Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-048)
What's this bulletin about?
This bulletin announces the availability of a patch that eliminates a vulnerability in a Microsoft® ActiveX control. The vulnerability could allow the creation of a malicious email that, even when normal safe computing practices are followed, could take malicious action against the recipient. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
The vulnerability could enable a malicious user to create a mail bomb. The primary danger in this vulnerability is that, where a mail bomb normally relies on an unwary recipient, this technique could allow malicious code to be executed even if the user followed what are normally safe computing procedures.
This vulnerability requires a very specific set of conditions in order to be exploited:
- It requires that the recipient of the malicious mail be using a mail reader that executes script in HTML mail.
- It requires that the recipient be using a mail reader that saves files to known locations when attempting to open them.
- It requires that the recipient decide to open the attachment from within the mail, rather than saving it to disk and opening it later.
What is the vulnerability?
The vulnerability involves the ability of a particular ActiveX control to launch cabinet files. When a number of other factors are present, it is possible to disguise a cabinet file as an innocuous file type, send it as an attachment in an HTML mail, then use a particular ActiveX control to launch it from within a script embedded in the mail.
Why is this called the "Active Setup Control" vulnerability?
The particular ActiveX control at issue here is provided for use as part of Active Setup, a technology that makes software installation faster and more reliable. The vulnerability has nothing to do with Active Setup per se; it lies entirely within one particular ActiveX control.
What is a cabinet file?
Cabinet files are a type of self-extracting compressed file that normally are used to install software. They can contain executable code in an initialization section. Cabinet files are involved in this vulnerability only because they happen to be the type of file that the ActiveX control is able to launch.
Why disguise the cabinet file? It still couldn't run even if the user opened it.
That's correct. If a cabinet file were disguised as, say, a .mid file and the recipient opened it, the application associated with .mid files, Windows Media Player, would try to play the contents of the file. However, it would be unable to make any sense of the file, so the operation would fail.
However, disguising the file serves two purposes. First, even a security-conscious user might decide to open a .mid file, since they are ostensibly safe. Second, some mail readers save a copy of an attachment in a known location on the disk as part of the process of opening a file. If this were done, a script embedded in the HTML mail could use the ActiveX control to launch the saved copy of the file.
Why is this a security vulnerability, if it relies on the recipient opening an attachment to an e-mail? I thought that was a known bad security practice.
The vulnerability gives the malicious user an opportunity to disguise an unsafe attachment as a safe one. Even a security-conscious user who is following recommended practices might choose to open such an attachment, since they do not contain executable code.
Why all the complexity? Why not just attach a malicious executable to the email?
Most mail bombs do just consist of a malicious executable as an attachment. However, security-conscious users know the dangers of running programs from untrusted sources, and might simply refuse to open such an attachment. The danger posed by this vulnerability is that even a security-conscious user might open the attachment, since it would ostensibly be safe.
What if the user saved the attachment and opened it later?
The attack would fail because the script would have no way to determine where the user had saved the file. One of the key points in this vulnerability is that it requires a mail reader that saves files in a known location as part of the process of opening them.
Could the vulnerability be exploited no matter what mail reader the recipient uses?
No. It would only be effective if the mail reader allows script in HTML mails to execute, and if it uses deterministic locations for storing the temporary files that are created when attachments are launched.
Can I prevent scripts from running in HTML mail?
Yes. Outlook 2000 and Outlook Express enable you to disable scripts in HTML mail.
Could this vulnerability be used to run programs that are already on my drive?
No. The affected ActiveX control can only be used to run files of a particular type. It cannot be used to run .exe, .com, or most other types of executable files.
What does the patch do?
The patch changes the way the ActiveX control operates when attempting to launch a cabinet file on the local machine. Specifically, it only allows the control to launch digitally-signed cabinet files.
Why couldn't a malicious user just digitally sign his or her cabinet file?
They could, but the signature would allow the recipient to determine exactly who created the file.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Knowledge Base article 244540 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.