Microsoft Security Bulletin MS00-085 - Critical
Patch Available for 'ActiveX Parameter Validation' Vulnerability
Published: November 02, 2000 | Updated: February 28, 2003
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows 2000. The vulnerability could enable a malicious user to run code of his choice on another user's machine.
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Advanced Server
Vulnerability Identifier: CVE-2000-1034
An ActiveX control that ships as part of Windows 2000 contains an unchecked buffer. If the control was called from a web page or HTML mail using a specially-malformed parameter, it would be possible to cause code to execute on the machine via a buffer overrun. This could potentially enable a malicious user to take any desired action on the user's machine, limited only by the permissions of the user.
The vulnerability could only be exploited if ActiveX controls are enabled in IE, Outlook or Outlook Express. The Security Zones feature in IE enables customers to limit what web sites can do, and customers who have used the feature to prevent untrusted sites from invoking ActiveX controls would be at minimal risk from the web-based attack scenario. Customers who have applied the Outlook Security Update would be protected against the mail-borne scenario, since it moves mail into the Restricted Sites Zone, thereby preventing HTML mails from invoking ActiveX controls.
What's this bulletin about?
Microsoft Security Bulletin MS00-085 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. A malicious user could exploit the vulnerability to run code of his choice on another user's computer, via either of two scenarios. If the malicious user operated a web site, he could use the vulnerability to attack users who visited his site. If he did not operate a web site, he could send the user an HTML mail that would exploit the vulnerability when opened. The code would be capable of taking any action on the user's computer that the user himself could take. This would likely include adding, changing or deleting files, formatting the hard drive, communicating with a web site, or other actions.
The vulnerability could only be exploited if ActiveX controls were allowed to run. This means that customers who have applied the Outlook Security Update would be at no risk from the email-borne scenario, and customers who use IE's Security Zones could prevent the web-based scenario from succeeding.
What causes the vulnerability?
There is an unchecked buffer in an ActiveX control that ships as part of Windows 2000. By providing carefully-crafted parameters when invoking the control, it would be possible to cause code of the caller's choice to run via a buffer overrun.
Is this a flaw in the ActiveX technology?
No. This vulnerability has nothing to do with the ActiveX technology per se, nor does it have anything to do with the ActiveX security model. The vulnerability results because there is an unchecked buffer in a specific ActiveX control.
How could a malicious user exploit this vulnerability?
The vulnerability could be exploited via either of two scenarios:
- Web-based. A malicious web site operator could code a web page on his site that invokes the ActiveX control using a specially malformed parameter, simply for the purpose of overrunning the buffer. If he did this, and a person who visited his site had ActiveX enabled, the malicious web site operator could potentially make code of his choice run on the visitor's computer.
- Email-based. A malicious user could create an HTML mail that invoked the ActiveX control using the malformed parameter, and then mail it to someone. When the recipient opened it, it could run code of the sender's choice on the recipient's computer, if he had ActiveX enabled in the Security Zone that his mail runs in.
What could code run via this vulnerability do?
The code would run on the user's machine, in the user's security context. It could therefore do anything that the user himself could do. If the user were using an account with very limited privileges, the code might be able to do very little. On the other hand, if the user were running in an administrator account, there would be virtually nothing the code could not do.
This is one reason why Microsoft recommends that customers always adhere to the least privilege guideline. Especially when using systems like Windows 2000 that provide the ability to tightly regulate users' privileges, there is always a payoff to limiting users to having only the minimal privileges they need.
Buffer overruns usually also carry a denial of service threat. Does this one?
Generally, an unchecked buffer can be overrun in either of two ways. If overrun with random data, it can be used to cause the affected program to crash in a denial of service attack. Alternatively, if overrun with carefully-selected data, it can be used to run code.
In this case, both types of attack are feasible. However, the first case doesn't really pose a security risk. In such a case, the user's application (IE in the case of the web-based scenario; Outlook or Outlook Express in the case of the mail-based scenario) would crash, but the attack would have no other effect. The user could simply restart the application and resume normal operation.
How likely am I to be affected by this vulnerability?
For the case of the web-based scenario, it depends on your web browsing habits. The key thing to remember is that you have to visit a malicious web site in order to be affected by it. Most people visit a small number of familiar, professionally-operated web sites, and it's unlikely that such a site would pose any risk. Users who surf lots of unknown web sites would be at greater risk. However, Security Zones provide a great way to manage your risk, and we recommend that customers use them.
In the case of the mail-based scenario, it depends on what Security Zone you read mail in. If you read mail in the Restricted Zone, you would be at no risk from this vulnerability. The Outlook Security Update configures Outlook to read mail in the Restricted Zone by default.
How would Security Zones help protect me against the web-based scenario?
The Security Zones feature of IE allows you to categorize the web sites you visit and specify what the sites in a particular category should be allowed to do. Among the options you can choose is whether web sites in a zone should be able to use ActiveX controls. A malicious web site operator could only exploit this vulnerability if ActiveX controls are allowed to run in your browser for the zone his site falls into.
Microsoft recommends that customers routinely use the Security Zones feature. We recommend putting the sites that you visit frequently and trust into the Trusted Zone. All sites that you haven't otherwise categorized will reside in the Internet Zone. You can then configure the zones to give the appropriate privileges to the web sites in these zones.
How would Security Zones help protect me against the mail-borne scenario?
Both Outlook and Outlook Express allow you to select a Security Zone in which HTML mail will be opened. This subjects HTML mail to the same restrictions as a web site in that zone. As a general rule, it's a good idea to put mail in the Restricted Zone. The Outlook Security Update will do this for you automatically.
Could this vulnerability be exploited accidentally?
No. In order to exploit this vulnerability, a malicious user would need to carefully craft the malformed data and deliberately host it on his web site or send it via HTML mail to someone.
How common are buffer overrun vulnerabilities?
It's been estimated that anywhere from two-thirds to three-quarters of all computer security vulnerabilities involve a buffer overrun. They occur in all vendors' products, and are an industry problem. Microsoft is working hard to develop coding and testing methods that will reduce or eliminate buffer overrun vulnerabilities in its software.
Who should use the patch?
Microsoft recommends that Windows 2000 users consider applying the patch on any machine that is used for web browsing or email.
What does the patch do?
The patch eliminates the vulnerability by causing the control to check the length of all parameters before using them.
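The following is an added illustrative example, not the code of the affected control or of the patch, whose internals the bulletin does not publish. It models the flaw described under "What causes the vulnerability?" and the two outcomes described under the denial of service question (random filler leaves a bogus value behind the buffer; a carefully built parameter leaves a value of the attacker's choosing), beside the length check the patch adds. The object layout, the 32-byte buffer size, the "handler" field behind the buffer and both oversized sample parameters are assumptions constructed for the demo. The clamp in set_param_unchecked exists only to keep the demo within defined C behaviour; the real flaw has no such limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the control's state (the bulletin does not publish
 * the real layout): a fixed-size parameter buffer with another field right
 * behind it, standing in for whatever the real overrun clobbers. */
#define PARAM_BUF_SIZE 32
#define OBJ_SIZE       (PARAM_BUF_SIZE + 4)
#define LEGIT_HANDLER  0x00001234u

typedef struct { unsigned char mem[OBJ_SIZE]; } control_t;

static void init_control(control_t *ctl)
{
    uint32_t legit = LEGIT_HANDLER;
    memset(ctl->mem, 0, OBJ_SIZE);
    memcpy(ctl->mem + PARAM_BUF_SIZE, &legit, sizeof legit);
}

/* The field behind the buffer, read back as an integer. */
static uint32_t handler_field(const control_t *ctl)
{
    uint32_t v;
    memcpy(&v, ctl->mem + PARAM_BUF_SIZE, sizeof v);
    return v;
}

/* Before the patch: strcpy-style copy with no length check, so a long
 * parameter runs past the buffer into the next field. The clamp keeps the
 * demo within defined C behaviour; the real flaw has no such limit. */
static void set_param_unchecked(control_t *ctl, const char *param)
{
    size_t n = strlen(param) + 1;           /* value plus its NUL */
    if (n > OBJ_SIZE) n = OBJ_SIZE;         /* demo clamp only */
    memcpy(ctl->mem, param, n);
}

/* After the patch: the length is validated before anything is written. */
static int set_param_checked(control_t *ctl, const char *param)
{
    size_t n = strlen(param);
    if (n >= PARAM_BUF_SIZE)                /* no room for value plus NUL */
        return -1;                          /* reject; object untouched */
    memcpy(ctl->mem, param, n + 1);
    return 0;
}

/* Constructed oversized parameters: plain filler (the crash case) and one
 * that places 4 chosen bytes exactly in the next field (the code case). */
const char *garbage_param(void)
{
    static char buf[PARAM_BUF_SIZE + 9];    /* 40 filler bytes plus NUL */
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

const char *crafted_param(void)
{
    static char buf[PARAM_BUF_SIZE + 5];
    uint32_t wanted = 0x41424344u;          /* no zero bytes, so strlen sees it all */
    memset(buf, 'A', PARAM_BUF_SIZE);       /* filler up to the end of the buffer */
    memcpy(buf + PARAM_BUF_SIZE, &wanted, sizeof wanted);
    buf[PARAM_BUF_SIZE + 4] = '\0';
    return buf;
}

/* What the field behind the buffer holds after each version handles param. */
uint32_t unchecked_handler_after(const char *param)
{
    control_t ctl;
    init_control(&ctl);
    set_param_unchecked(&ctl, param);
    return handler_field(&ctl);
}

int checked_rc(const char *param)
{
    control_t ctl;
    init_control(&ctl);
    return set_param_checked(&ctl, param);
}

uint32_t checked_handler_after(const char *param)
{
    control_t ctl;
    init_control(&ctl);
    (void)set_param_checked(&ctl, param);
    return handler_field(&ctl);
}

int main(void)
{
    const char *samples[] = { "hello", garbage_param(), crafted_param() };
    for (int i = 0; i < 3; i++)
        printf("sample %d: unchecked field=%08x  checked field=%08x rc=%d\n", i,
               (unsigned)unchecked_handler_after(samples[i]),
               (unsigned)checked_handler_after(samples[i]), checked_rc(samples[i]));
    return 0;
}
```

With the benign parameter both versions leave the field at its legitimate value. With the filler the unpatched copy leaves 0x41414141 behind the buffer, the kind of value that crashes the hosting application when it is later used as a pointer; with the crafted parameter it leaves exactly 0x41424344, the attacker's choice. The patched copy rejects both oversized parameters before touching the object.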
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
Microsoft Knowledge Base (KB) article Q278511, http://support.microsoft.com/default.aspx?scid=kb;en-us;278511&sd=tech
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (November 2, 2000): Bulletin Created.
- V1.1 (February 28, 2003) : Updated link to Outlook Security Update in Frequently Asked Questions