Microsoft Security Bulletin MS00-042 - Critical
Patch Available for 'Active Setup Download' Vulnerability
Published: June 29, 2000 | Updated: February 28, 2003
Microsoft has released a patch that eliminates a security vulnerability in an ActiveX control that ships with Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to overwrite files on the computer of a user who visited his site.
- Microsoft Internet Explorer 4.x
- Microsoft Internet Explorer 5.x
The Active Setup Control allows .cab files to be downloaded to a user's computer as part of the installation process for software updates. However, the control has two flaws. First, it treats all Microsoft-signed .cab files as trusted, thereby allowing them to be downloaded without asking the user's approval. Second, it provides a method by which the caller can specify the download location on the user's hard drive, including the file name. In combination, these two flaws would allow a malicious web site operator to download a Microsoft-signed .cab file to a path of his choosing, overwriting whatever file is already there. By overwriting system files, he could render the machine unusable.
It is important to note that there is no capability via this vulnerability to actually install the software that has been downloaded - the vulnerability only allows files to be overwritten, in a denial of service attack. System File Protection in Windows 2000 would prevent an attack like this one from being used to overwrite system files.
What's this bulletin about?
Microsoft Security Bulletin MS00-042 announces the availability of a patch that eliminates a vulnerability in an ActiveX control that ships with Microsoft® Internet Explorer. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability. It could allow a malicious web site operator to overwrite a file on the computer of a visiting user. If certain system files on the computer were overwritten, it could render the visitor's computer unusable.
The vulnerability could only be used to overwrite a file as a means of preventing it from operating - it could not be used to replace an executable file with new code of the malicious web site operator's choice. If the malicious user's web site were running in a Security Zone in which ActiveX controls are not allowed to run, the vulnerability could not be exploited.
What causes the vulnerability?
The vulnerability results because of two flaws in an ActiveX control, the Active Setup Control:
- The control does not prompt the user when downloading a file that has been digitally signed by Microsoft.
- The control allows the caller to install the file at any desired location on the hard drive.
Is this a flaw in the ActiveX technology?
No. This vulnerability has nothing to do with the ActiveX technology per se. It results because of the way one particular ActiveX control was implemented.
What is Active Setup, and what is the Active Setup Control?
Active Setup is a technology that dramatically improves the process of installing software updates, especially over the Internet. In most browsers, if a user needs to download a software update via the Internet, he must download a large package that contains every file that might conceivably be needed for the update. In contrast, Active Setup in Internet Explorer allows a small setup package to be downloaded to the user's machine, which then determines which files are needed and downloads only them. This significantly reduces the time required for updates.
The ActiveX control at issue here, the Active Setup control, is one of the components of IE that's used to effect this functionality.
What's the issue regarding Microsoft-signed updates?
In general, the Active Setup control checks whether a setup package has been digitally signed, and if so by whom, before downloading it. A digital signature provides proof of who created the package and that it hasn't been changed or tampered with since it was signed.
If the setup package is not digitally signed, the control will warn the user and ask whether to continue with the download. Likewise, if the package is digitally signed by a party that the user hasn't specified that they trust, the control will ask whether to continue with the installation, and also whether to always trust content from the signer. However, Microsoft-signed content is trusted by default.
Why is Microsoft-signed content trusted by default?
By design, Microsoft-signed files are trusted by default. At first blush, this would seem appropriate - after all, the user has chosen to install a Microsoft product, so they've already made the decision to trust the content that Microsoft provides.
The security problem this raises is that there's nothing to prevent other people from hosting Microsoft-signed files (after all, Microsoft-signed files are freely available from various pages on the Microsoft web site) and using them inappropriately.
What do you mean by "hosting Microsoft-signed files and using them inappropriately"?
A malicious web site operator could download Microsoft-signed updates from the Microsoft web site, host them on his own site, and use the fact that they are trusted by default to silently download them onto the machine of a visiting user. It's important to note the restrictions on this vulnerability:
- It would not provide the malicious user with a means of modifying the update in any way. If he did, the verification of the digital signature would fail.
- It would not provide the malicious user with a means of initiating the installation process. That is, the vulnerability would allow him to download the update, but he would need some other means of getting the installation to actually occur.
I don't see a problem. So the malicious web site operator could download an unmodified Microsoft product onto a visitor's machine. Why is that a security vulnerability?
That's where the second flaw comes in. The Active Setup Control also allows the caller (in this case, the malicious web site operator) to specify the path and file name to which the file should be downloaded. This would allow the malicious user to overwrite any desired file on the visitor's machine.
But if the malicious user couldn't initiate the installation process, why would it matter if he could put the file wherever he wants?
The point of the attack would not necessarily be to try to install the update - it would be simply to overwrite some file on the user's disk. For instance, if the malicious web site operator overwrote a crucial file on the disk, he could potentially render the machine inoperable. The fact that he would be overwriting it with an Active Setup file would be incidental - the important point would be his ability to overwrite the file at all.
I heard that something in Windows 2000 would help protect against this vulnerability. Is this true?
Yes. A feature in Windows 2000 called System File Protection (SFP) would protect somewhat against this vulnerability. SFP is a feature in which certain critical Windows 2000 files are marked and checked each time the system is started. If the files have been changed, they're reinstated to their original condition. If a malicious web site operator used this vulnerability to overwrite an SFP-protected file, the attack would be ineffective, because Windows 2000 would restore the affected files.
SFP would not prevent the malicious web site operator from overwriting files that the visitor had created, such as Word documents or text files. However, to overwrite these, the malicious web site operator would need to know the exact path and file name of the files. This would significantly increase the difficulty of carrying out the attack, because this vulnerability provides no way for the malicious web site operator to inventory the files on the user's computer.
Would the Security Zones feature help protect against this vulnerability?
Yes. The Security Zones feature of IE allows you to categorize the web sites you visit and specify what the sites in a particular category should be allowed to do. Among the options you can choose is whether web sites should be able to use ActiveX components. A malicious web site operator could only exploit this vulnerability if ActiveX components are allowed to run in the zone that his site falls into.
Microsoft recommends that customers routinely use the Security Zones feature. We recommend putting the sites that you visit frequently and trust into the Trusted Zone. All sites that you haven't otherwise categorized will reside in the Internet Zone. You can then configure the zones to give the appropriate privileges to the web sites in these zones.
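To check how a zone is actually configured on a given machine, the following script audits the zone settings that govern ActiveX. It is an added example written for this page, not Microsoft code. It assumes the documented registry layout HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>, where the DWORD value named "1200" ("Run ActiveX controls and plug-ins") holds 0 = Enable, 1 = Prompt or 3 = Disable; the zone and action names, the read_zone/assess/demo functions and the settings used in demo() are the example's own constructions, not values read from any real machine.

```python
"""
Audit of Internet Explorer Security Zone settings that decide whether an
installed ActiveX control, such as the Active Setup Control, can run for pages
in a given zone. Added example for this page, not Microsoft code. The registry
layout below is the documented one; the settings in demo() are constructed.
"""
import sys

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Registry value names for the zone actions relevant to ActiveX, and their meaning.
ACTIONS = {
    "1200": "Run ActiveX controls and plug-ins",
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
LEVELS = {0: "Enable", 1: "Prompt", 3: "Disable"}

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"


def read_zone(zone_id):
    """Read the action values for one zone from the current user's hive (Windows only).
    Machine-wide policy in HKLM can override HKCU; this function reads HKCU only."""
    import winreg  # available only on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + str(zone_id)) as key:
        for name in ACTIONS:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue
            if kind == winreg.REG_DWORD:
                values[name] = data
    return values


def assess(zone_id, values):
    """Classify a zone by whether a page in it can drive an installed ActiveX control.
    The bulletin's condition is that the control must be allowed to run, i.e. action 1200."""
    run = values.get("1200")
    report = [f"Zone {zone_id} ({ZONE_NAMES.get(zone_id, 'unknown')}):"]
    for name, desc in ACTIONS.items():
        if name in values:
            level = LEVELS.get(values[name], "unknown(%d)" % values[name])
        else:
            level = "not set"
        report.append(f"  {name} {desc}: {level}")
    if run == 3:
        verdict = "blocked"   # ActiveX cannot run, so the control is unreachable from this zone
    elif run == 1:
        verdict = "prompt"    # reachable only if the user accepts the prompt
    elif run == 0:
        verdict = "exposed"   # controls run silently; the patch is the only protection
    else:
        verdict = "unknown"   # value absent or non-standard; treat as exposed
    report.append(f"  -> ActiveX execution: {verdict}")
    return verdict, "\n".join(report)


def demo():
    """Constructed settings: an Internet zone with ActiveX enabled, and one hardened."""
    internet_enabled = {"1200": 0, "1001": 0, "1004": 3, "1201": 3}
    internet_hardened = {"1200": 3, "1001": 3, "1004": 3, "1201": 3}
    return assess(3, internet_enabled)[0], assess(3, internet_hardened)[0]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
    if sys.platform == "win32":
        for zone in (3, 4):  # Internet and Restricted sites
            print(assess(zone, read_zone(zone))[1])
```

On a Windows machine the script prints the live settings for the Internet and Restricted sites zones; elsewhere it only runs the constructed cases. A "blocked" verdict for the zone a site falls into is the configuration the bulletin describes as making the vulnerability unexploitable; "prompt" still depends on the user declining.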
Who should use the patch?
Microsoft recommends that all customers using an affected version of Internet Explorer consider installing the patch.
What does the patch do?
The patch does two things:
- It changes the Active Setup Control so that it treats Microsoft-signed content exactly like content from any other software issuer.
- It removes the capability of the caller to dictate where the file will be downloaded to. Instead, the file will always be downloaded to a standard location, and the setup file, when initiated by the user, will select where the update should be installed.
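The two flaws listed under "What causes the vulnerability?" and the two changes the patch makes can be modelled side by side. The following is an added illustration written for this page, not the control's own code: VulnerableDownloader, PatchedDownloader, the signer allowlist, the staging directory and the package offered in demo() are assumptions chosen to mirror the bulletin's description.

```python
"""
Model of the two Active Setup Control flaws and of the behaviour the patch
installs. Added illustration for this page, not the control's own code; all
names and the package in demo() are constructed.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class Package:
    name: str              # file name the server offered for the .cab
    signer: Optional[str]  # organisation named in the Authenticode signature, None if unsigned
    data: bytes            # package bytes (signature assumed already verified)


Prompt = Callable[[Package], bool]  # asks the user; True means "go ahead"


class VulnerableDownloader:
    """Pre-patch behaviour: one signer is trusted implicitly and the caller picks the path."""

    def __init__(self, trusted_signers: Iterable[str], prompt: Prompt):
        # Flaw 1: Microsoft-signed content is trusted regardless of the user's choices.
        self.trusted = set(trusted_signers) | {"Microsoft Corporation"}
        self.prompt = prompt

    def download(self, pkg: Package, dest_path: str) -> Optional[str]:
        if pkg.signer not in self.trusted and not self.prompt(pkg):
            return None
        # Flaw 2: dest_path comes from the caller (the web page), so any file the
        # user can write is silently replaced with the package bytes.
        with open(dest_path, "wb") as f:
            f.write(pkg.data)
        return dest_path


class PatchedDownloader:
    """Post-patch behaviour: every signer is treated alike and the location is fixed."""

    def __init__(self, trusted_signers: Iterable[str], prompt: Prompt, staging_dir: str):
        self.trusted = set(trusted_signers)  # no built-in exception for Microsoft
        self.prompt = prompt
        self.staging = os.path.realpath(staging_dir)

    def download(self, pkg: Package) -> Optional[str]:
        if pkg.signer is None or pkg.signer not in self.trusted:
            if not self.prompt(pkg):
                return None
        # Only the last component of the offered name is used, and the result
        # must resolve inside the staging directory.
        safe_name = os.path.basename(pkg.name.replace("\\", "/"))
        if safe_name in ("", ".", ".."):
            raise ValueError("invalid package name")
        dest = os.path.realpath(os.path.join(self.staging, safe_name))
        if os.path.commonpath([dest, self.staging]) != self.staging:
            raise ValueError("package name escapes the staging directory")
        with open(dest, "xb") as f:  # "x": create only, never overwrite an existing file
            f.write(pkg.data)
        return dest


def demo() -> dict:
    """Run both implementations against a constructed Microsoft-signed package
    whose offered name points at a file outside the download area."""
    prompts = []

    def declining_user(pkg: Package) -> bool:
        prompts.append(pkg.name)
        return False

    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "boot.ini")  # stands in for a crucial system file
        with open(victim, "w") as f:
            f.write("[boot loader]\n")
        pkg = Package(name="..\\..\\boot.ini", signer="Microsoft Corporation", data=b"not a boot file")

        VulnerableDownloader([], declining_user).download(pkg, victim)
        with open(victim, "rb") as f:
            overwritten = f.read() == pkg.data
        prompts_before_patch = len(prompts)  # the user was never asked

        staging = os.path.join(root, "staging")
        os.mkdir(staging)
        declined = PatchedDownloader([], declining_user, staging).download(pkg)
        prompts_after_patch = len(prompts)   # Microsoft is now just another signer

        saved = PatchedDownloader([], lambda p: True, staging).download(pkg)
        landed_in_staging = os.path.dirname(saved) == os.path.realpath(staging)

    return {
        "vulnerable_overwrote_victim": overwritten,
        "prompts_before_patch": prompts_before_patch,
        "patched_result_when_declined": declined,
        "prompts_after_patch": prompts_after_patch,
        "patched_landed_in_staging": landed_in_staging,
        "patched_file_name": os.path.basename(saved),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pre-patch class never consults the user for the Microsoft-signed package and writes wherever it is told; the patched class prompts because Microsoft no longer enjoys a built-in exception, and even when the user accepts, the traversal in the offered name is discarded and the file can only be created, never overwrite, under the staging directory.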
The Patch Availability section of the bulletin says that the patch for IE 5.5 has been incorporated into a later-released patch. Why was this done?
We did this to minimize the number of patches customers need to apply. If you're running IE 5.5 and have applied the patch provided in Microsoft Security Bulletin MS00-055, you're already protected against this vulnerability and don't need to take any other action.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
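The manifest check described above can be scripted. The following is an added example for this page, not Microsoft's own tooling: the one-line-per-file format (date, time, version, size, file name) mirrors the convention Knowledge Base articles use, but the manifest text, version strings and files created in demo() are constructed placeholders, not the real MS00-042 file list, which appears only in KB article Q265258.

```python
"""
Checker for a patch file manifest. Added example for this page, not Microsoft
tooling. The manifest and the files in demo() are constructed placeholders.
"""
import os
import re
import tempfile
from datetime import datetime

# One manifest line, e.g.:  06/27/2000  14:05  1.0.0.1  12,345  Example.dll
MANIFEST_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2})\s+"
    r"(?P<version>[\d.]+)\s+(?P<size>[\d,]+)\s+(?P<name>\S+)$"
)


def parse_manifest(text: str) -> list:
    """Turn manifest text into entries; blank lines and '#' comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable manifest line: {line!r}")
        entries.append({
            "name": m["name"],
            "size": int(m["size"].replace(",", "")),
            "version": m["version"],
            "stamp": datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M"),
        })
    return entries


def check_files(entries: list, root: str) -> dict:
    """Return a verdict per manifest entry: 'ok', 'missing', or a size mismatch.
    Size is compared exactly; the timestamp is parsed but not enforced, because
    copying and time zones change it, whereas a wrong size means a wrong file."""
    results = {}
    for e in entries:
        path = os.path.join(root, e["name"])
        if not os.path.isfile(path):
            results[e["name"]] = "missing"
            continue
        size = os.path.getsize(path)
        if size != e["size"]:
            results[e["name"]] = f"size mismatch: manifest {e['size']}, on disk {size}"
        else:
            results[e["name"]] = "ok"
    return results


def demo() -> dict:
    """Constructed manifest and directory: one matching file, one wrong-sized, one absent."""
    manifest = """
    # constructed sample, not the Q265258 manifest
    06/27/2000  14:05  1.0.0.1  1,024  Sample1.dll
    06/27/2000  14:05  1.0.0.1    512  Sample2.dll
    06/27/2000  14:05  1.0.0.1    256  Sample3.dll
    """
    entries = parse_manifest(manifest)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Sample1.dll"), "wb") as f:
            f.write(b"\0" * 1024)  # matches the manifest
        with open(os.path.join(root, "Sample2.dll"), "wb") as f:
            f.write(b"\0" * 500)   # stale copy: wrong size
        # Sample3.dll deliberately not created
        return check_files(entries, root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

To use it for real, paste the file list from the KB article into the manifest string and call check_files with the directory the patch installs into (the Windows system directory for IE components); any entry that is not "ok" means the patch is not correctly in place.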
What is Microsoft doing about this issue?
- Microsoft has developed a procedure that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
Download locations for this patch
- Internet Explorer 4.01 Service Pack 2, Internet Explorer 5.01, or Internet Explorer 5.01 Service Pack 1:
Contact Microsoft Product Support
- Internet Explorer 5.5:
Note: For IE 5.5 only, the patch has been incorporated into a subsequently-released patch. For more information, please see Microsoft Security Bulletin MS00-055.
Note: Customers installing the patch on versions other than those listed above may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q265258.
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base (KB) article Q265258, http://support.microsoft.com/default.aspx?scid=kb;en-us;265258&sd=tech
Support: This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (June 29, 2000): Bulletin Created.
- V1.1 (August 09, 2000): Patch Availability section updated to advise that, for IE 5.5 only, a subsequently-released patch is available that eliminates other vulnerabilities in addition to those discussed here.
- V1.2 (February 28, 2003): Updated links in Frequently Asked Questions section.