could exploit the vulnerability against a web client if he or she were able to construct a web page that would send an appropriate HTTP command, and then convince a user to open it. Typically, this would be done by either hosting the page on a web site that the attacker controlled or sending it directly to users as an HTML mail.


    Also:
    A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.

    HTTP commands are the method for exploiting this vulnerability. By default, IE trusts MS. I must use HTTP commands to visit the MS site and thereby learn not to trust MS (as advised). But in doing so, I accepted anything that may be malicious, before I knew exactly how not to.

    From this point of view, it seems to be more of a Catch-22. But then, in that scenario, MS would host the malicious server, which would be horrible PR and therefore improbable.

    One last thing, AFAIK it's the "Paradox of the Lie" and not the "Liar's Paradox", since the classic example is a statement (Like: "This statement is false" or my sig: "This is not my sig."), and does not refer to a person or liar. I lost points on a philosophy paper for just that reason. Pissed me off enough that I still remember it today.
  • by Anonymous Coward on Thursday November 21, 2002 @09:20PM (#4728209)

    First of all, in their comparison of the number of critical bugs in Linux vs. Windows, they counted application bugs in the Linux totals, but not in the Windows totals. If they had included all the bugs in IE, IIS, Office, etc., the Microsoft numbers would have been MUCH higher.

    Their other deceitful manipulation of the statistics was that they counted every bug in every Linux package once for every distro they evaluated. So even barring the other deception, you have to divide their Linux bug count by 15 or something to get a meaningful comparison.

    A grain of salt ain't gonna cut it with this so-called "study". It's not just bad methodology; it's an outrageous pile of shit. You'd have to be a pointy-haired boss not to smell it.

  • Re:More design flaws (Score:3, Informative)

    by Mr_Silver ( 213637 ) on Friday November 22, 2002 @05:34AM (#4730586)
    Well if it is, it doesn't make you look any more intelligent by quoting his little unprovable bits and saying 'please sir, can I have some more?'

    Actually I asked if I could see some facts to back up his assertions. It's all very well saying MS is dragging the industry behind, but unless you've got credible sources then it's pure speculation. Give me facts, good solid facts.

    So, yea, congratulations, you've made yourself look like a bumbling idiot for picking only the parts of the post you disliked and putting them on the chopping block, while ignoring the point.

    Go read his post again. I quoted EVERYTHING. That was the ENTIRE post. I didn't dislike the post, I just wanted some facts.

    I don't dispute that MS is a bad thing - but when people start making claims that they drag the industry back then they need to quote some sources otherwise people will just bash it as mindless FUD.

    If you can cite a source that backs up your comments, you'll find people are very ready to believe you more. It's all very well screaming "MS is eeeeeevil" till you're blue in the face - but it doesn't exactly help change people's minds.
