Sorry for the OT, but I just received this flash and felt that
people should be aware...

Since many of you use Access, both locally and on webservers, this
may be fairly important.

This vulnerability can allow a program from _elsewhere_ on the net to
run on _your_ system.

Steve

>I am forwarding this note to you as a FLASH because the vulnerability
>it describes is probably the most dangerous programming error in Windows
>workstation (all varieties -- 95, 98, 2000, NT 4.0) that Microsoft has
>made.
>
>You are vulnerable to total compromise simply by previewing or reading
>an email (without opening any attachments) if you have one of the
>affected operating systems and have the following installed:
>* Microsoft Access 97 or 2000
>* Internet Explorer 4.0 or higher, including 5.5 (Windows 2000 includes
>  IE 5)
>
>SANS Prize: It may be possible to fix this vulnerability automatically,
>via an email without asking every user to take action.  The concept is
>similar to using a slightly modified version of a virus to provide
>immunity against infection. SANS is offering a $500 prize (and a few
>minutes of fame) to the first person who sends us a practical automated
>solution that companies can use, quickly, easily, and (relatively)
>painlessly to protect all vulnerable systems.
>
>                AP
>
>
>By: Jesper Johansson, Assistant Professor, Boston University, and
>Editor, SANS Windows Security Digest
>
>This is a special issue of the SANS Windows Security Digest. On June 27
>Georgi Guninski posted an exploit using Access 2000 to exploit Windows
>98.  We developed this exploit further and realized that this is one of
>the most serious exploits of Windows workstations in the last several
>years.  Microsoft asked us to not release the details until they had a
>fix. On July 14, 2000, they posted a workaround for this issue, and we
>now bring you this update.
>
>MS00-049 - Patch Available for "The Office HTML Script" Vulnerability
>and a Workaround for "The IE Script" Vulnerability
>
>The bulletin actually discusses two separate issues. We consider the
>Access issue much more serious than the other issue so we will cover
>that first.
>
>Internet Explorer allows the use of an object tag to load an ActiveX
>control. The data property of the object tag is the ActiveX control to
>be loaded. An ActiveX control is normally some executable. However,
>Microsoft Office documents are also ActiveX controls. In a default
>installation, ActiveX controls load silently, without prompting the
>user, thus automatically executing the exploit.
>
>Internet Explorer can be configured to prompt the user about whether to
>load ActiveX controls. However, there is a serious bug in the prompting
>that appears to only surface when the requested control is a Microsoft
>Access database file (.MDB file). The order of events with MDB files
>is:
>
>1. User opens a web page with an Object tag
>2. IE downloads database and calls Access to open the database
>3. IE prompts user whether to open the database
>4. User clicks No
>5. IE displays an error message stating that some code on this page is
>   unsafe
>
>As can be seen from this sequence of events, the order of execution is
>wrong. IE actually opens the Access database BEFORE it asks the user
>whether to open it. Assume now that the user has disabled execution of
>ActiveX controls entirely. The following sequence of events would occur:
>
>1. User opens a web page with Object tag
>2. IE downloads database and calls Access to open the database
>3. IE informs user that some code on this page is unsafe
>
>Again, the database is opened before IE checks whether to execute
>ActiveX controls.
>
>Microsoft calls this issue the "IE Script" vulnerability. That title is
>misleading because it implies that if Active Scripting is disabled, the
>exploit would not work. This is not true. The exploit does not rely on
>scripting, and therefore disabling scripting has no effect on this
>exploit.
>
>Furthermore, this is very easy to exploit through HTML e-mail. In fact,
>most popular e-mail programs, such as Outlook, Outlook Express, and
>Eudora have a preview pane. That preview pane will display HTML in an
>HTML formatted e-mail message. The interpreter used for these programs
>is Internet Explorer. Hence, this exploit will also work through HTML
>formatted e-mail.  Thus the user need not open the e-mail, nor download
>anything for this to work. In addition, if this is the only e-mail in
>the user's Inbox, the exploit will execute as soon as the e-mail is
>received.
>
>This is a very serious problem given the power of the Visual Basic for
>Applications (VBA) language used in Access. Access can run VBA code when
>the database is opened. We successfully made Access connect to a Windows
>Networking (CIFS) file share on the Internet and ran a program from
>there.  Thus the malicious program that an attacker wants to run does
>not need to reside on the user's machine.
>
>VULNERABLE SYSTEMS
>
>All Windows Systems (Windows 2000, NT 4.0, 98 and 95) with all of the
>following installed:
>* Microsoft Access 97 or 2000
>* Internet Explorer 4.0 or higher, including 5.5 (Windows 2000 includes
>  IE 5)
>* Systems with Outlook, Outlook Express, Eudora, or another mail reader
>  that uses IE to render HTML are also vulnerable to exploiting this
>  through e-mail
>
>
>WORKAROUND
>We recommend several steps to work around this issue:
>
>1. Ensure that an exploit such as this cannot run malicious programs on
>the Internet. This is done by blocking outgoing Windows File Sharing at
>the firewall. To do so, block outgoing traffic to ports UDP 138, UDP
>and TCP 139, and UDP and TCP 445.
>2. Apply the Microsoft workaround to all installations of Microsoft
>Access under your control. The steps to do so are:
>a. Start Access 2000 but don't open any databases
>b. From the Tools menu, choose Security
>c. Select User and Group Accounts
>d. Select the Admin user, which should be defined by default
>e. Go to the Change Logon Password tab
>f. The Admin password should be blank if it has never been changed
>g. Assign a password to the Admin user
>h. Click OK to exit the menu
>3. Apply the Outlook E-Mail security update, available on
>http://officeupdate.microsoft.com if you use Outlook 98 or 2000.
>4. Set Outlook Express or Eudora to read e-mail in the Restricted Sites
>zone and then disable everything in that zone.
>
>Steps 3 and 4 have no effect on the current issue, but are good security
>practice.
>
>Office HTML Script Vulnerability
>
>The second issue discussed in this bulletin also involves using Office
>components as ActiveX controls, although it is not as serious as the
>Access issue discussed above. Excel 2000 and PowerPoint 97 and 2000 can
>be scripted from inside IE to save a file to an arbitrary location on
>the user's hard drive as long as the user has access to that location.
>This would enable an attacker to save files to locations such as the
>Startup folder in the user's profile.
>
>This vulnerability is not exploitable if Active Scripting and/or Running
>ActiveX controls is disabled. Therefore, it is considerably less
>dangerous than the Access problem. The root cause of this problem is
>that Excel and PowerPoint files are marked as safe for scripting. The
>patch marks them as unsafe for scripting.
>
>VULNERABLE SYSTEMS
>
>All Windows Systems (Windows 2000, NT 4.0, 98 and 95) with all of the
>following installed:
>* Microsoft Excel 2000 or PowerPoint 97 or 2000
>* Internet Explorer 4.0 or higher, including 5.5
>* Systems with Outlook, Outlook Express, Eudora, or another mail reader
>  that uses IE to render HTML are also vulnerable to exploiting this
>  through e-mail
>
>FIX
>Microsoft has made a fix available. It is available from the following
>locations:
>
>* Office Update
>http://officeupdate.microsoft.com
>* Microsoft Excel 2000 and PowerPoint 2000:
>http://officeupdate.microsoft.com/2000/downloaddetails/Addinsec.htm
>* Microsoft PowerPoint 97:
>http://officeupdate.microsoft.com/downloaddetails/PPt97sec.htm
>
>For more information see:
>* Microsoft Security Bulletin MS00-049
>http://www.microsoft.com/technet/security/bulletin/MS00-049.asp
>* Frequently Asked Questions: Microsoft Security Bulletin MS00-049
>http://www.microsoft.com/technet/security/bulletin/fq00-049sp
>* Microsoft Knowledge Base (KB) article Q268365 "XL2000: Update
>Available for HTML Script Vulnerability"
>http://www.microsoft.com/technet/support/kb.asp?ID=268365
>* Microsoft Knowledge Base (KB) article Q268457 "PPT2000: Update
>Available for HTML Script Vulnerability"
>http://www.microsoft.com/technet/support/kb.asp?ID=268457
>* Microsoft Knowledge Base (KB) article Q268477 "PPT97: Update Available
>for HTML Script Vulnerability"
>http://www.microsoft.com/technet/support/kb.asp?ID=268477
>
>There is no Knowledge Base article on the Access issue yet.
>

--
Stephen Garrett
GPS
[EMAIL PROTECTED]           (360) 896-2714
ICQ# 10776767
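
The forwarded digest says the trigger is an HTML object tag whose data property names an Access .MDB file, and that HTML mail rendered by IE is a delivery path. As an added example (not part of the original post or of the SANS digest), here is a mail-gateway style check in Python that walks a message's HTML parts and reports such references; the function names, the sample messages and the `.invalid` hostname are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class ObjectDataCollector(HTMLParser):
    """Collect the data attribute of every <object> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling us.
        if tag == "object":
            self.refs += [v.strip() for k, v in attrs if k == "data" and v]


def mdb_object_refs(raw_message):
    """Return <object data=...> references in HTML parts that name an .mdb file."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ObjectDataCollector()
        collector.feed(part.get_content())
        collector.close()
        # Compare the URL path only, so a query string cannot hide the extension.
        hits += [r for r in collector.refs
                 if urlparse(r).path.lower().endswith(".mdb")]
    return hits


def build_sample(html):
    """Constructed test message: a plain-text part plus an HTML alternative."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain text part")
    m.add_alternative(html, subtype="html")
    return m.as_bytes()


# Constructed inputs; the hostname uses the reserved .invalid TLD.
FLAGGED = build_sample('<html><body><OBJECT DATA="http://files.example.invalid/q3.MDB"></OBJECT></body></html>')
BENIGN = build_sample('<html><body><object data="chart.svg"></object><p>see notes.mdb</p></body></html>')

if __name__ == "__main__":
    print(mdb_object_refs(FLAGGED), mdb_object_refs(BENIGN))
```

A gateway would quarantine or strip any message for which the list is non-empty; a mention of an .mdb name in body text alone is not flagged.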
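
Workaround step 1 in the forwarded digest is to block outgoing Windows File Sharing at the firewall (UDP 138, UDP and TCP 139, UDP and TCP 445). As an added example (not from the original post), this Python check audits firewall flow records for file-sharing traffic that was still allowed out; the log format `action proto src dst dport`, the RFC 1918 internal ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Ports named in workaround step 1, as (protocol, destination port).
FILE_SHARING = {("udp", 138), ("udp", 139), ("tcp", 139),
                ("udp", 445), ("tcp", 445)}

# Assumption: the site uses RFC 1918 address space internally.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def leaked_file_sharing(log_lines):
    """Return allowed inside-to-outside flows on the file-sharing ports."""
    leaks = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        action, proto, src, dst, dport = fields
        proto = proto.lower()
        if action.lower() != "allow" or not dport.isdigit():
            continue
        outbound = is_internal(src) and not is_internal(dst)
        if outbound and (proto, int(dport)) in FILE_SHARING:
            leaks.append((src, dst, proto, int(dport)))
    return leaks


# Constructed flow records; external addresses are documentation ranges.
SAMPLE_LOG = """\
allow tcp 10.1.4.22 203.0.113.9 445
deny tcp 10.1.4.22 203.0.113.9 139
allow tcp 10.1.4.22 10.1.9.5 445
allow udp 192.168.7.3 198.51.100.40 138
allow tcp 10.1.4.30 198.51.100.40 443
""".splitlines()

if __name__ == "__main__":
    for leak in leaked_file_sharing(SAMPLE_LOG):
        print("egress rule gap:", leak)
```

Internal-to-internal file sharing and denied flows are ignored, so any record returned points at a gap in the egress rule set.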