[CrackMonkey] For your collection

Bob Bernstein bobbern at delphi.com
Wed Jul 19 07:13:05 PDT 2000


On Tue, Jul 18, 2000 at 01:14:34PM -0700, Don Marti wrote:

> Security Advisory: Buffer Overflow in MS Outlook & Outlook Express Email Clients
> 
> Date: 			18th July 2000
> Author:			Aaron Drew (mailto:ripper at wollongong.hotkey.net.au)
> Versions Affected: 	MS Outlook 97/2000 and MS Outlook Express 4/5

Holy Cow, eh? I just got this: ("the most dangerous programming mistake that
Microsoft has made.")

Anyone for $500?
------

Date: Mon, 17 Jul 2000 14:48:36 -0600 (MDT)
From: The SANS Institute <sans at sans.org>
Subject: SANS Flash: Most dangerous flaw found in Windows workstations, Fix available.

I am forwarding this note to you as a FLASH because the vulnerability
it describes is probably the most dangerous programming error in Windows
workstation (all varieties -- 95, 98, 2000, NT 4.0) that Microsoft has
made.

You are vulnerable to total compromise simply by previewing or reading
an email (without opening any attachments) if you have one of the
affected operating systems and have the following installed:
* Microsoft Access 97 or 2000
* Internet Explorer 4.0 or higher, including 5.5 (Windows 2000 includes
  IE 5)

SANS Prize: It may be possible to fix this vulnerability automatically,
via an email without asking every user to take action.  The concept is
similar to using a slightly modified version of a virus to provide
immunity against infection. SANS is offering a $500 prize (and a few
minutes of fame) to the first person who sends us a practical automated
solution that companies can use, quickly, easily, and (relatively)
painlessly to protect all vulnerable systems.

                AP


By: Jesper Johansson, Assistant Professor, Boston University, and
Editor, SANS Windows Security Digest

This is a special issue of the SANS Windows Security Digest. On June 27
Georgi Guninski posted an exploit using Access 2000 to exploit Windows
98.  We developed this exploit further and realized that this is one of
the most serious exploits of Windows workstations in the last several
years.  Microsoft asked us to not release the details until they had a
fix. On July 14, 2000, they posted a workaround for this issue, and we
now bring you this update.

MS00-049 - Patch Available for "The Office HTML Script" Vulnerability
and a Workaround for "The IE Script" Vulnerability

The bulletin actually discusses two separate issues. We consider the
Access issue much more serious than the other issue so we will cover
that first.

Internet Explorer allows the use of an object tag to load an ActiveX
control. The data property of the object tag is the ActiveX control to
be loaded. An ActiveX control is normally some executable. However,
Microsoft Office documents are also ActiveX controls. In a default
installation, ActiveX controls load silently, without prompting the
user, thus automatically executing the exploit.

Internet Explorer can be configured to prompt the user about whether to
load ActiveX controls. However, there is a serious bug in the prompting
that appears to only surface when the requested control is a Microsoft
Access database file (.MDB file). The order of events with MDB files
is:

1. User opens a web page with an Object tag
2. IE downloads database and calls Access to open the database
3. IE prompts user whether to open the database
4. User clicks No
5. IE displays an error message stating that some code on this page is
   unsafe

As can be seen from this sequence of events, the order of execution is
wrong. IE actually opens the Access database BEFORE it asks the user
whether to open it. Assume now that the user has disabled execution of
ActiveX controls entirely. The following sequence of events would occur:

1. User opens a web page with Object tag
2. IE downloads database and calls Access to open the database
3. IE informs user that some code on this page is unsafe

Again, the database is opened before IE checks whether to execute
ActiveX controls.

Microsoft calls this issue the "IE Script" vulnerability. That title is
misleading because it implies that if Active Scripting is disabled, the
exploit would not work. This is not true. The exploit does not rely on
scripting, and therefore disabling scripting has no effect on this
exploit.

Furthermore, this is very easy to exploit through HTML e-mail. In fact,
most popular e-mail programs, such as Outlook, Outlook Express, and
Eudora have a preview pane. That preview pane will display HTML in an
HTML formatted e-mail message. The interpreter used for these programs
is Internet Explorer. Hence, this exploit will also work through HTML
formatted e-mail.  Thus the user need not open the e-mail, nor download
anything for this to work. In addition, if this is the only e-mail in
the user's Inbox, the exploit will execute as soon as the e-mail is
received.

This is a very serious problem given the power of the Visual Basic for
Applications (VBA) language used in Access. Access can run VBA code when
the database is opened. We successfully made Access connect to a Windows
Networking (CIFS) file share on the Internet and ran a program from
there.  Thus the malicious program that an attacker wants to run does
not need to reside on the user's machine.

VULNERABLE SYSTEMS

All Windows Systems (Windows 2000, NT 4.0, 98 and 95) with all of the
following installed:
* Microsoft Access 97 or 2000
* Internet Explorer 4.0 or higher, including 5.5 (Windows 2000 includes
  IE 5)
* Systems with Outlook, Outlook Express, Eudora, or another mail reader
  that uses IE to render HTML are also vulnerable to exploiting this
  through e-mail


WORKAROUND
We recommend several steps to work around this issue:

1. Ensure that an exploit such as this cannot run malicious programs on
   the Internet. This is done by blocking outgoing Windows File Sharing at
   the firewall. To do so, block outgoing traffic to ports UDP 138, UDP
   and TCP 139, and UDP and TCP 445.
2. Apply the Microsoft workaround to all installations of Microsoft
   Access under your control. The steps to do so are:
   a. Start Access 2000 but don't open any databases
   b. From the Tools menu, choose Security
   c. Select User and Group Accounts
   d. Select the Admin user, which should be defined by default
   e. Go to the Change Logon Password tab
   f. The Admin password should be blank if it has never been changed
   g. Assign a password to the Admin user
   h. Click OK to exit the menu
3. Apply the Outlook E-Mail security update, available on
   http://officeupdate.microsoft.com if you use Outlook 98 or 2000.
4. Set Outlook Express or Eudora to read e-mail in the Restricted Sites
   zone and then disable everything in that zone.

Steps 3 and 4 have no effect on the current issue, but are good security
practice.

Office HTML Script Vulnerability

The second issue discussed in this bulletin also involves using Office
components as ActiveX controls, although it is not as serious as the
Access issue discussed above. Excel 2000 and PowerPoint 97 and 2000 can
be scripted from inside IE to save a file to an arbitrary location on
the user's hard drive as long as the user has access to that location.
This would enable an attacker to save files to locations such as the
Startup folder in the user's profile.

This vulnerability is not exploitable if Active Scripting and/or Running
ActiveX controls is disabled. Therefore, it is considerably less
dangerous than the Access problem. The root cause of this problem is
that Excel and PowerPoint files are marked as safe for scripting. The
patch marks them as unsafe for scripting.

VULNERABLE SYSTEMS

All Windows Systems (Windows 2000, NT 4.0, 98 and 95) with all of the
following installed:
* Microsoft Excel 2000 or PowerPoint 97 or 2000
* Internet Explorer 4.0 or higher, including 5.5
* Systems with Outlook, Outlook Express, Eudora, or another mail reader
  that uses IE to render HTML are also vulnerable to exploiting this
  through e-mail

FIX
Microsoft has made a fix available. It is available from the following
locations:

* Office Update
http://officeupdate.microsoft.com
* Microsoft Excel 2000 and PowerPoint 2000:
http://officeupdate.microsoft.com/2000/downloaddetails/Addinsec.htm
* Microsoft PowerPoint 97:
http://officeupdate.microsoft.com/downloaddetails/PPt97sec.htm

For more information see:
* Microsoft Security Bulletin MS00-049
http://www.microsoft.com/technet/security/bulletin/MS00-049.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-049
http://www.microsoft.com/technet/security/bulletin/fq00-049sp
* Microsoft Knowledge Base (KB) article Q268365 "XL2000: Update
Available for HTML Script Vulnerability"
http://www.microsoft.com/technet/support/kb.asp?ID=268365
* Microsoft Knowledge Base (KB) article Q268457 "PPT2000: Update
Available for HTML Script Vulnerability"
http://www.microsoft.com/technet/support/kb.asp?ID=268457
* Microsoft Knowledge Base (KB) article Q268477 "PPT97: Update Available
for HTML Script Vulnerability"
http://www.microsoft.com/technet/support/kb.asp?ID=268477

There is no Knowledge Base article on the Access issue yet.


-- 
Bob Bernstein         
at                    obsd2.7 woohoo! and, it's canadian.
Esmond, R.I., USA            
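As an added example (not part of this post or of the SANS advisory it forwards), a small Python scanner that a mail gateway or incident responder could run over HTML e-mail to flag bodies that load Office files through the object tag's data attribute, the delivery path the advisory describes. The sample message and the host name in it are constructed placeholders.

```python
"""Flag HTML e-mail parts that load Office documents through an <object> tag."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Office file types the advisory describes as loadable as ActiveX controls
# (Access .mdb for the first issue; Excel and PowerPoint for the second).
OFFICE_EXTENSIONS = (".mdb", ".xls", ".ppt")


class ObjectTagScanner(HTMLParser):
    """Collect every <object> whose data attribute points at an Office file."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":          # HTMLParser lowercases tag and attribute names
            return
        target = dict(attrs).get("data") or ""
        # Compare the URL path only, so a query string cannot hide the extension.
        path = urlparse(target).path.lower()
        if path.endswith(OFFICE_EXTENSIONS):
            self.hits.append(target)


def scan_html(html):
    """Return the suspicious object targets found in one HTML body."""
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def scan_message(raw):
    """Walk every text/html part of an RFC 822 message and scan each one."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(scan_html(part.get_content()))
    return hits


# Constructed sample message; host.example.test is a placeholder, not a real site.
SAMPLE = """From: sender@example.test
To: user@example.test
Subject: hello
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>hi</p>
<object data="http://host.example.test/db.mdb" type="application/msaccess"></object>
</body></html>
"""
```

A non-empty result from `scan_message` means the part would hand an Office file to IE's ActiveX loader before any prompt, which is the behaviour the advisory warns about.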