Archive of CERT general posting, CERT Advisory CA-2000-07

25/05/00, CERT Advisory CA-2000-07
From: CERT Advisory <cert-advisory@cert.org>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: cert-advisory@cert.org
Subject: CERT Advisory CA-2000-07
From: CERT Advisory <cert-advisory@cert.org>
Date: Wed, 24 May 2000 16:04:53 -0400 (EDT)
Organization: CERT(R) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-2000-07 Microsoft Office 2000 UA ActiveX Control
Incorrectly Marked "Safe for Scripting"

   Original release date: May 24, 2000
   Last revised: --
   Source: CERT/CC
   
   A complete revision history is at the end of this file.
   
Systems Affected

     * Systems with Internet Explorer and Microsoft Office 2000
       components, including
       
     * Word 2000
     * Excel 2000
     * PowerPoint 2000
     * Access 2000
     * Photodraw 2000
     * FrontPage 2000
     * Project 2000
     * Outlook 2000
     * Publisher 2000
     * Works 2000 Suite
       
Overview

   The Microsoft Office 2000 UA ActiveX control is incorrectly marked as
   "safe for scripting". This vulnerability may allow an intruder to
   disable macro warnings in Office products and, subsequently, execute
   arbitrary code. This vulnerability may be exploited by viewing an HTML
   document via a web page, newsgroup posting, or email message.
   
I. Description

   Microsoft and L0pht Research Labs have recently published advisories
   describing a vulnerability in the Microsoft Office 2000 UA ActiveX
   control. Due to the severity of this vulnerability, we are issuing a
   CERT advisory to help reach as broad an audience as possible.
   
ActiveX Overview

   ActiveX controls are highly portable Component Object Model (COM)
   objects, used extensively throughout Microsoft Windows platforms, and
   especially in web-based applications. COM objects, including ActiveX
   controls, can invoke each other through interfaces defined by the COM
   architecture. The COM architecture allows for interoperability among
   binary software components produced in disparate ways.
   
   ActiveX controls can also be invoked from web pages through the use of
   a scripting language or directly with an OBJECT tag. If an ActiveX
   control is not installed locally, it is possible to specify a URL
   where the control can be obtained. Once obtained, the control installs
   itself automatically if permitted by the browser. Once it is
   installed, it can be invoked without the need to be downloaded again.
   
   ActiveX controls can be signed or unsigned. A signed control provides
   a high degree of verification that the control was produced by the
   signer and has not been modified. Signing does not guarantee the
   benevolence, trustworthiness, or competence of the signer; it only
   provides assurance that the control originated from the signer.
   
   ActiveX controls are binary code capable of taking any action that the
   user can take. They do not run in a "sandbox" of any kind. Because of
   this, it is important to have a high degree of trust in the author of
   the control. The CERT/CC recommends against installing any unsigned
   controls.
   
   Controls can also be marked as "safe for scripting" indicating that is
   is permissible to invoke the control from a script contained in a web
   page, using data and parameters provided by that page. In essence, a
   control marked "safe for scripting" is an assertion by the author that
   the control has implemented its own "sandbox" and cannot be used by an
   intruder to damage or compromise your system. Because you must rely on
   the author of the control to implement this "sandbox" correctly,
   controls marked as "safe for scripting" require an especially high
   degree of trust.
   
   ActiveX controls are managed by the Windows registry, and it is
   cumbersome to audit them or examine their properties without the use
   of a specialized tool. One such tool is the OLE/COM Object Viewer
   (oleview.exe) included with the Windows NT Resource Kit. More
   information on oleview is available at
   
   http://www.microsoft.com/Com/resources/oleview.asp
          
   More information about ActiveX and COM can be found at
   
   http://www.microsoft.com/com
          
The Microsoft Office 2000 UA ActiveX Control

   The UA ActiveX control implements the "Show Me" feature of the
   interactive help system. Because the control is incorrectly marked
   "safe for scripting", a malicious web author may use the UA ActiveX
   control to script interactions that result in reduced security, such
   as activating the dialog box for "Macro Security Setting" and
   selecting the least secure choice. The control is correctly signed by
   Microsoft.
   
Other Advisories and Information

   L0pht Research Labs and @Stake Inc. published an advisory describing
   this vulnerability. They also produced a proof-of-concept exploit.
   These documents are available from the L0pht web site:
   
   http://www.l0pht.com/advisories/msoua.txt
          
   Microsoft has published a security bulletin, an FAQ, and a
   knowledgebase article describing this vulnerability. These documents
   are available from Microsoft's web site:
   
   http://microsoft.com/technet/security/bulletin/ms00-034.asp
          http://microsoft.com/technet/security/bulletin/fq00-034.asp
          http://microsoft.com/technet/support/kb.asp?ID=262767
          
II. Impact

   The Office 2000 UA control is able to perform a wide variety of
   actions within the Microsoft Office Product Suite, including
     * Launch Internet Explorer
     * Launch Microsoft Outlook
     * Launch Microsoft Visual Basic
     * Disable macro virus protection
     * Save files
       
   Perhaps the most significant impact is the ability to set Macro Virus
   Protection to "Low", disabling warnings about malicious macro activity
   in future documents. An intruder can exploit this vulnerability to
   disable these warnings and then link directly to another Office
   document that contains malicious macros. The macros in the second
   document will run without confirmation and may take essentially any
   action desired by the intruder.
   
   Calls to the vulnerable control may originate in script or OBJECT tags
   in web pages, newsgroup postings, or email messages.
   
   As suggested by L0pht, this virus could be incorporated into an
   electronic mail virus such as LoveLetter or Melissa. Note that
   exploitation of this vulnerability under the default configuration of
   Internet Explorer 5 and Microsoft Outlook 2000 does not require the
   user to open any attachments or confirm any warning dialogs.
   
III. Solution

Apply a patch

   Microsoft has produced a patch to correct this vulnerability. The
   patch sets the "kill bit" for the vulnerable control and installs a
   new control. The new control is similar to the original but lacks the
   dangerous functionality. The new control is also marked "safe for
   scripting".
   
   As a result of the removed functionality, the "Show Me" and "pop-up"
   features of Office help will no longer function.
   
   The patch is available through Office Update at
   
   http://officeupdate.microsoft.com/info/ocx.htm
          
Limit Exposure to Vulnerability via Email

   Since many e-mail applications provide the ability to start your web
   browser automatically, you may wish to reduce your exposure via mail
   messages by disabling scripting languages in your email client.
   
The Restricted Zone and Active Scripting

   Microsoft suggests in their advisory to configure Outlook to view mail
   in the Restricted Zone. While this is certainly good advice, it is not
   sufficient to protect you from exploitation of this vulnerability if
   the patch for the Office 2000 UA control has not been applied.
   
   Because the Restricted Zone still allows the execution of scripts, an
   intruder can send you an email message which when viewed starts
   Internet Explorer and immediately exploits the vulnerability. To
   protect against this scenario, and others like it, you may wish to
   disable Active Scripting in the Restricted Zone.
   
   Instructions for changing Outlook to use the Restricted Zone are
   available in Microsoft's FAQ on this topic. Instructions for disabling
   Active Scripting in the Restricted Zone are similar to those at
   
   http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps
          
   Note that these changes may result in reduced functionality in
   Internet Explorer and Outlook.
   
Microsoft Outlook Security Update

   Installing the Microsoft Outlook 2000 E-Mail Security Update will
   modify Outlook to use the Restricted Zone as suggested previously. It
   also limits which attachment file types are displayed in Outlook
   messages, and adds new prompts for accessing the address book or
   sending email messages. While none of these changes will protect you
   completely from the Office 2000 UA vulnerability described in this
   advisory, the update may significantly reduce the chance of the
   vulnerability being exploited successfully on your system by a worm
   propagating via Outlook.
   
   More information about the Outlook 2000 E-Mail Security Update is
   available from
   
   http://www.officeupdate.com/2000/downloadDetails/Out2ksec.htm
          
Other Email Clients

   If you use Internet Explorer as your web browser, you may wish to
   disable JavaScript or other scripting languages in your email client
   to prevent an email message from starting IE and exploiting this
   vulnerability.
   
Appendix A. Vendor Information

Microsoft Corporation

   Microsoft has published a security bulletin, an FAQ, and a
   knowledgebase article describing this vulnerability. These documents
   are available from Microsoft's web site:
   
   http://microsoft.com/technet/security/bulletin/ms00-034.asp
          http://microsoft.com/technet/security/bulletin/fq00-034.asp
          http://microsoft.com/technet/support/kb.asp?ID=262767
     _________________________________________________________________
   
   The CERT Coordination Center thanks L0pht Research Labs and @Stake for
   initially discovering and reporting this vulnerability. We also thank
   the Microsoft Security Team for their assistance in preparing this
   advisory.
     _________________________________________________________________
   
   Cory Cohen and Shawn Hernan were the primary authors of this document.
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/advisories/CA-2000-07.html
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.
          
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
   http://www.cert.org/CERT_PGP.key
       
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site
   
   http://www.cert.org/
       
   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.
   
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________
   
   Conditions for use, disclaimers, and sponsorship information
   
   Copyright 2000 Carnegie Mellon University.
   
   Revision History
May 24, 2000:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOSwsnFr9kb5qlZHQEQKdHACff3k1ASGTddS0kyoTWjHoJ1F2OSQAnR7z
R4KtbZMTnbdV3BYntGNbyFxn
=HKK9
-----END PGP SIGNATURE-----



Previous message sorted by date: CERT Advisory CA-2000-06
Next message sorted by date: CERT Advisory CA-2000-08
Previous message sorted by thread: CERT Advisory CA-2000-06
Next message by thread: CERT Advisory CA-2000-08
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: May 2000