Microsoft Security Bulletin (MS00-028): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-028 announces a procedure to eliminate a vulnerability affecting two components that ship with several web server products. The vulnerability could allow a malicious user to mount denial of service attacks or run arbitrary code on an affected server. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. If the buffer were overrun with carefully-chosen data, the server could be made to run code of the malicious user's choice. The remediation is to remove the affected components.
Unlike many buffer overruns, this one could not be used to cause the server to crash, because of the security context in which the affected components run. For the same reason, the arbitrary code could only be made to run in the user's own security context, not in an elevated one.
What causes the vulnerability?
Two components of FrontPage 97 and 98 Server Extensions, Htimage.exe and Imagemap.exe, contain unchecked buffers. If carefully-chosen arguments were supplied to these components, they could be made to run code via a classic buffer overrun vulnerability.
What do these components do?
Both components are used to provide server-side image mapping functionality for older browsers. Specifically, Htimage.exe provides CERN-compliant server-side image mapping, and Imagemap.exe provides NCSA-compliant server-side image mapping.
What do you mean by "server-side image mapping"?
Image mapping allows a web page to attach a hyperlink to an image. For example, a web site might display a picture of the United States, and clicking on an individual state might lead to a page showing tourist attractions for that state. Image mapping is the technique that integrates the image and the hyperlink.
Most modern browsers support client side image mapping natively, and browsers can display the image and integrate the hyperlink. However, legacy browsers (for example, Internet Explorer 1.0 and 2.0) didn't possess this capability, and components on the server were needed to allow them to do image mapping. The two affected components in this vulnerability perform this function, in compliance with two different specifications, CERN's and NCSA's.
Is this a vulnerability affecting browsers?
No. The two components at issue here are used to support older browsers, but the vulnerability has nothing to do with the browsers themselves. It's entirely a problem involving how Htimage.exe and Imagemap.exe handle incoming arguments.
Buffer overruns usually enable a malicious user to crash the affected machine. Does this one?
No. Htimage.exe and Imagemap.exe run "out of process" under normal conditions. That is, they do not run as part of the web server process, but instead run as separate processes, in the security context of the user who called them. Although a user certainly could overrun the buffer with random data in order to cause the process to crash, doing so would only crash Htimage.exe or Imagemap.exe, respectively -- not cause the server or the web service to crash.
If a malicious user exploited this vulnerability to run arbitrary code, what could he do?
Because these two components execute in the security context of the user, the arbitrary code would as well. This is a significant restriction in the scope of the vulnerability.
However, it does not mean that there is no risk, especially if security best practices are not observed. For instance, if a web site did not observe the "least privilege" security recommendation, and allowed user processes to run in the context of a more privileged user, this vulnerability could allow them to run code in that context.
It sounds to me as though this vulnerability would never let someone take actions that they aren't already permitted to take. Is this true?
It's true that a malicious user who exploited this vulnerability to run code of his choice could only take actions he has permission to take - that's true by definition, since the code runs in the context of the user.
However, there is still a security risk from this vulnerability. Even though a user may be permitted to take some action, he may not be capable of taking it unless the proper functionality is exposed via a web page, script, or some other means. This vulnerability would essentially let a malicious user make use of all functionality that he has permissions for, including functionality that isn't otherwise exposed. In particular, it could allow a malicious user to more easily exploit misconfigured servers.
Could this vulnerability be exploited accidentally?
No. Exploiting the buffer overrun to cause arbitrary code to execute would require significant effort, and could not happen accidentally.
What machines are primarily at risk from this vulnerability?
Web servers running any of the affected server products could be affected by this vulnerability.
I'm using one of the affected products on my web server. What should I do?
Just delete all copies of Htimage.exe and Imagemap.exe. To do this, follow these steps:
- Select Start, then Search, then For Files or Folders.
- In the box labeled "Search for files or folders named:", type Htimage.exe.
- Click the "Search Now" button.
- In the Search Results box, right-click on each copy of Htimage.exe found, and select "delete".
- Repeat the above steps to delete Imagemap.exe.
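As an added example that is not part of the bulletin, the same search-and-delete can be scripted for every drive exposed by PowerShell's FileSystem provider; it lists each copy with its size and SHA-256 hash first, and only deletes when run with -Remove. The script, its parameter names and the Find-AffectedBinaries function are my own and assume an administrative PowerShell session.

```powershell
# Added example, not Microsoft's code: locate and remove every copy of the two
# affected CGI binaries. Runs in report-only mode unless -Remove is given.
param(
    [string[]]$Names = @('Htimage.exe', 'Imagemap.exe'),
    [switch]$Remove
)

function Find-AffectedBinaries {
    param([string[]]$FileNames)
    # Every drive of the FileSystem provider (registry, certificate and other
    # providers are excluded); the leaf name is matched case-insensitively and
    # folders the session cannot read are skipped quietly.
    $roots = Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -File -Include $FileNames `
            -Force -ErrorAction SilentlyContinue
    }
}

$found = @(Find-AffectedBinaries -FileNames $Names)
if ($found.Count -eq 0) {
    Write-Host "No copies of $($Names -join ', ') found."
    return
}

# Record path, size and hash of each copy before anything is touched, so the
# change can be documented and later re-introductions compared against it.
$found | ForEach-Object {
    [pscustomobject]@{
        Path   = $_.FullName
        Bytes  = $_.Length
        SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize

if ($Remove) {
    $found | Remove-Item -Force -Verbose
} else {
    Write-Host "Re-run with -Remove to delete the files listed above."
}
```

Scheduling the report-only run periodically gives the check described later in this FAQ for servers where other people publish content.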
What functionality will I lose by deleting these files?
The only lost functionality is the ability to support server-side image mapping for older browsers such as IE 1.0 and 2.0.
Once I've deleted the files, do I need to do anything more?
ISPs and other customers who allow other people to host and manage web sites on their server may need to take additional steps to ensure that the files cannot be unknowingly re-introduced onto their servers.
I allow other people to host and manage web sites on my server. How can I prevent them from re-introducing the files onto the server?
ISPs and Server Administrators should use functionality built into the Server Extensions to limit Authors from uploading files to executable folders on the web server. The default setting for FrontPage 2000 Server Extensions is to deny uploading files to executable folders. The default setting for FrontPage 2000 would prevent htimage.exe and imagemap.exe from being published to the cgi-bin folder in the web. To learn more about these settings with FrontPage 2000 or FrontPage 98 Server Extensions, please see the following resources:
FrontPage 2000 Server Extensions Resource Kit
FrontPage 98 Server Extensions Resource Kit
What is Microsoft doing about this issue?
- Microsoft has developed a procedure that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.