MS03-040 Cumulative Patch for Internet Explorer (828750)

Max Burke

What *exactly* does this update fix?????


Does it fix this object data tag vulnerability or not?

<quote>
Description:
eEye Digital Security has discovered a security vulnerability in
Microsoft's Internet Explorer that would allow executable code to run
automatically upon rendering malicious HTML.
This is a flaw in Microsoft's primary contribution to HTML, the Object
tag, which is used to embed basically all ActiveX into HTML pages. The
parameter that specifies the remote location of data for objects is not
checked to validate the nature of the file being loaded, and therefore
trojan executables may be run from within a webpage as silently and as
easily as Internet Explorer parses image files or any other "safe" HTML
content.
This attack may be utilized wherever IE parses HTML, including websites,
email, newsgroups, and within applications utilizing web-browsing
functionality.
http://www.eeye.com/html/Research/Advisories/AD20030820.html
<end quote>

In some other security groups I read that some say this update not
only **doesn't** fix that vulnerability, Microsoft doesn't even acknowledge
there is a vulnerability (in this update). I'm still trying to 'decode'
the information on the Microsoft web page to see if it does or not.

<quote>
What does the patch do?
The patch addresses the vulnerabilities by ensuring that Internet
Explorer performs proper checks when it receives an HTTP response.

Workarounds
Are there any workarounds that can be used to block exploitation of this
vulnerability while I test the patch?

Yes. It should be noted that these workarounds should be considered
temporary measures as they just help block paths of attack rather than
correcting the underlying vulnerability. Microsoft encourages installing
the patch at the earliest opportunity.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp
<end quote>

[Does this mean installing the patch means the workarounds are no
longer needed, or that they need to be applied *with* the patch?]

Note I have installed the update, but haven't removed the 'prompt
ActiveX workarounds' yet....
 
Walter Schulz

What *exactly* does this update fix?????

It fixes (for my two systems I tested) the object tag bug described in
http://www.eeye.com/html/Research/Advisories/AD20030820.html
The previous fix delivered by Microsoft (mentioned in the article
above) wasn't able to do what it was intended to do.

I have a link to a site which will be able to verify/falsify the
behaviour. It's in German, so I have to explain the mechanism.
If you click on the link below your unpatched IE will download
BROWSERCHECK.EXE to your homedir (%Userprofile%) and execute it.
A small window (red background colour) will be seen if you are using
an insecure browser.

http://www.heise.de/security/dienste/browsercheck/demos/ie/htacheck.shtml

You have to delete BROWSERCHECK.EXE manually after testing. Removal of
the exe would have been possible but for some reason this routine
wasn't applied to the exe.

Ciao, Walter
 
Max Burke

Mike Brannigan [MSFT] scribbled:
see the Technical description at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp

Been there, done that (several times, before I downloaded/installed the
update, and after testing it to see if it works) but the wording is
ambiguous about what it does fix, and from my tests it isn't fixing what
it's supposed to be fixing.....

<quote>
What's the scope of this vulnerability?

A flaw in the way Internet Explorer handles a specific HTTP request
could allow arbitrary code to execute in the context of the logged-on
user, should the user visit a site under the attacker's control.

What causes the vulnerability?

The vulnerability results because Internet Explorer does not properly
check a specially crafted HTTP response that can be encountered when
Internet Explorer handles an object tag in an Internet Explorer window
created by a Window.CreatePopup script command.

What's wrong with the way Internet Explorer handles object tags?

There is a flaw in the way Internet Explorer determines an object type.
Internet Explorer does not conduct a proper parameter check on an HTTP
response. The response can point to a particular file type which will
then cause an object to be scripted, then run. This could allow an
attacker to run arbitrary code on a user's machine.

What could this vulnerability enable an attacker to do?

This vulnerability could enable an attacker to cause Internet Explorer
to execute code of the attacker's choice. This would allow an attacker
to take any action on a user's system in the security context of the
currently logged-on user.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by hosting a
specially constructed Web page. If the user visited this Web page,
Internet Explorer could fail and could allow arbitrary code to execute
in the context of the user. Alternatively, an attacker could also craft
an HTML-based e-mail that attempts to exploit this vulnerability.

What does the patch do?

The patch addresses the vulnerabilities by ensuring that Internet
Explorer performs proper checks when it receives an HTTP response.


[the above would indicate it is fixing the vulnerability, however in the
FAQ section there is this about prompting to allow activeX components to
execute as a work around....]

Workarounds

Are there any workarounds that can be used to block exploitation of this
vulnerability while I test the patch?

Yes. It should be noted that these workarounds should be considered
temporary measures as they just help block paths of attack rather than
correcting the underlying vulnerability. Microsoft encourages installing
the patch at the earliest opportunity.

The following sections are intended to provide you with information to
help protect your computer from attack.

Prompt before running of ActiveX controls in the Internet and Intranet
zones:
<end quote>

Testing the MS03-040 update at this website:
http://www.secunia.com/MS03-032/
that tests MS03-032 (MS03-040 is a *replacement* for MS03-032 because
ms03-032 doesn't work) still shows me to be vulnerable to the object
data tag vulnerability.....

This test runs mshta.exe on your computer and executes activeX commands,
apparently without IE testing/verifying object data tags.

So if MS03-040 is supposed to be fixing the object data tag
vulnerability in IE (that MS03-032 didn't fix) then MS03-040 doesn't fix
it either........
 
Max Burke

Roger Abell scribbled:
a. Object Tag vulnerability in Popup Window: CAN-2003-0838

From: http://www.cve.mitre.org/ (The originating website for these
links)

ERROR: Couldn't find 'CAN-2003-0838'
b. Object Tag vulnerability with XML data binding: CAN-2003-0809

CAN-2003-0809 (under review)
This is a candidate for inclusion in the CVE list, which standardizes
names for security problems. It must be reviewed and accepted by the CVE
Editorial Board before it can be added into CVE. Therefore, this
candidate may be modified or even rejected in the future.

And the testing I have done on MS03-040 today show it does NOT fix the
object data tag vulnerability AT ALL!

 
Roger Abell

Well, there are quite a number of patches IE is (perhaps)
still needing, guessing by earlier lists of exploits and the
manifest of new patches in ms03-040.

However, using the testing link you provided
http://www.secunia.com/MS03-032/
this system (with all current service) did prompt for
permission to download test.hta, so in order to get to
the window where they explain that if such a prompt
was seen one is not vulnerable it was necessary for
me to acknowledge and allow an unknown ActiveX control
and then the test.hta file.
 
Max Burke

Roger Abell scribbled:
Well, there are quite a number of patches IE is (perhaps)
still needing, guessing by earlier lists of exploits and the
manifest of new patches in ms03-040.
However, using the testing link you provided
http://www.secunia.com/MS03-032/
this system (with all current service) did prompt for
permission to download test.hta, so in order to get to
the window where they explain that if such a prompt
was seen one is not vulnerable it was necessary for
me to acknowledge and allow an unknown ActiveX control
and then the test.hta file.

It does the same on my system, but that's only half a fix surely,
especially if you allow the test.hta to run: it then executes ActiveX
commands embedded in it, opens a new Explorer window and says embedded
ActiveX commands can still run on the system without being
checked.....
IOW it does ask if the file can be downloaded, but by replying yes the
client system is STILL VULNERABLE to malicious ActiveX code
execution.....

As we all know ActiveX commands can be installed in files (an html file
to open an apparently innocent window in IE for example) but can then
silently install malicious code without the user being aware of that
happening.
A user could be allowing the opening of a perfectly valid window in IE
while ActiveX scripts are running in the background installing
anything......

The real fix would be that IE tests the parameter of the object data tag
*in the request* to validate any file download.
See below as to what the real vulnerability is.....

<quote>
Description:
eEye Digital Security has discovered a security vulnerability in
Microsoft's Internet Explorer that would allow executable code to *RUN
AUTOMATICALLY* upon rendering malicious HTML.
This is a flaw in Microsoft's primary contribution to HTML, the Object
tag, which is used to embed basically all ActiveX into HTML pages.

*** NOTE: BUG/VULNERABILITY is HERE ****
The parameter that specifies the remote location of data for objects is
not checked to validate the nature of the file being loaded, and
therefore trojan executables may be run from within a webpage as
silently and as easily as Internet Explorer parses image files or any
other "safe" HTML content.

This attack may be utilized wherever IE parses HTML, including websites,
email, newsgroups, and within applications utilizing web-browsing
functionality.
http://www.eeye.com/html/Research/Advisories/AD20030820.html
<end quote>

Any malicious code/trojan/virus isn't going to 'reveal itself' by
asking if it can be downloaded/installed.....
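The check the thread keeps circling back to is that the object's declared type, the server's response and the bytes actually delivered must agree before anything is handed to a handler that can execute it. The following is an added example (not written by any poster here, and not IE's or Microsoft's patch code) that models such a gate in Python. The `<object>` tag and HTTP response inputs are constructed dictionaries, the type tables are illustrative, and the three possible decisions ("render", "prompt", "block") are assumptions chosen to mirror the bulletin's workaround: consistent active content gets a prompt, mismatched content is refused outright.

```python
"""Model of the missing type check on <object data=...> loads.

Constructed example: the tag and response inputs below are built inline
and nothing here is IE's code or Microsoft's patch. The rule is that the
declared object type, the Content-Type header and the leading bytes of
the body must agree before content reaches an execution-capable handler.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Types whose handlers can run code; anything sniffed as one of these
# must never be loaded under a "passive" declaration.
ACTIVE_TYPES = {"application/x-msdownload", "application/hta", "text/html"}
PASSIVE_TYPES = {"image/gif", "image/jpeg", "image/png", "text/plain"}

# Illustrative extension-to-type table (an assumption, not IE's mapping).
EXT_TYPES = {
    ".gif": "image/gif", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".png": "image/png", ".txt": "text/plain", ".htm": "text/html",
    ".html": "text/html", ".hta": "application/hta",
    ".exe": "application/x-msdownload",
}


@dataclass
class Decision:
    action: str          # "render", "prompt" or "block"
    effective_type: str  # what the body actually is, per sniffing
    reason: str


def sniff_type(body: bytes) -> str:
    """Classify a body by its leading bytes, ignoring what anyone claims."""
    head = body[:512]
    if head.startswith(b"MZ"):
        return "application/x-msdownload"   # DOS/PE executable header
    if head.startswith(b"GIF8"):
        return "image/gif"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if head.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    lowered = head.lower()
    if b"<hta:application" in lowered:
        return "application/hta"            # HTML Application runs with full trust
    if b"<script" in lowered or b"<html" in lowered or b"<object" in lowered:
        return "text/html"
    return "text/plain"


def header_type(headers: Dict[str, str]) -> Optional[str]:
    """Media type from Content-Type without parameters; None if absent."""
    ct = headers.get("Content-Type")
    return ct.split(";")[0].strip().lower() if ct else None


def url_type(url: str) -> Optional[str]:
    """Type implied by the data URL's extension, if we recognise one."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    dot = path.rfind(".")
    return EXT_TYPES.get(path[dot:].lower()) if dot >= 0 else None


def decide(tag: Dict[str, str], response: Dict) -> Decision:
    """Gate a load: trust the body, and refuse when the declarations disagree."""
    actual = sniff_type(response["body"])
    declared = tag.get("type")
    claims = {declared.lower() if declared else None,
              header_type(response["headers"]), url_type(tag["data"])}
    claims.discard(None)
    if actual in ACTIVE_TYPES:
        if claims & PASSIVE_TYPES:
            return Decision("block", actual,
                            "active content delivered under a passive declaration")
        return Decision("prompt", actual, "active content requires explicit consent")
    if claims & ACTIVE_TYPES:
        return Decision("block", actual, "declared active type does not match body")
    if claims and actual not in claims:
        return Decision("block", actual, "body type does not match any declaration")
    return Decision("render", actual, "declarations and body agree")


# Constructed sample loads (not real captures): name -> (tag, response).
SAMPLES = {
    "exe_as_gif": ({"data": "logo.gif"},
                   {"headers": {"Content-Type": "image/gif"},
                    "body": b"MZ\x90\x00\x03\x00\x00\x00"}),
    "hta_as_txt": ({"data": "readme.txt"},
                   {"headers": {"Content-Type": "text/plain; charset=us-ascii"},
                    "body": b"<html><hta:application id=\"t\"/></html>"}),
    "honest_hta": ({"data": "tool.hta"},
                   {"headers": {"Content-Type": "application/hta"},
                    "body": b"<html><HTA:APPLICATION id=\"t\"/></html>"}),
    "real_gif": ({"data": "pic.gif", "type": "image/gif"},
                 {"headers": {"Content-Type": "image/gif"},
                  "body": b"GIF89a\x01\x00\x01\x00"}),
}


def run_samples() -> Dict[str, str]:
    """Return the action taken for each constructed sample."""
    return {name: decide(tag, resp).action for name, (tag, resp) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (tag, resp) in SAMPLES.items():
        d = decide(tag, resp)
        print(f"{name:12s} {d.action:7s} {d.effective_type:24s} {d.reason}")
```

The two disguised samples are blocked without ever reaching a prompt, which is the point Max makes above: a prompt only helps when the user can tell what is being offered, so content whose declared type contradicts its bytes should not be offered at all. Honest active content still gets the prompt, matching the "prompt before running ActiveX controls" workaround from the bulletin.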
 
Roger Abell [MVP]

We are basically in agreement.
I am uncomfortable with calling something that depends on user
behavior a full solution, but at least now they are given the option
as compared to the prior default acceptance.
The updated CERT IN-2003-04 (exploitation of IE vulnerability)
http://www.cert.org/incident_notes/IN-2003-04.html
makes it pretty clear that the world is looking for a final solution
as compared to this emergency approach apparently (no insider
info here, just my guess) hastened out to stem off qhost and its
friends (or should I say fiends?).
 