US-CERT Technical Cyber Security Alert TA04-184A -- Internet Explorer Update to Disable ADODB.Stream ActiveX Control

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 07/03/04

    Date: Fri, 2 Jul 2004 18:50:27 -0400
    To: cert-advisory@cert.org
    
    


    Internet Explorer Update to Disable ADODB.Stream ActiveX Control

       Original release date: July 2, 2004
       Last revised: --
       Source: US-CERT

    Systems Affected

         * Microsoft Windows systems

    Overview

       Microsoft has released a security update for Internet Explorer (IE)
       that disables the ADODB.Stream ActiveX control. This update reduces
       the impact of attacks against cross-domain vulnerabilities in IE.

    I. Description

       A class of vulnerabilities in IE allows malicious script from one
       domain to execute in a different domain, which may also be in a
       different IE security zone. Attackers typically seek to execute script
       in the security context of the Local Machine Zone (LMZ). One such
       vulnerability (VU#713878) is described in US-CERT Technical Alert
       TA04-163A. Other cross-domain vulnerabilities have similar impacts.

       After obtaining access to the LMZ through one or more of the
       vulnerabilities noted above, attackers typically attempt to download
       and run an executable file. Writing the executable to disk can be
       accomplished using the ADODB.Stream ActiveX control. In order to
       defeat this technique, Microsoft has released an update that disables
       the ADODB.Stream control. From Microsoft Knowledge Base Article
       870669:

         An ADO stream object contains methods for reading and writing
         binary files and text files. When an ADO stream object is combined
         with known security vulnerabilities in Internet Explorer, a Web
         site could execute scripts from the Local Machine zone. To help
         protect your computer from this kind of attack, you can manually
         modify your registry.

       It is important to note that there may be other ways for an attacker
       to write arbitrary data or to execute commands without relying on the
       ADODB.Stream control.

       Further information is available from Microsoft in What You Should
       Know About Download.Ject. Instructions for securing IE and other web
       browsers against malicious web scripts are available in the Malicious
       Web Scripts FAQ.

    II. Impact

       By convincing a victim to view an HTML document (web page, HTML
       email), an attacker could execute script in a different security
       domain than the one containing the attacker's document. By causing
       script to be run in the Local Machine Zone, the attacker could execute
       arbitrary code with the privileges of the user running IE.

       Recent incident activity known as Download.Ject (also JS.Scob.Trojan,
       Scob, JS.Toofeer) uses cross-domain vulnerabilities and the
       ADODB.Stream control to install software that steals sensitive
       financial information.

    III. Solution

       Until a complete solution is available from Microsoft, consider the
       following workarounds.

    Disable Active scripting and ActiveX controls

       Disabling Active scripting and ActiveX controls in the Internet Zone
       (or any zone used by an attacker) appears to prevent exploitation of
       this vulnerability. Disabling Active scripting and ActiveX controls in
       the Local Machine Zone will prevent widely used payload delivery
       techniques from functioning. Instructions for disabling Active
       scripting in the Internet Zone can be found in the Malicious Web
       Scripts FAQ. See Microsoft Knowledge Base Article 833633 for
       information about securing the Local Machine Zone. Also, Service Pack
       2 for Windows XP (currently at RC2) includes these and other security
       enhancements for IE.

    Do not follow unsolicited links

       Do not click on unsolicited URLs received in email, instant messages,
       web forums, or Internet relay chat (IRC) channels. While this is
       generally good security practice, following this behavior will not
       prevent exploitation of this vulnerability in all cases. For example,
       a trusted web site could be compromised and modified to deliver
       exploit script to unsuspecting clients.

    Disable ADODB.Stream ActiveX control

       One way to disable the ADODB.Stream control is to apply the update
       from the Microsoft Download Center (KB870669) or the Windows Update
       web site.

       The ADODB.Stream control can also be disabled by modifying the Windows
       registry as described in Microsoft Knowledge Base Article 870669.

       Both of these methods disable ADODB.Stream by setting the kill bit for
       the control in the Windows registry.

       Note that disabling the ADODB.Stream control does not directly address
       any cross-domain vulnerabilities, nor does it prevent attacks. This
       workaround prevents a well-known and widely used technique for writing
       arbitrary data to disk after a cross-domain vulnerability has been
       exploited. There may be other ways for an attacker to write arbitrary
       data or execute commands.
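   The kill-bit check below is an added example, not part of the US-CERT alert or
   of Microsoft's KB 870669 update. It audits (and, from an elevated shell, can
   set) the per-CLSID "Compatibility Flags" kill bit that both methods above rely
   on; the CLSID it uses is the well-known ADODB.Stream class id and is an
   assumption to confirm against KB 870669 before deploying.

```powershell
# Added example (not from the alert or KB 870669): audit and optionally set the
# ActiveX kill bit that disables ADODB.Stream in Internet Explorer.
# Assumption: the CLSID below is the well-known ADODB.Stream class id; confirm
# it against KB 870669 before relying on this check.
$Clsid   = '{00000566-0000-0010-8000-00AA006D2EA4}'
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Test-AdodbStreamKillBit {
    # True only when the per-CLSID key exists AND bit 0x400 is set in its flags.
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (([int]$item.'Compatibility Flags' -band $KillBit) -ne 0)
}

function Set-AdodbStreamKillBit {
    # Mirrors the registry workaround described in KB 870669; needs an elevated
    # shell. OR-ing keeps any other compatibility flags already on the key.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $current = (Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
                                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' `
                     -Value ([int]$current -bor $KillBit) -Type DWord
}

if (Test-AdodbStreamKillBit) {
    Write-Output "ADODB.Stream kill bit is set ($KeyPath)"
} else {
    Write-Output "ADODB.Stream kill bit is NOT set; IE can still instantiate the control"
}
```

   On 64-bit Windows the 32-bit IE reads the Wow6432Node copy of the ActiveX
   Compatibility key, so an audit there should check both hives.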

    Maintain updated anti-virus software

       Anti-virus software with updated virus definitions may identify and
       prevent some exploit attempts. Variations of exploits or attack
       vectors may not be detected. Do not rely solely on anti-virus software
       to defend against this vulnerability. More information about viruses
       and anti-virus vendors is available on the US-CERT Computer Virus
       Resources page.

    Appendix A. Vendor Information

    Microsoft Corporation

         Please see What You Should Know About Download.Ject and Microsoft
         Knowledge Base Article 870669.

    Appendix B. References

         * US-CERT Technical Alert TA04-163A -
           <http://www.us-cert.gov/cas/techalerts/TA04-163A.html>
         * US-CERT Vulnerability Note VU#713878 -
           <http://www.kb.cert.org/vuls/id/713878>
         * Malicious Web Scripts FAQ -
           <http://www.cert.org/tech_tips/malicious_code_FAQ.html>
         * Results of the Security in ActiveX Workshop (PDF) -
           <http://www.cert.org/reports/activeX_report.pdf>
         * What You Should Know About Download.Ject -
           <http://www.microsoft.com/security/incident/download_ject.mspx>
         * Increase Your Browsing and E-Mail Safety -
           <http://www.microsoft.com/security/incident/settings.mspx>
         * Working with Internet Explorer 6 Security Settings -
           <http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx>
         * Microsoft Knowledge Base Article 870669 -
           <http://support.microsoft.com/default.aspx?kbid=870669>
         * Microsoft Knowledge Base Article 833633 -
           <http://support.microsoft.com/default.aspx?kbid=833633>
         * Microsoft Knowledge Base Article 182569 -
           <http://support.microsoft.com/default.aspx?kbid=182569>
         * Microsoft Knowledge Base Article 240797 -
           <http://support.microsoft.com/default.aspx?kbid=240797>
         * Windows XP Service Pack 2 Release Candidate 2 Preview -
           <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>

       Feedback can be directed to the author: Art Manion
         _________________________________________________________________

       The most current version of this alert can be found at

       <http://www.us-cert.gov/cas/techalerts/TA04-184A.html>

       Copyright 2004 Carnegie Mellon University.

       Terms of use: <http://www.us-cert.gov/legal.html>
