What's this bulletin about?
Microsoft Security Bulletin MS00-042 announces the availability of a patch that eliminates a vulnerability in an ActiveX control that ships with Microsoft® Internet Explorer. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability. It could allow a malicious web site operator to overwrite a file on the computer of a visiting user. If certain system files on the computer were overwritten, it could render the visitor's computer unusable.
The vulnerability could only be used to overwrite a file as a means of preventing it from operating - it could not be used to replace an executable file with new code of the malicious web site operator's choice. If the malicious user's web site were running in a Security Zone in which ActiveX controls are not allowed to run, the vulnerability could not be exploited.
What causes the vulnerability?
The vulnerability results because of two flaws in an ActiveX control, the Active Setup Control:
- The control does not prompt the user when downloading a file that has been digitally signed by Microsoft.
- The control allows the caller to install the file at any desired location on the hard drive.
Is this a flaw in the ActiveX technology?
No. This vulnerability has nothing to do with the ActiveX technology per se. It results because of the way one particular ActiveX control was implemented.
What is Active Setup, and what is the Active Setup Control?
Active Setup is a technology that dramatically improves the process of installing software updates, especially over the Internet. In most browsers, if a user needs to download a software update via the Internet, he must download a large package that contains every file that might conceivably be needed for the update. In contrast, Active Setup in Internet Explorer allows a small setup package to be downloaded to the user's machine, which then determines which files are needed and downloads only them. This significantly reduces the time required for updates.
The ActiveX control at issue here, the Active Setup control, is one of the components of IE that's used to effect this functionality.
What's the issue regarding Microsoft-signed updates?
In general, the Active Setup control will check to see whether a setup package has been digitally signed, and if so by whom, before downloading a setup package. Digital signatures provide proof of who created the package, and that it hasn't been changed or tampered with.
If the setup package is not digitally signed, the control will warn the user and ask whether to continue with the download. Likewise, if the package is digitally signed by a party that the user hasn't specified that they trust, the control will ask whether to continue with the installation, and also whether to always trust content from the signer. However, Microsoft-signed content is trusted by default.
Why is Microsoft-signed content trusted by default?
By design, Microsoft-signed files are trusted by default. At first blush, this would seem appropriate - after all, the user has chosen to install a Microsoft product, so they've already made the decision to trust the content that Microsoft provides.
The security problem this raises is that there's nothing to prevent other people from hosting Microsoft-signed files (after all, Microsoft-signed files are freely available from various pages on the Microsoft web site) and using them inappropriately.
What do you mean by "hosting Microsoft-signed files and using them inappropriately"?
A malicious web site operator could download Microsoft-signed updates from the Microsoft web site, host them on his own site, and use the fact that they are trusted by default to silently download them onto the machine of a visiting user. It's important to note the restrictions on this vulnerability:
- It would not provide the malicious user with a means of modifying the update in any way. If he did, the verification of the digital signature would fail.
- It would not provide the malicious user with a means of initiating the installation process. That is, the vulnerability would allow him to download the update, but he would need some other means of getting the installation to actually occur.
I don't see a problem. So the malicious web site operator could download an unmodified Microsoft product onto a visitor's machine. Why is that a security vulnerability?
That's where the second flaw comes in. The Active Setup Control also allows the caller (in this case, the malicious web site operator) to specify the path and file name to which the file should be downloaded. This would allow the malicious user to overwrite any desired file on the visitor's machine.
But if the malicious user couldn't initiate the installation process, why would it matter if he could put the file wherever he wants?
The point of the attack would not necessarily be to try to install the update - it would be simply to overwrite some file on the user's disk. For instance, if the malicious web site operator overwrote a crucial file on the disk, he could potentially render the machine inoperable. The fact that he would be overwriting it with an Active Setup file would be incidental - the important point would be his ability to overwrite the file at all.
I heard that something in Windows 2000 would help protect against this vulnerability. Is this true?
Yes. A feature in Windows 2000 called System File Protection (SFP) would protect somewhat against this vulnerability. SFP is a feature in which certain critical Windows 2000 files are marked and checked each time the system is started. If the files have been changed, they're reinstated to their original condition. If a malicious web site operator used this vulnerability to overwrite an SFP-protected file, the attack would be ineffective, because Windows 2000 would restore the affected files.
SFP would not prevent the malicious web site operator from overwriting files that the visitor had created, such as Word documents or text files. However, to overwrite these, the malicious web site operator would need to know the exact path and file name of the files. This would significantly increase the difficulty of carrying out the attack, because this vulnerability provides no way for the malicious web site operator to inventory the files on the user's computer.
Would the Security Zones feature help protect against this vulnerability?
Yes. The Security Zones feature of IE allows you to categorize the web sites you visit and specify what the sites in a particular category should be allowed to do. Among the options you can choose is whether web sites should be able to use ActiveX components. A malicious web site operator could only exploit this vulnerability if ActiveX components are allowed to run in your browser.
Microsoft recommends that customers routinely use the Security Zones feature. We recommend putting the sites that you visit frequently and trust into the Trusted Zone. All sites that you haven't otherwise categorized will reside in the Internet Zone. You can then configure the zones to give the appropriate privileges to the web sites in these zones.
Who should use the patch?
Microsoft recommends that all customers using an affected version of Internet Explorer consider installing the patch.
What does the patch do?
The patch does two things:
- It changes the Active Setup Control so that it treats Microsoft-signed content exactly like content from any other software issuer.
- It removes the capability of the caller to dictate where the file will be downloaded to. Instead, the file will always be downloaded to a standard location, and the setup file, when initiated by the user, will select where the update should be installed.
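The two flaws and the two halves of the patch can be modelled as a policy decision: who gets a prompt, and where the package is written. The following is an added illustration written for this FAQ, not the Active Setup Control's own code; the download directory, the signer name "Microsoft Corporation" and the "reject on a failed signature" behaviour are assumptions for the example.

```python
import os
from dataclasses import dataclass

# Standard download location of the patched control (constructed placeholder path).
DOWNLOAD_DIR = os.path.join(os.sep, "activesetup", "downloads")
MICROSOFT = "Microsoft Corporation"  # assumed signer name used for illustration

@dataclass(frozen=True)
class Package:
    name: str                # file name of the setup package
    signer: "str | None"     # Authenticode signer, None if unsigned
    signature_valid: bool    # False if the package was modified after signing

def signer_decision(pkg, trusted_signers, patched):
    """Return 'reject', 'prompt' (ask the user) or 'silent' (download without asking)."""
    if pkg.signer is None:
        return "prompt"      # unsigned: warn and ask whether to continue
    if not pkg.signature_valid:
        return "reject"      # modified package: signature verification fails (assumed: abort)
    if pkg.signer in trusted_signers:
        return "silent"      # user earlier chose "always trust content from this signer"
    if not patched and pkg.signer == MICROSOFT:
        return "silent"      # flaw 1: Microsoft-signed content trusted by default
    return "prompt"          # patched: Microsoft treated like any other software issuer

def download_target(pkg, requested_path, patched):
    """Flaw 2 versus its fix: where the downloaded package lands on disk."""
    if not patched:
        return requested_path  # caller dictates any path, so any file can be overwritten
    # Patched: honour only the package's own file name and confine it to DOWNLOAD_DIR.
    base = pkg.name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise ValueError("invalid package file name")
    root = os.path.realpath(DOWNLOAD_DIR)
    target = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, target]) != root:   # defence in depth (e.g. symlinks)
        raise ValueError("destination escapes the download directory")
    return target

def plan_download(pkg, requested_path, trusted_signers=frozenset(), patched=True):
    """Combined outcome: (what the user sees, where the file would be written)."""
    decision = signer_decision(pkg, trusted_signers, patched)
    if decision == "reject":
        return decision, None
    return decision, download_target(pkg, requested_path, patched)

if __name__ == "__main__":
    hosted = Package("ie5setup.exe", MICROSOFT, True)   # unmodified, re-hosted update
    wanted = "C:\\WINNT\\critical.sys"                  # constructed placeholder path
    print("before patch:", plan_download(hosted, wanted, patched=False))
    print("after patch: ", plan_download(hosted, wanted, patched=True))
```

Before the patch the re-hosted, validly signed package is written silently to whatever path the caller names; after it the user is prompted and the file can only land, under its own name, inside the standard directory.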
The Patch Availability section of the bulletin says that the patch for IE 5.5 has been incorporated into a later-released patch. Why was this done?
We did this to minimize the number of patches customers need to apply. If you're running IE 5.5 and have applied the patch provided in Microsoft Security Bulletin MS00-055, you're already protected against this vulnerability and don't need to take any other action.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
The Knowledge Base provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has developed a procedure that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.