Microsoft Security Bulletin MS02-049

Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning (Q326568)

Originally posted: September 04, 2002

Summary

Who should read this bulletin:
Customers using Microsoft® Visual FoxPro 6.0

Impact of vulnerability:
Attacker could gain control over user's system.

Maximum Severity Rating:
Moderate.

Recommendation:
Customers using Visual FoxPro 6.0 should install the patch immediately.

Affected Software:

Microsoft Visual FoxPro 6.0

General Information

Technical details

Technical description:

In general, when an product installs, it should register itself with Internet Explorer. This allows the product to specify how Internet Explorer should handle files associated with it when referenced from a web page - for instance, it allows the product to specify whether the user should be presented with a warning dialogue before such a file is opened.

Visual FoxPro 6.0 does not perform this registration, and this gives rise to a situation in which a web page could automatically launch a Visual FoxPro application (i.e., an .app file). In most cases, this would not result in a security vulnerability - because of the way Visual FoxPro 6.0 evaluates file names, FoxPro itself could be started but the .app file would typically not run. However, if the filename of the application were constructed in a particular way, a second error (associated with how Visual FoxPro 6.0 evaluates application filenames) could not only start FoxPro but allow the application to execute.

The vulnerability could be exploited by creating a web page that references a Visual FoxPro application, and either hosting it on a web site or sending it to a user as an HTML mail. If the user had installed Visual FoxPro 6.0 - or had installed a product that includes the Visual FoxPro 6.0 runtime - and the filename of the application was constructed in a particular way, the application would execute. This would enable the application to not only interrogate databases, but also issue system commands in the user's security context.

Mitigating factors:

The vulnerability could only be exploited if Visual FoxPro 6.0 (or the Visual FoxPro 6.0 runtime) is installed on the system. Other products, and other versions of Visual FoxPro, are not affected by the vulnerability.
The most privileges the application could gain would be those of the user. If the user were operating in a less-privileged context, it would limit the damage that the application could cause.

Severity Rating:

	Internet Servers	Intranet Servers	Client Systems
Visual FoxPro 6.0	Low	Low	Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-0696

Tested Versions:

Microsoft tested Visual FoxPro 6.0 and 7.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This vulnerability could enable an attacker to run a Visual FoxPro application on another user's system. By doing so, the attacker would be able to take any action that user could take, including loading and running programs, altering data on the system, reformatting the hard drive, and so forth.
The vulnerability could only be exploited if two conditions were present:

Visual FoxPro Version 6.0 (or another product that installs certain parts of Visual FoxPro 6.0, as discussed below) was installed on the system. No other products - and no other versions of FoxPro - are affected by the vulnerability.
The application's file name had a specific, peculiar construction.

What causes the vulnerability?
The vulnerability results because Visual FoxPro application can be launched from a web page without generating a warning to the user.

What's Visual FoxPro?
Visual FoxPro is an object-oriented database management system that enables the development of database solutions for desktops or the web. The version of Visual FoxPro at issue here, Version 6.0, shipped as both a stand-alone product and as part of Visual Studio 6.0.

What's a Visual FoxPro application?
In Visual FoxPro, as in most database systems, it's possible to write an application that automates access to the database. Such an application can not only interrogate the database, but also can, by design, take actions on the user's system.

What's wrong with the way Visual FoxPro applications are handled?
There are two problems that combine to create a vulnerability. The first is that Visual FoxPro 6.0 does not register itself with Internet Explorer. Whenever a product installs, it should register with Internet Explorer and indicate whether files associated with the application can open automatically, or require user approval before opening. However, Visual FoxPro 6.0 does not do this.
Under most conditions, this would not pose a security vulnerability. For the vast majority of cases, the sole effect of opening a Visual FoxPro application would be to start Visual FoxPro but not actually run the application. However, if the application's filename is constructed in a particular way, it will cause Visual FoxPro to interpret and execute the application.

What could this vulnerability enable an attacker to do?
The vulnerability would enable an attacker to launch a Visual FoxPro application on another user's system, after which point the application could take any action that the user was authorized to take on the system.

How might an attacker exploit the vulnerability?
The attacker would need to create a web page that invokes a Visual FoxPro application, and either host the page on a web site or send it to another user as an HTML mail. In either case, if a user opened that page, and had Visual FoxPro 6.0 installed on the system, the application would launch without warning

I don't have Visual FoxPro installed on my system. Am I at any risk?
The vulnerability could only be exploited if Visual FoxPro - and specifically Version 6.0 of Visual FoxPro - was installed on your system. However, it is important to note that there are two ways it could be installed. The most common way would be for you to have installed the Visual FoxPro 6.0 product on your system.
But it's also possible for third-party products to embed the Visual FoxPro 6.0 runtime - essentially, the core database engine, without any of the supporting feature set. If you had installed such a product, you could also be vulnerable.

What third-party products install the Visual FoxPro 6.0 runtime?
It's impossible to say. The runtime is embedded in a number of applications that have been written by companies for their internal use, as well as by commercial products. If you think you might be using such a product, you can determine whether the Visual FoxPro 6.0 runtime is present on your system by searching for any of the following files on your system: vfp6r.dll, vfp6t.dll, or vfp6run.exe. If any of them are present, Visual FoxPro 6.0 is installed on your system and you need the patch.

I have Visual FoxPro 7.0 installed on my system. Am I at any risk?
No. The vulnerability only affects Visual FoxPro 6.0.

I used to have Visual FoxPro 6.0 on my system, but I upgraded to Version 7.0. Am I at any risk?
No. Upgrading to Version 7.0 eliminates the vulnerability. This is true even if you did a side-by-side installation - that is, if you installed Version 7.0 on a system that already had Version 6.0 on it, but elected to keep both versions present on the system.

Is there any way to eliminate the vulnerability other than installing the patch?
Yes. Recall that the vulnerability results in part because Visual FoxPro 6.0 doesn't tell Internet Explorer how to handle Visual FoxPro applications. It's possible to do this manually via the following procedure:

Open Control Panel
Select "Tools", then "Folder Options"
Click the "File Types" tab
In the scroll box titled "Registered File Types", select the "APP" extension. (If this extension is not present in the list, it means you don't have Visual FoxPro installed).
Click on "Advanced"
Select "Confirm open after downloading".
Hit OK to close the Edit File Type dialogue
Hit OK to close the File Options dialogue
Close Control Panel

What does the patch do?
The patch registers Visual FoxPro application (.app) files with Internet Explorer and also removes the code flaw that allows certain filenames to be evaluated and launched.

Patch availability

Other information:

Acknowledgments

Microsoft thanks Cristobal Bielza and Juan Carlos G. Cuartango from Instituto Seguridad Internet (http://www.instisec.com) for reporting this issue to us and working with us to protect customers.

Support:

Microsoft Knowledge Base article Q326568 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (September 04, 2002): Bulletin Created.