Archive of CERT general posting, CERT Advisory CA-2000-16

12/08/00, CERT Advisory CA-2000-16
From: CERT Advisory <cert-advisory@cert.org>



To: cert-advisory@cert.org
Subject: CERT Advisory CA-2000-16
From: CERT Advisory <cert-advisory@cert.org>
Date: Fri, 11 Aug 2000 15:36:08 -0400 (EDT)
Organization: CERT(R) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-2000-16 Microsoft 'IE Script'/Access/OBJECT Tag
Vulnerability

   Original release date: August 11, 2000
   Last revised: --
   Source: CERT/CC
   
   A complete revision history is at the end of this file.
   
Systems Affected

     * Internet Explorer 4.x, 5.x
     * Microsoft Access 97 or 2000
       
Overview

   Under certain conditions, Internet Explorer can open Microsoft Access
   database or project files containing malicious code and execute the
   code without giving a user prior warning. Access files that are
   referenced by OBJECT tags in HTML documents can allow attackers to
   execute arbitrary commands using Visual Basic for Applications (VBA)
   or macros.
   
   A patch which protects against all known variants of attack exploiting
   this vulnerability is now available. A workaround which was previously
   suggested provided protection against one specific publicly-available
   exploit using .mdb files but did not protect against attack using many
   other Access file types. (See Appendix B for a complete list of file
   types.)
   
I. Description

   Last month, a workaround for the "IE Script" vulnerability was
   described in Microsoft Security Bulletin MS00-049: Subsection
   "Workaround for 'The IE Script' Vulnerability." Microsoft has just
   re-released MS00-049, which now includes information about a patch for
   this vulnerability. The CERT Coordination Center is issuing this
   advisory to raise awareness in the Internet community about the need
   to apply this patch to protect IE users against all variants of
   attacks which can exploit this particular vulnerability.
   
Initial Findings

   Many of the initial public details about the vulnerability were
   discussed on the SecurityFocus Bugtraq mailing list, as well as in a
   SANS Flash Advisory:
   
        http://www.securityfocus.com/bid/1398
        http://www.sans.org/newlook/resources/win_flaw.htm
          
   This vulnerability in IE can be used to open Access data or project
   files. (See Appendix B for a complete list of file types.) Visual
   Basic for Applications (VBA) code embedded within these files will then
   execute. If a warning message appears (depending on the security
   settings in IE), it will only do so after the code has been run.
   
   Attackers exploit this vulnerability by placing OBJECT tags in HTML
   files posted on malicious Web sites or transmitted via email or via
   newsgroup postings. The OBJECT tag can look like

        <OBJECT data="database.mdb" id="d1"></OBJECT>

   Note, however, the file extension does not have to be .mdb; an
   attacker may use any of the ones listed in Appendix B.
   
   The Access file can then open before any warning messages are
   displayed, regardless of the default security settings in either IE or
   Access. Since Access files can contain VBA or macro code executed upon
   opening the file, arbitrary code can be run by a remote intruder on a
   victim machine without prior warning.
   
   While this is not an ActiveX issue per se, since all Microsoft Office
   documents are normally treated like ActiveX controls, by default
   Microsoft Access files are treated as unsafe for scripting within the
   IE Security Zone model. This vulnerability, however, can be used to
   reference an Access file and execute VBA or macro code even if
   scripting has been disabled in Internet Explorer.
   
Other Vulnerable OBJECT tag extensions

   In Microsoft Security Bulletin MS00-049, Microsoft initially provided
   a workaround for this vulnerability which involved setting the Admin
   password in MS Access. However, unlike with Access data files, setting
   the Admin password will not protect against exploits using project
   files (.ade, .adp). (See Appendix B.)
   
   Because Access project files rely on SQL backends to authenticate
   their requests, project files created without SQL content can bypass
   the default authentication for such requests in MS Access. For more
   information regarding Access project files, see
   
	http://msdn.microsoft.com/library/techart/acaccessprojects.htm
          
II. Impact

   A remote intruder can send malicious HTML via an email message,
   newsgroup posting, or downloaded Web page and may be able to execute
   arbitrary code on a victim machine.
   
III. Solution

Apply the patch provided by Microsoft

   Microsoft has released the following patch which addresses the "IE
   Script" vulnerability, as well as others:
   
	http://www.microsoft.com/windows/ie/download/critical/patch11.htm
          
   Please see MS00-055 "Patch Available for 'Scriptlet Rendering'
   Vulnerability" for additional information regarding other issues
   addressed by this patch:
   
	http://www.microsoft.com/technet/security/bulletin/ms00-055.asp
          
   Note that the OBJECT tag issues addressed by MS00-049, MS00-055, and
   this advisory are separate from those addressed by the recently
   released MS00-056: "Patch Available for 'Microsoft Office HTML Object
   Tag' Vulnerability."
   
   Microsoft's initial workaround for this issue was for users to set the
   Admin password for Access. Since Access does not allow a user to
   disable VBA code embedded in Access data and project files, the CERT
   Coordination Center recommends that users follow the suggested
   workaround and set the Admin password even after the patch for this
   vulnerability has been applied.
   
   Appendix A contains information provided by vendors for this advisory.
   We will update the appendix as we receive more information. If you do
   not see your vendor's name, the CERT/CC did not hear from that vendor.
   Please contact your vendor directly.
   
Appendix A. Vendor Information

Microsoft Corporation

   Microsoft has published the following documents regarding this issue:
   
        http://www.microsoft.com/technet/security/bulletin/ms00-049.asp
        http://www.microsoft.com/technet/security/bulletin/fq00-049.asp
        http://www.microsoft.com/technet/support/kb.asp?ID=269368
          
Appendix B. Additional Information

   The full list of OBJECT tag extensions which may be used to exploit
   this vulnerability is listed below:

     * .adp - Microsoft Access project file
     * .ade - ADP file with all modules compiled and all editable source
              code removed

     * .mdb - Microsoft Access database file
     * .mde - MDB file with all modules compiled and all editable source
              code removed
     * .mda - Microsoft Access VBA add-in

     * .mdw - Microsoft Access workgroup information file; synonym for
              the system database used to store group and user account
              names and the passwords used to authenticate users when
              they log on to an Access database or MDE file secured
              with user-level security
       
   The patch provided by Microsoft addresses all the file extensions
   identified above.
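
   One way to flag the OBJECT tags described in this advisory at a mail
   gateway or proxy, checking the data attribute against the Appendix B
   extensions. This is an added example, not part of the CERT advisory;
   the names scan_html and ObjectTagScanner and the sample HTML are
   assumptions made for illustration.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Extensions listed in Appendix B of the advisory.
ACCESS_EXTENSIONS = {".adp", ".ade", ".mdb", ".mde", ".mda", ".mdw"}

# Constructed sample input; only the first OBJECT tag is taken from the advisory.
SAMPLE_HTML = """<html><body>
<OBJECT data="database.mdb" id="d1"></OBJECT>
<object DATA="http://example.test/files/report.MDE?v=1" id="d2"></object>
<object data="project.%61dp"></object>
<object data="chart.png" type="image/png"></object>
</body></html>"""


class ObjectTagScanner(HTMLParser):
    """Records OBJECT tags whose data attribute names an Access file."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, raw data value, matched extension)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        data = dict(attrs).get("data") if tag == "object" else None
        if not data:
            return
        try:
            # Look only at the URL path so a query string or fragment
            # cannot hide the extension, then undo percent-encoding.
            path = unquote(urlsplit(data.strip()).path)
        except ValueError:
            path = data  # unparseable URL: fall back to the raw value
        ext = posixpath.splitext(path.replace("\\", "/"))[1].lower()
        if ext in ACCESS_EXTENSIONS:
            self.findings.append((self.getpos()[0], data, ext))


def scan_html(html):
    """Return findings for one HTML document (mail body or web page)."""
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for line, data, ext in scan_html(SAMPLE_HTML):
        print(f"line {line}: OBJECT data={data!r} references an Access file ({ext})")
```

   The check matches on file extension only, as listed in Appendix B, so
   it complements the Microsoft patch rather than replacing it.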
   
   Please consult the following resources for further information
   regarding the other file types involved in exploiting this
   vulnerability:

     * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#adefile
     * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#adpfile
     * http://msdn.microsoft.com/library/officedev/off2000/defAddIn.htm
     * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#mdbfile
     * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#mdefile
     * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#workgroupinformationfile
       _____________________________________________________________
       
       The CERT Coordination Center thanks Timothy Mullen, Alan Paller
       and the SANS Research Office, and the Microsoft Security Response
       Center for their help in developing this advisory.
       _____________________________________________________________
       
       Author: Jeffrey S. Havrilla
       __________________________________________________________________
       
       This document is available from:

	    http://www.cert.org/advisories/CA-2000-16.html
       __________________________________________________________________
       
CERT/CC Contact Information
       
       Email: cert@cert.org
       Phone: +1 412-268-7090 (24-hour hotline)
       Fax: +1 412-268-6989
       Postal address:
                CERT Coordination Center
                Software Engineering Institute
                Carnegie Mellon University
                Pittsburgh PA 15213-3890
                U.S.A.
                
       CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

Using encryption

       We strongly urge you to encrypt sensitive information sent by
       email. Our public PGP key is available from
       
	http://www.cert.org/CERT_PGP.key
       
       If you prefer to use DES, please call the CERT hotline for more
       information.
   
Getting security information

       CERT publications and other security information are available
       from our web site
   
	http://www.cert.org/
       
       To be added to our mailing list for advisories and bulletins,
       send email to cert-advisory-request@cert.org and include
       SUBSCRIBE your-email-address in the subject of your message.
   
 * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________
   
   Conditions for use, disclaimers, and sponsorship information
   
   Copyright 2000 Carnegie Mellon University.
   
   Revision History

   August 11, 2000:  Initial release


-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOZRPDFr9kb5qlZHQEQJLaACeI4QH03vr031yaAlOisX4Z3LdoCQAnjKx
kSf3jAgm5d/btu6rqpl/LsQ0
=eqtt
-----END PGP SIGNATURE-----


