-----Original Message----- From: UNIRAS (UK Govt CERT) Sent: 13 December 2002 10:19 To: [EMAIL PROTECTED] Subject: UNIRAS Brief - 444/02 - Microsoft - Flaw in Microsoft VM Could Enable System Compromise
-----BEGIN PGP SIGNED MESSAGE----- - ------------------------------------------------------------------------ ---------- UNIRAS (UK Govt CERT) Briefing Notice - 444/02 dated 13.12.02 Time: 10.20 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre) - ------------------------------------------------------------------------ ---------- UNIRAS material is also available from its website at www.uniras.gov.uk and Information about NISCC is available from www.niscc.gov.uk - ------------------------------------------------------------------------ ---------- Title ===== Microsoft Security Bulletin - MS02-069: Flaw in Microsoft VM Could Enable System Compromise Detail ====== - -----BEGIN PGP SIGNED MESSAGE----- - - ---------------------------------------------------------------------- Title: Flaw in Microsoft VM Could Enable System Compromise (810030) Date: 11 December 2002 Software: Microsoft VM Impact: Eight vulnerabilities, the most serious of which would enable an attacker to gain control over another user's system. Max Risk: Critical Bulletin: MS02-069 Microsoft encourages customers to review the Security Bulletins at: http://www.microsoft.com/technet/security/bulletin/MS02-069.asp http://www.microsoft.com/security/security_bulletins/ms02-069.asp. - - ---------------------------------------------------------------------- Issue: ====== The Microsoft VM is a virtual machine for the Win32(r) operating environment. The Microsoft VM shipped in most versions of Windows (a complete list is available in the FAQ), as well as in most versions of Internet Explorer. A new version of the Microsoft VM is available, which includes all previously released fixes for the VM, as well as fixes for eight newly reported security issues. The attack vectors for all of the new issues would likely be the same. An attacker would create a web page that, when opened, exploits the desired vulnerability, and either host it on a web page or send it to a user as an HTML mail. The newly reported security issues are as follows: - A security vulnerability through which an untrusted Java applet could access COM objects. By design, COM objects should only be available to trusted Java programs because of the functionality they expose. COM objects are available that provide functionality through which an attacker could take control of the system. - A pair of vulnerabilities that, although having different underlying causes, would have the same effect, namely, disguising the actual location of the applet's codebase. By design, a Java applet that resides on user storage or a network share has read access to the folder it resides in and all folders below it. The vulnerabilities provide methods by which an applet located on a web site could misrepresent the location of its codebase, to indicate that it resided instead on the user's local system or a network share. - A vulnerability that could enable an attacker to construct an URL that, when parsed, would load a Java applet from one web site but misrepresent it as belonging to another web site. The result would be that the attacker's applet would run in the other site's domain. Any information the user provided to it could be relayed back to the attacker. - A vulnerability that results because the Microsoft VM doesn't prevent applets from calling the JDBC APIs - a set of APIs that provide database access methods. By design, these APIs provide functionality to add, change, delete or modify database contents, subject only to the user's permissions. - A vulnerability through which an attacker could temporarily prevent specified Java objects from being loaded and run. A legacy security mechanism known as the Standard Security Manager provides the ability to impose restrictions on Java applets, up to and including preventing them from running altogether. However, the VM does not adequately regulate access to the SSM, with the result that an attacker's applet could add other Java objects to the "banned" list. - A vulnerability through which an attacker could learn a user's username on their local system. The vulnerability results because one particular system property, user.dir, should not be available to untrusted applets but, through a flaw, is. While knowing a username would not in itself pose a security risk, it could be useful for reconnaissance purposes. - A vulnerability that results because it's possible for a Java applet to perform an incomplete instantiation of another Java object. The effect of doing so would be to cause the containing application - Internet Explorer - to fail. Mitigating Factors: ==================== All of the vulnerabilities share a pair of common mitigating factors: - The web-based attack vector would be blocked if the user had disabled Java applets in the Internet Explorer security zone in which the attacker's web site rendered. - The email vector would be blocked if the user were running any of several mail clients. Specifically, Outlook Express 6 and Outlook 2002 (which ships as part of Office XP) disable Java by default, and Outlook 98 and 2000 disable it if the Outlook Email Security Update has been installed. COM Object Access Vulnerability: - The vulnerability represents a target of opportunity only. The attacker would have no means of ensuring that sensitive data would be located in system memory, cookies, the clipboard, or other locations. CODEBASE Spoofing Vulnerabilities: - The attacker's access to files, including those on remote shares, would be limited to those of the user. If the user had only limited permissions, so would the attacker. Domain Spoofing Vulnerability: - The vulnerability could only be exploited if the user visited the attacker's site en route to visiting a third-party site. - The effect of exploiting the vulnerability would apply only to the current web session. JDBC API Vulnerability: - To exploit this vulnerability, the attacker would need to know the names of each data source he or she wanted to access. In most cases, this would require the attacker to have insider knowledge of the user's network. - The attacker would gain only the user's own permissions to the data sources. For instance, if the user had only read access to a particular database, so would the attacker. Standard Security Manager Access Vulnerability: - The effect of exploiting this vulnerability would only persist during the current browser session. - The vulnerability provides no means of modifying an applet's functioning - only preventing it from running. User.dir Exposure Vulnerability: - Knowing a user's username would not, by itself, enable an attacker to take any action against the user. The sole value in learning this information would be for reconnaissance purposes, in the hope of using it in some future, unspecified attack. Incomplete Java object Instantiation Vulnerability: - This vulnerability would only enable the attacker to cause Internet Explorer to fail - it would not enable the attacker to cause Windows itself, or any other applications, to fail. - The user could restore normal operation by restarting the browser. Risk Rating: ============ - COM Object Access Vulnerability: Critical - CODEBASE Spoofing Vulnerabilities: Important - Domain Spoofing Vulnerability: Moderate - JDBC API Vulnerability: Moderate - Standard Security Manager Access Vulnerability: Low - User.dir Exposure Vulnerability: Low - Incomplete Java object Instantiation Vulnerability: Low Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-069.asp for information on obtaining this patch. - - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. - -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPfe8II0ZSRQxA/UrAQE+wAf/WdruD788OEm/Gg3SAhJv9VLRfQ7ck+3F Q6e6hh21UmJmGXMtlsUzNyccvK0fELA352i6L0KCc8yJs5NQPDDqVVZ2bOFr+QiU 8KMLAptr2TfAlb3zNhUGQuTxnGIfzLKoaRz3dtal3FLWV4UoyOMTh5KiX/I9O+wH Vr1X7i9Ii+I4tR/56Ew0e+L5KoKR9W7SI/rdKogRBPoSQ0OcnVtY6+bm9SK6+49z 5YI+3N5kYCpyBtIKfP5kRQ2AdO1nB9Ezar4f2kI3zrlvp4+znPSBhLjmrODXpKfv hRGbueA+jZ+J5lDsDgXe9qFfp3Z9crMSUQvdovhZeaBBBdhIVrBCNQ== =xtJ0 - -----END PGP SIGNATURE----- Reprinted with permission of Microsoft Corporation. - ------------------------------------------------------------------------ ---------- For additional information or assistance, please contact the HELP Desk by telephone or Not Protectively Marked information may be sent via EMail to: [EMAIL PROTECTED] Tel: 020 7821 1330 Ext 4511 Fax: 020 7821 1686 - ------------------------------------------------------------------------ ---------- UNIRAS wishes to acknowledge the contributions of Microsoft for the information contained in this Briefing. - ------------------------------------------------------------------------ ---------- This Briefing contains the information released by the original author. Some of the information may have changed since it was released. If the vulnerability affects you, it may be prudent to retrieve the advisory from the canonical site to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. Neither UNIRAS or NISCC shall also accept responsibility for any errors or omissions contained within this briefing notice. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this notice. UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large. - ------------------------------------------------------------------------ ---------- <End of UNIRAS Briefing> -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQCVAwUBPfmzropao72zK539AQFmVwP/Wuc4veqggGUTmJ7+xI6cvLsluHvITWPI GSSyksdniQvNB1oN4oMNS87sEwrcJ/PKWgsNp/9lXHYh+j+eqeJEg4qpCnHeVXuS cDkOoQou9yROq/rVOTbEkvBlv1DBtTR7uNvzD7KQD6FS3J2gqcrgAO+JnUsnRxba JR48J0PDpzg= =WePz -----END PGP SIGNATURE----- IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk