Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: o-008.txt

Microsoft Troubleshooter ActiveX Control Buffer Overflow Vulnerability (CIAC O-008)





             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

     Microsoft Troubleshooter ActiveX Control Buffer Overflow Vulnerability
                     [Microsoft Security Bulletin MS03-042]

October 16, 2003 01:00 GMT                                        Number O-008
[REVISED 17 Oct 2003]
[REVISED 30 Oct 2003]
______________________________________________________________________________
PROBLEM:       A problem exists in the Windows Troubleshooter ActiveX Control 
               (Tshoot.ocx) causing it to not correctly validate parameters 
               under certain circumstances. An attacker could exploit this 
               vulnerability using a specially crafted Web Page, or e-mail 
               message. This would allow the attacker to run arbitrary code on 
               the system in the security context of the logged-in user. 
SOFTWARE:      MS Windows 2000, Service Pack 2 
               MS Windows 2000, Service Pack 3, Service Pack 4 
DAMAGE:        An attacker could install and run arbitrary code on a user's 
               system. 
SOLUTION:      Apply the appropriate patches or implement workarounds. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A remote attacker could install and run 
ASSESSMENT:    code as the logged-in user. Note that most users run with 
               administrator privileges. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-008.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?
                        url=/technet/security/bulletin/MS03-042.asp 
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2003-0661 
 ADDITIONAL LINKS:   CERT Advisory CA-2003-27
                     http://www.cert.org/advisories/CA-2003-27.html
______________________________________________________________________________
REVISION HISTORY:
10/17/03 - added link to CERT Advisory CA-2003-27.
10/30/03 - Microsoft released a revised security patch for Windows 2000
           to address the problem described in their Knowledge Base Article 
           #830846 where installation of the previous patch may stop 
           responding (hang). The revised patch contains version 5.4.1.0 of 
           Update.exe. Version 5.4.1.0 or later versions of Update.exe no 
           longer require the Debug Programs user right. 


[***** Start Microsoft Security Bulletin MS03-042 *****]
   
Microsoft Security Bulletin MS03-042  


Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code 
Execution (826232)
Issued: October 15, 2003 
Version Number: 1.0 

Summary
Who Should Read This Document:  Customers using Microsoft® Windows®

Impact of Vulnerability:  Remote Code Execution

Maximum Severity Rating:  Critical

Recommendation:  Customers should apply the patch immediately

Patch Replacement:  None

Caveats:  None

Tested Software and Patch Download Locations: 

Affected Software: 
Microsoft Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4 
Download the patch at:  
http://www.microsoft.com/downloads/details.aspx?FamilyId=
 FC1FD84B-B3A4-43F5-804B-A2608EC56163&displaylang=en

Non Affected Software: 
Microsoft Windows NT 4.0 
Microsoft Windows NT Server 4.0, Terminal Server Edition 
Microsoft Windows Millennium Edition 
Microsoft Windows XP 
Microsoft Windows Server 2003 
The software listed above has been tested to determine if the versions are 
affected. Other versions are no longer supported, and may or may not be 
affected.


Technical Details
Technical Description:

A security vulnerability exists in the Microsoft Local Troubleshooter 
ActiveX control. The vulnerability exists because the ActiveX control 
(Tshoot.ocx) contains a buffer overflow that could allow an attacker 
to run code of their choice on a user’s system. Because this control 
is marked "safe for scripting", an attacker could exploit this 
vulnerability by convincing a user to view a specially crafted 
HTML page that references this ActiveX control. The Microsoft 
Local Troubleshooter ActiveX control is installed as a default 
part of the operating system on Windows 2000.

To exploit this vulnerability, the attacker would have to create a 
specially formed HTML–based e-mail and send it to the user. 
Alternatively an attacker would have to host a malicious Web site 
that contained a Web page designed to exploit this vulnerability.

In the worst case, this vulnerability could allow an attacker to load 
malicious code onto a user's system and then to execute the code. The 
code would run in the context of the user. Therefore, the code is 
limited to any action that the legitimate user could take on the system. 
Any limitations on the user's account would also limit the actions of 
any arbitrary code that the attacker could execute.

The risk of attack from the HTML email vector can be significantly 
reduced if the following conditions are met:

You have applied the patch included with Microsoft Security bulletin 
MS03-040 

You are using Internet Explorer 6 or later 

You are using the Microsoft Outlook Email Security Update or Microsoft 
Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in 
their default configuration. 

Mitigating factors: 

A Web–based attack would only be successful if the attacker creates a 
Web site that contains a Web page that they use to exploit this 
vulnerability. An attacker would have no way to force users to visit 
the malicious Web site. Instead, the attacker would have to lure them 
there, typically by getting them to click a link in an email message 
that would takes them to the attacker's site. 

By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the 
Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail 
in the Restricted Sites Zone if the Outlook Email Security Update has 
been installed. Customers who use any of these products would be at a 
reduced risk from an e-mail borne attack that attempted to exploit this 
vulnerability unless the user clicked a malicious link in the email. 
An attacker’s code could only run with the same permissions as the logged 
on user. The specific privileges the attacker could gain through this 
vulnerability would therefore depend on the privileges granted to the 
user. Any limitations on the user's account would also limit the actions 
of any arbitrary code executed by this vulnerability. 

Severity Rating:

Microsoft Windows 2000 Critical 


The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0661 

Workarounds

Microsoft has tested the following workarounds. These workarounds will 
not correct the underlying vulnerability however they help block known 
attack vectors. Workarounds may cause a reduction in functionality in 
some cases – in such situations this is identified below.

Prompt before running of ActiveX controls in the Internet and Intranet 
zones: You can help protect against this vulnerability by changing your 
settings for the Internet security zone to prompt before running ActiveX 
components. To do this, perform the following steps: 

1. In Internet Explorer, select Tools, Internet Options 
2. Click on the Security tab 
3. Highlight the Internet icon and click on the Custom Level button 
4. Scroll through the list to the Active X controls and plug-ins section 
5. Under Run ActiveX controls and plug-ins click Prompt 
6. Click OK 
7. Highlight the Local Intranet icon and click on the Custom Level button 
8. Scroll through the list to the Active X controls and plug-ins section 
9. Under Run ActiveX controls and plug-ins click Prompt 
10. Click OK; then click OK again to return to Internet Explorer 

Impact of Workaround: 
Many Web sites on the Internet use ActiveX to provide additional 
functionality. For instance, an online e-commerce site or banking site 
might use ActiveX controls to provide menus, ordering forms, or even 
account statements. Prompting before running ActiveX controls is a 
global setting for all Internet and Intranet sites. You will be prompted 
frequently when you enable this work-around. For each prompt, if you 
feel you trust the site that you are visiting, click Yes to run ActiveX 
components. If you do not want to be prompted for all of these sites, 
you can instead use the "Restrict Web sites to only your trusted Web 
sites" workaround. 

Restrict Web sites to only your trusted Web sites. After requiring a 
prompt before running ActiveX in the Internet and Intranet zone, you 
can add sites that you trust into Internet Explorer’s Trusted sites. 
This will allow you to continue using trusted Web sites exactly as you 
do today, while protecting you from this attack on untrusted sites. 
Microsoft recommends that you only add sites that you trust to the 
trusted sites zone. 

To do this, perform the following steps:

1. In Internet Explorer, select Tools, then Internet Options. Click the 
Security tab. 
2. In the box labeled Select a Web content zone to specify its current 
security settings, click Trusted Sites, then click Sites. 
3. If you want to add sites that do not require an encrypted channel, 
click to clear the Require server verification (https:) for all sites 
in this zone check box. 
4. In the box labeled Add this Web Site to the zone, type the URL of a 
site that you trust, then click the Add button. Repeat for each site 
that you want to add to the zone.
5. Click OK twice to accept the changes and return to Internet Explorer. 
Add any sites that you trust not to take malicious action on your computer. 
One in particular that you may want to add is 
"*.windowsupdate.microsoft.com" (without the quotes). This is the 
site that will host the patch, and it requires the use of an ActiveX 
control to install the patch. 

Impact of Workaround: 
For those sites you have not configured to be in your Trusted sites zone, 
their functionality will be impaired if they require ActiveX controls to 
function properly. Adding sites to your Trusted sites zone will allow them 
to be able to download the ActiveX control required to function correctly. 
However you should only add Web sites you trust to the Trusted sites zone.

Install Outlook Email Security Update if you are using Outlook 2000 SP1 or 
Earlier. 

The Outlook Email Security Update causes Outlook 98 and 2000 to open 
HTML mail in the Restricted Sites Zone by default. Outlook Express 6.0 and 
Outlook 2002 by default open HTML mail in the Restricted Sites Zone. 
Customers who use any of these products would be at a reduced risk from 
an e-mail borne attack that attempts to exploit this vulnerability unless 
the user clicks a malicious link in the email 

If you are using Outlook 2002 or Outlook Express 6.0SP1 or higher, to 
help protect yourself from the HTML email attack vector, read email in 
plain text format. 

Users of Microsoft Outlook 2002 and Outlook Express 6.0 who have applied 
Service Pack 1 and or higher can enable a feature to view all 
non-digitally-signed e-mail or non-encrypted e-mail messages in plain 
text only.

Digitally signed e-mail or encrypted e-mail messages are not affected 
by the setting and may be read in their original formats. Information 
on enabling this setting in Outlook 2002 can be found in the following 
Knowledge Base article: 

http://support.microsoft.com/default.aspx?scid=kb;en-us;307594

Information on enabling this setting in Outlook Express 6.0 can be found 
in the following Knowledge Base article:

http://support.microsoft.com/?kbid=291387 

Impact of Workaround: 
E-mail viewed in plain text format cannot contain pictures, specialized 
fonts, animations, or other rich content. In addition: 

The changes are applied to the preview pane and open messages. 
Pictures become attachments to avoid loss. 
Since the message is still in Rich Text or HTML format in the store, 
the object model (custom code solutions) may behave unexpectedly 
because the message is still in Rich Text or HTML format in the mail 
store.  


Security Patch Information

Installation platforms and Prerequisites: 

For information about the specific security patch for your platform, 
click the appropriate link: 

Windows 2000 (all versions)

Acknowledgments

Microsoft thanks the following for working with us to protect customers: 

Greg Jones of KPMG UK and Cesar Cerrudo for reporting the issue 
described in MS03-042. 

Obtaining other security patches:

Patches for other security issues are available from the following 
locations: 

Security patches are available from the Microsoft Download Center, and 
can be most easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 

Support:

Technical support is available from Microsoft Product Support Services at 
1-866-PCSAFETY. There is no charge for support calls associated with 
security patches. 

Security Resources: 

The Microsoft TechNet Security Web Site provides additional information 
about security in Microsoft products. 

Microsoft Software Update Services: http://www.microsoft.com/sus/ 
Microsoft Baseline Security Analyzer (MBSA) details: 
   http://www.microsoft.com/mbsa. 

Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 
for list of security patches that have detection limitations with MBSA tool. 

Revisions:

1.0 (October 15, 2003): Bulletin published


[***** End Microsoft Security Bulletin MS03-042 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corp.  for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-157: CERT/CC Vulnerability Note OpenSSH PAM challenge authentication failure
N-158: CERT/CC Vulnerability Note Portable OpenSSH server PAM
N-159: OpenSSL Security Advisory vulnerabilities in ASN.1 parsing
O-001: Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo safely
O-002: Microsoft Internet Explorer Cumulative Patch
O-003: HP Potential Security Vulnerability in dtprintinfo
O-004: Microsoft Buffer Overrun in Messenger Service Could Allow Code Execution
O-005: Microsoft Exchange Server Vulnerabilities
O-006: Microsoft Authenticode Verification Vulnerability
O-007: Microsoft Windows Help and Support Center Buffer Overrun Vulnerability



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH