What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker could exploit the vulnerability via either a web page or an HTML mail, and successfully exploiting it would grant the attacker complete control over a user's system. This would give the attacker the ability to add, delete or change any data on the system, reformat the hard drive, or take other actions.
The vulnerability is subject to several constraints:
- The vulnerability could only be exploited if the control were installed on the user's system. However, it is not installed by default as part of any version of Windows.
- Customers who use Outlook 98 or Outlook 2000 in conjunction with the Outlook Email Security Update, or who use Outlook Express 6 or Outlook 2002, would be at no risk from the email-based attack vector.
What causes the vulnerability?
The vulnerability results because the Terminal Services Advanced Client (TSAC) ActiveX control contains an unchecked buffer. If called by a web site in a particular way, the buffer could be overrun, with the result that an attacker could cause the control to take action on the user's system.
What is the TSAC ActiveX control?
The Terminal Services Advanced Client (TSAC) ActiveX provides a way for Windows systems to run Terminal Services sessions within Internet Explorer. It provides nearly the same functionality as the full Terminal Services Client, but is designed to deliver this functionality over the Web. Through the control, users can establish terminal server sessions from suitably configured IIS servers.
Is the TSAC control installed by default?
No. In fact, you cannot install the control by any means except visiting a web site that offers terminal services. The control is downloaded from the server to the client system as part of the session connection sequence.
How does the installation process for the TSAC control work?
By default, IIS web sites don't offer access to terminal services enabled machines. When an administrator chooses to configure the site to provide them, he or she must download a hostable version of the control from the Microsoft web site and install it on the server. (In the case of Windows XP Professional, the hostable version of the control can also be obtained from the installation CD). Once this has been done, the server will download the control to any system that visits the web site, after which point the user can start terminal service sessions with the web site.
Can the control be installed by a web site without the user's knowledge?
No. The installation process always generates a warning to user, and the user does have the opportunity to cancel.
What's wrong with the TSAC ActiveX control?
The control contains an unchecked buffer. If called using a particular type of malformed input value, the buffer could be overrun. The effect would be, in essence, to change the functionality of the control and make it take new actions instead of those it's programmed to take.
What could this vulnerability enable an attacker to do?
An attacker could use this vulnerability to gain control over another user's computer. Depending on exactly how the attacker overran the buffer, he or she could cause the control to take any desired action. Because the control operates in the context of the user , the attacker would be able to perform any action the user was able to perform.
How might an attacker exploit the vulnerability?
The attacker would need to construct a web page that calls the control and provides the malformed input value discussed above. The attack could then proceed via either of two vectors. In the first, the attacker could host the web page on a web site; when a user visited the site, the web page would attempt to run the control and exploit the vulnerability. In the second, the attacker could send the web page as an HTML mail. Upon being opened by the recipient, the web page could attempt to run the control and exploit the vulnerability.
You said the web page could "attempt" to run the control. What would determine whether this attempt was successful?
Two factors would determine whether the attack was successful:
- Whether the user had previously accepted the installation of the control from a web site. If the control wasn't present on the system, it couldn't be called. As discussed above, the control is not installed by default in any version of Windows.
- Whether ActiveX controls were allowed to run on the user's system. The Internet Explorer Security Zones mechanism provides a way of regulating what actions various web sites can take - among them, whether they can run ActiveX controls. By default, web pages in the Restricted Sites Zone cannot run ActiveX controls. This turns out to be especially significant in the case of an attack via the HTML mail vector.
Why is that?
By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at no risk from the email attack vector.
In the Summary section of the bulletin, you recommended that web masters who offer terminal services install the patch. Does that mean this vulnerability poses a threat to my web site?
No. The vulnerability poses a threat to the clients in this scenario, not the server. When hosted on a server, the control is encapsulated in a compressed file (called a cabinet file). It cannot be executed while in this state.
If the vulnerability doesn't pose a threat to my web site, why do I have to install the new patch on my server?
To be clear, you may not need to install it. Only web sites that provide terminal services and which host the TSAC control need to install the new patch. However, if you do provide terminal services, you should install the patch in order to ensure that your web site is hosting the most up to date version of the control. If you don't, users who take the actions we recommend below will be unable to use access terminal services enabled machines from your web site.
After installing the patch on my web server, do I need to take any other action?
Yes. You'll need to follow the instructions in Microsoft Knowledge Base article Q327521 for updating your web pages to use the new control.
In the Summary section of the bulletin, you recommended that users should not install this patch, but instead should install the most recent cumulative patch for IE. Why?
The latest cumulative patch for IE (which, at this writing, is the one provided in Microsoft Security Bulletin MS02-047) sets the "kill bit" for the control. This action in itself is sufficient to protect users from the vulnerability, because it prevents the vulnerable version of the control from ever being instantiated within Internet Explorer. (For more information on the "kill bit", see Microsoft Knowledge Base article Q240797.
But why aren't you providing an updated control for users to install on their systems?
The updated control will be delivered to users through the normal installation process described above. That is, the next time the user visits a web site that offers terminal services and has installed the patch, the updated control will be delivered to the user's system. (On the other hand, if the web site has not installed the patch, the user will be unable to use terminal services. This is the correct behavior, since the older version of the control does represent a security exposure if used).
I don't know whether I've ever visited a web site that installed the TSAC control. Should I install the latest IE patch?
Yes. The patch provided in Microsoft Security Bulletin MS02-047 contains fixes for a number of vulnerabilities in addition to this one. It's worth installing in its own right, even if you don't have the TSAC control.
How can I tell if the TSAC ActiveX control is already on my computer?
To see if the control is on your computer, do the following:
- Start Internet Explorer
- Select Tools, then Internet Options.
- Click on the General tab.
- Click on Settings, then click on View Objects.
- Search the resulting list for a Program File name called Microsoft Terminal Services Client Control or Microsoft RDP Client Control
- If neither of these files are present, you definitely do not have the TSAC control installed.
- If Microsoft Terminal Service Client Control or Microsoft RDP Client control is present, right-click on it and select properties, then look for one of the following IDs. If either are present, you have a vulnerable version of the TSAC control installed.
- {1fb464c8-09bb-4017-a2f5-eb742f04392f}
- {791fa017-2de3-492e-acc5-53c67a2b94d0}
I do have the vulnerable control on my system, but I don't want to install the IE patch. Is there another way to protect my system?
Yes. You can set the "kill bit" manually. Just follow the instructions in Microsoft Knowledge Base Article Q240797, and set the "killbit" for the following IDs:
- {1fb464c8-09bb-4017-a2f5-eb742f04392f}
- {791fa017-2de3-492e-acc5-53c67a2b94d0}
My system is set up by my administrator to not install ActiveX controls. What should I do?
You may be part of the Users group, which by default doesn't allow ActiveX controls to be installed. You will need to contact your administrator about how you can install the ActiveX control. The administrator will determine what method will be used in your organization.
What does the patch do?
The patch addresses the vulnerability by instituting proper input data checking in the TSAC ActiveX control.
