Microsoft Security Bulletin MS07-048 - Important

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, which could reduce the severity of exploitation of this vulnerability. The following mitigating factor may be helpful in your situation:

• The user needs to subscribe to a untrusted or compromised RSS feed in the Feed Headlines Gadget using Internet Explorer.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Disable the Feed Headlines Gadget:

  To disable the Feed Headlines Gadget, follow these steps:

  1. Right click in Sidebar.
  2. Select Properties from the menu.
  3. In the Windows Sidebar Properties dialog click the View list of running gadgets button.
  4. Select the Feed Headlines Gadget and click the Remove button.

  Impact of Workaround: The Feed Headlines Gadget is disabled.

• Uninstall the Feed Headlines Gadget:

  To uninstall the Feed Headlines Gadget, follow these steps:

  • Right click in Sidebar.
  • Select Add Gadgets… from the menu.
  • Right click on the Feed Headlines Gadget.
  • Select uninstall from the menu.

  Impact of Workaround: The Feed Headlines Gadget will be uninstalled.

• Modify the Access Control List on gadget.xml to be more restrictive:

  Applying this workaround may cause the installation of security updates provided with this security bulletin to fail.

  To modify the Access Control List (ACL) on gadget.xml to be more restrictive, follow these steps:

  1. Click Start, click All Programs, click Accessories, right click on Command Prompt, click Run as administrator, and then click Continue.
  2. Type the following command at a command prompt:
     
     cd %ProgramFiles%\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US
  3. Type the following command at a command prompt make a note of the current ACL’s that is on the file (including inheritance settings) for future reference to undo this modification:
     
     takeown /f gadget.xml
  4. Type the following command at a command prompt to ACL the Feed Headlines Gadget. Make a note of the current ACL’s that are on the file (including inheritance settings) for future reference to undo this modification:
     
     icacls gadget.xml /deny Everyone:(R,RX)
  5. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: The Feed Headlines Gadget is disabled.

• Disable Sidebar in Group Policy

  To disable Sidebar in Group Policy, follow these steps:

  1. Click Start, click Run, type “gpedit.msc”, and then click Continue.
  2. Under Local Computer Policy\Computer Configuration double click Administrative Templates, double click Windows Components, and then double click Windows Sidebar.
  3. Change the value of the Turn off Windows Sidebar setting to Enabled:
  4. Right click on Turn off Windows Sidebar.
  5. Select Properties from the menu.
  6. Select the Enabled radio button.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

• Disable the Sidebar in the system registry

  Disabling Sidebar by creating a new registry key helps protect the affected system from attempts to exploit this vulnerability. To create a new Sidebar registry key, follow these steps:

  Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note: We recommend backing up the registry before you edit it.

  1. Click Start, click Run, type “regedit” (without the quotation marks), and then click Continue.
  2. Expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Windows, expand CurrentVersion, and then expand Policies.
  3. Right click on Policies, select New, select Key, and then type Windowsas the file name.
  4. Right click on Windows, select New, select Key, and then type Sidebaras the file name.
  5. Right click on Sidebar, select New, select DWORD (32-bit) Value, and the type TurnOffSidebaras the Name.
  6. Right click on TurnOffSidebar, and then change Value data: to 1.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could run code on the vulnerable system.

What causes the vulnerability
The Feed Headlines Gadget does not perform sufficient validation when parsing HTML attributes.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run code on the affected system.

How could an attacker exploit the vulnerability?
The Feed Headlines Gadget is installed on Windows Vista and is enabled by default. The user needs to subscribed to a RSS feed in the Feed Headlines Gadget using Internet Explorer. Once a feed is subscribed an attacker must send a specially crafted RSS post using the existing subscription to exploit the system. An attacker could then execute code in the context of the logged on user from the subsequent malicious or specially crafted feed over the internet.

What is a Gadget?
Gadgets are mini-applications designed to provide the user with information or utilities. Windows Vista treats gadgets similar to the way Windows Vista treats all executable code. Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as web pages are. HTML content in the Gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer. This download process is similar to applications (.exe files) downloaded from the Internet.

Could the vulnerability be exploited over the Internet?
Yes, this vulnerability could be exploited over the internet once a user has subscribed to a malicious RSS feed in the Feed Headlines Gadget, or if a trusted feed is compromised by an attacker.

What systems are primarily at risk from the vulnerability?
Any Windows Vista system where the Feed Headlines Gadget is enabled and subscribed to RSS feeds.

What does the update do?
The update removes the vulnerability by adding additional checks on HTML attributes within the Feed Headlines Gadgets.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, which could reduce the severity of exploitation of this vulnerability. The following mitigating factor may be helpful in your situation:

• The Contacts Gadget is not enabled by default. To be subject to exploitation of this vulnerability, the user must add the Contacts Gadget to Windows Sidebar.
• When the Contacts Gadget is enabled, the user must add or import specially crafted malicious contacts from an attacker.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Disablethe Contacts Gadget:

  To disable the Contacts Gadget, follow these steps:

  1. Right click in Sidebar.
  2. Select Properties from the menu.
  3. In the Windows Sidebar Properties dialog click the View list of running gadgets button.
  4. Select the Contacts Gadget and click the Remove button.

  Impact of Workaround: The Contacts Gadget is disabled.

• Uninstallthe Contacts Gadget:

  To uninstall the Contacts Gadget, follow these steps:

  1. Right click in Sidebar.
  2. Select Add Gadgets… from the menu.
  3. Right click on the Contacts Gadget.
  4. Select uninstall from the menu.

  Impact of Workaround: The Contacts Gadget will be uninstalled.

• Modify the Access Control List on gadget.xml to be more restrictive:

  Applying this workaround may cause the installation of security updates provided with this security bulletin to fail.

  To modify the Access Control List (ACL) on gadget.xml to be more restrictive, follow these steps:

  1. Click Start, click All Programs, click Accessories, right click on Command Prompt, click Run as administrator, and then click Continue.
  2. Type the following command at a command prompt:
     
     cd %ProgramFiles%\Windows Sidebar\Gadgets\Contacts.Gadget\en-US
  3. Type the following command at a command prompt make a note of the current ACL’s that are on the file (including inheritance settings) for future reference to undo this modification:
     
     takeown /f gadget.xml
  4. Type the following command at a command prompt to ACL the Contacts Gadget. Make a note of the current ACL’s that are on the file (including inheritance settings) for future reference to undo this modification:
     
     icacls gadget.xml /deny Everyone:(R,RX)
  5. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: The Contacts Gadget is disabled.

• Disable Sidebar in Group Policy

  To disable Sidebar in Group Policy, follow these steps:

  1. Click Start, click Run, type “gpedit.msc”, and then click Continue.
  2. Under Local Computer Policy\Computer Configuration double click Administrative Templates, double click Windows Components, and then double click Windows Sidebar.
  3. Change the value of the Turn off Windows Sidebar setting to Enabled:
  4. Right click on Turn off Windows Sidebar.
  5. Select Properties from the menu.
  6. Select the Enabled radio button.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

• Disable Sidebar in the system registry

  Disabling Sidebar by creating a new registry key helps protect the affected system from attempts to exploit this vulnerability. To create a new Sidebar registry key, follow these steps:

  Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note: We recommend backing up the registry before you edit it.

  1. Click Start, click Run, type “regedit” (without the quotation marks), and then click Continue.
  2. Expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Windows, expand CurrentVersion, and then expand Policies.
  3. Right click on Policies, select New, select Key, and then type Windows as the file name.
  4. Right click on Windows, select New, select Key, and then type Sidebar as the file name.
  5. Right click on Sidebar, select New, select DWORD (32-bit) Value, and the type TurnOffSidebaras the Name.
  6. Right click on TurnOffSidebar, and then change Value data: to 1.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

What is the scope of the vulnerability?
This is a code execution vulnerability. An attacker who successfully exploited this vulnerability could run code on the vulnerable system in the context of the logged on user.

What causes the vulnerability
The Contacts Gadget does not perform sufficient validation on contacts when imported.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run code on the affected system in the context of the user.

How could an attacker exploit the vulnerability?
While the Contacts Gadget is installed on Windows Vista it is not enabled by default. A user would be required to enable the Contacts Gadget. An attacker would then have to send a specially crafted contact to an affected system, or persuade a user to visit a webpage that allowed the specially crafted contact to be downloaded. The user would have to add the malicious contact. Once the contact was added or imported the attacker could then execute code in the context of the logged on user when the contact was selected or if the contact were the first contact in the list.

What is a Gadget?
Gadgets are mini-applications designed to provide the user with information or utilities. Windows Vista treats gadgets similar to the way Windows Vista treats other executable code. Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as web pages are. HTML content in the Gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer. This download process is similar to applications (.exe files) downloaded from the Internet.

Could the vulnerability be exploited over the Internet?
Yes, this vulnerability could be exploited over the internet if a user added or imported the malicious contact file from the Internet into the Contacts Gadget. The contact would have to be selected or the first contact in the list.

What systems are primarily at risk from the vulnerability?
Any Windows Vista system where the Contacts Gadget is enabled would be at risk form the vulnerability.

What does the update do?
The update removes the vulnerability by adding additional checks on imported contacts within Contacts Gadget.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, which could reduce the severity of exploitation of this vulnerability. The following mitigating factor may be helpful in your situation:

• Links are not visible in the default view of the Weather Gadget. To view links in the Weather Gadget the user must drag and drop the Weather Gadget onto the desktop.
• Weather services provided in the Weather Gadget are not available in all geographical regions.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Disable the Weather Gadget:

  To disable the Weather Gadget, follow these steps:

  1. Right click in Sidebar.
  2. Select Properties from the menu.
  3. In the Windows Sidebar Properties dialog click the View list of running gadgets button.
  4. Select the Weather Gadget and click the Remove button.

  Impact of Workaround: The Weather Gadget is disabled.

• Uninstall the Weather Gadget:

  To uninstall the Weather Gadget, follow these steps:

  • Right click in Sidebar.
  • Select Add Gadgets… from the menu.
  • Right click on the Weather Gadget.
  • Select uninstall from the menu.

  Impact of Workaround: The Weather Gadget will be uninstalled.

• Modify the Access Control List on gadget.xml to be more restrictive:

  Applying this workaround may cause the installation of security updates provided with this security bulletin to fail.

  To modify the Access Control List (ACL) on gadget.xml to be more restrictive, follow these steps:

  1. Click Start, click All Programs, click Accessories, right click on Command Prompt, click Run as administrator, and then click Continue.
  2. Type the following command at a command prompt:
     
     cd %ProgramFiles%\Windows Sidebar\Gadgets\Weather.Gadget\en-US
  3. Type the following command at a command prompt make a note of the current ACL’s that is on the file (including inheritance settings) for future reference to undo this modification:
     
     takeown /f gadget.xml
  4. Type the following command at a command prompt to ACL the Weather Gadget. Make a note of the current ACL’s that are on the file (including inheritance settings) for future reference to undo this modification:
     
     icacls gadget.xml /deny Everyone:(R,RX)
  5. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: The Weather Gadget is disabled.

• Disable Sidebar in Group Policy

  To disable Sidebar in Group Policy, follow these steps:

  1. Click Start, click Run, type “gpedit.msc”, and then click Continue.
  2. Under Local Computer Policy\Computer Configuration double click Administrative Templates, double click Windows Components, and then double click Windows Sidebar.
  3. Change the value of the Turn off Windows Sidebar setting to Enabled:
  4. Right click on Turn off Windows Sidebar.
  5. Select Properties from the menu.
  6. Select the Enabled radio button.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

• Disable the Sidebar in the system registry

  Disabling Sidebar by creating a new registry key helps protect the affected system from attempts to exploit this vulnerability. To create a new Sidebar registry key, follow these steps:

  Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note: We recommend backing up the registry before you edit it.

  1. Click Start, click Run, type “regedit” (without the quotation marks), and then click Continue.
  2. Expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Windows, expand CurrentVersion, and then expand Policies.
  3. Right click on Policies, select New, select Key, and then type Windows as the file name.
  4. Right click on Windows, select New, select Key, and then type Sidebar as the file name.
  5. Right click on Sidebar, select New, select DWORD (32-bit) Value, and the type TurnOffSidebaras the Name.
  6. Right click on TurnOffSidebar, and then change Value data: to 1.
  7. You must Log Off your system or close the sidebar.exe process after you apply this workaround.

  Impact of Workaround: Sidebar is disabled.

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could run code on the vulnerable system.

What causes the vulnerability
Weather Gadget does not perform sufficient validation when parsing HTML attributes.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run code on the affected system.

How could an attacker exploit the vulnerability?
In order to exploit this vulnerability, an attacker would have to compromise the user’s connection and convince the user to click a malicious link in the Weather Gadget. To view links in the Weather Gadget the user must first drag and drop the Weather Gadget onto the desktop. Links are not visible in the default view of the Weather Gadget.

What is a Gadget?
Gadgets are mini-applications designed to provide the user with information or utilities. Windows Vista treats gadgets similar to the way Windows Vista treats other executable code. Gadgets are written using HTML and script, but this HTML is not located on an arbitrary remote server as web pages are. HTML content in the Gadget is downloaded first as part of a package of resources and configuration files and then executed from the local computer. This download process is similar to applications (.exe files) downloaded from the Internet.

Could the vulnerability be exploited over the Internet?
No, this vulnerability can not be exploited over the internet by an anonymous attacker.

What systems are primarily at risk from the vulnerability?
Any Windows Vista system where the Weather Gadget is running on the desktop and links are visible.

What does the update do?
The update removes the vulnerability by adding additional checks on HTML attributes within the Weather Gadgets.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Installing the Update

When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Windows hotfix. If you have previously installed a hotfix to update one of these files, the installer will apply the LDR version of this update. Otherwise, the installer will apply the GDR version of the update. The LDR version of a file has a higher version number than the GDR version of a file. For more information about this behavior, see Microsoft Knowledge Base Article 824994.For more information about the installer, see Microsoft Knowledge Base Article 934307.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

This security update supports the following setup switches.

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site. For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

Removing the Update

To remove this update, use the Add or Remove Programs tool in Control Panel.

Verifying That the Update Has Been Applied

• Microsoft Baseline Security Analyzer

  To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

• File Version Verification

  Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

  1. Click Start, and then click Search.
  2. In the Search Results pane, click All files and folders under Search Companion.
  3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
  4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
     
     Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.
  5. On the General tab, determine the modified date of the file that is installed on your computer by comparing it to the modified date that is documented in the appropriate file information table. The files in this package do not have version numbers. prompt:
     
     Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a recommended method of verifying that the update has been applied. However the files updated for this security patch do not contain file version information so using file attributes information used to verify the update is a detection mechanisms. In certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.