[NT] Vulnerability in Authenticode Verification Could Allow Remote Code Execution (MS03-041)
From: SecuriTeam (support_at_securiteam.com)
Date: 10/16/03
To: list@securiteam.com Date: 16 Oct 2003 14:38:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SUMMARY
Authenticode is a technology which allows users to verify the publisher of
an ActiveX control. Authenticode checks for authorization when prompting a
user to install an ActiveX control.
There is a vulnerability in Authenticode that, under certain low memory
conditions, could allow an ActiveX control to download and install without
presenting the user with an approval dialog.
DETAILS
Vulnerable Systems:
* Microsoft Windows NT Workstation 4.0, Service Pack 6a
* Microsoft Windows NT Server 4.0, Service Pack 6a
* Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
* Microsoft Windows 2000, Service Pack 2
* Microsoft Windows 2000, Service Pack 3, Service Pack 4
* Microsoft Windows XP Gold, Service Pack 1
* Microsoft Windows XP 64-bit Edition
* Microsoft Windows XP 64-bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-bit Edition
CVE Information:
* CAN-2003-0660 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0660>
Immune Systems:
* Microsoft Windows Millennium Edition
Patch Availability:
* Microsoft Windows NT Workstation 4.0, Service Pack 6a:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=921466F5-BC40-4E8E-BB57-6B81B57C21B6&displaylang=en>
* Microsoft Windows NT Server 4.0, Service Pack 6a:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=21F64FF0-9175-42BE-A8E4-BDC59A98BDF2&displaylang=en>
* Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=C6688576-4682-4A30-BBD7-1817F2944890&displaylang=en>
* Microsoft Windows 2000, Service Pack 2:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=C862E049-58B2-4486-8D98-23183D7EE17D&displaylang=en>
* Microsoft Windows 2000, Service Pack 3, Service Pack 4:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=90D27AEC-7D2A-45FD-B85A-E98E574338F1&displaylang=en>
* Microsoft Windows XP Gold, Service Pack 1:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=6CDF5303-D767-4D68-9BA7-055E93E87847&displaylang=en>
* Microsoft Windows XP 64-bit Edition:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D92EF2E8-C03A-43C0-B428-D76C4B669151&displaylang=en>
* Microsoft Windows XP 64-bit Edition Version 2003:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=4DFF5AAB-FA62-4B81-9C08-5C9FCB905E11&displaylang=en>
* Microsoft Windows Server 2003:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=135D8C00-7B4B-4C21-8EAA-D58814635E0D&displaylang=en>
* Microsoft Windows Server 2003 64-bit Edition:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=4DFF5AAB-FA62-4B81-9C08-5C9FCB905E11&displaylang=en>
To exploit this vulnerability, an attacker could host a malicious Web site
designed to trigger it. If an attacker then persuaded a user to visit that
site, an ActiveX control could be installed and executed on the user's
system. Alternatively, an attacker could create a specially formed HTML
e-mail and send it to the user. If the user viewed the HTML e-mail, an
unauthorized ActiveX control could be installed and executed on the user's
system. In both scenarios the vulnerability in Authenticode could allow an
unauthorized ActiveX control to be installed and executed on the user's
system, with the same permissions as the user, without prompting the user
for approval.
The risk of attack from the HTML email vector can be significantly reduced
if the following conditions are met:
* You have applied the patch included with Microsoft Security bulletin
<http://www.microsoft.com/technet/security/bulletin/MS03-040.asp> MS03-040
* You are using Internet Explorer 6 or later
* You are using the Microsoft Outlook Email Security Update or Microsoft
Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in
their default configuration.
Mitigating factors:
* By default, Internet Explorer on Windows Server 2003 runs in Enhanced
Security Configuration. This default configuration of Internet Explorer
blocks automatic exploitation of this attack. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections put in
place that prevent this vulnerability from being automatically exploited
would be removed.
* In the Web-based attack scenario, the attacker would have to host a Web
site that contained a Web page used to exploit this vulnerability. An
attacker would have no way to force a user to visit a malicious Web Site.
Instead, the attacker would need to lure them there, typically by getting
them to click a link that would take them to the attacker's site.
* By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the
Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in
the Restricted Sites Zone if the Outlook Email Security Update has been
installed. Customers who use any of these products would be at a reduced
risk from an e-mail borne attack that attempted to exploit this
vulnerability unless the user clicked a malicious link in the email.
* Exploiting the vulnerability would allow the attacker only the same
privileges as the user. Users whose accounts are configured to have few
privileges on the system would be at less risk than ones who operate with
administrative privileges.
Workarounds
Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability; however, they help block known attack
vectors. Workarounds may cause a reduction in functionality in some cases;
where that is so, it is identified below.
* Disable downloading of ActiveX controls in the Internet zone:
You can help protect against this vulnerability by changing your settings
for the Internet security zone to disable the downloading of ActiveX
components. To do this, perform the following steps:
1. In Internet Explorer, select Tools, Internet Options
2. Click on the Security tab
3. Highlight the Internet icon and click on the Custom Level button
4. Scroll through the list to the ActiveX controls and plugins section
5. Under Download signed ActiveX controls click Disable
6. Click OK, then click OK again to return to Internet Explorer
Impact of Workaround:
Many Web sites on the Internet use ActiveX to provide additional
functionality. For instance, an online e-commerce site or banking site
might use ActiveX controls to provide menus, ordering forms, or even
account statements.
Disabling the downloading of ActiveX controls is a global setting for all
Internet sites. If you feel that there are sites on the Internet where you
require the page to download ActiveX components, you can instead use the
"Restrict Web sites to only your trusted Web sites" workaround.
* Restrict Web sites to only your trusted Web sites
After disabling the downloading of ActiveX in the Internet zone, you can
add sites that you trust into Internet Explorer's Trusted sites. This will
allow you to continue using trusted Web sites exactly as you do today,
while helping protect you from this attack on untrusted sites. When you
are able to deploy the patch, you can safely re-enable the downloading of
ActiveX in the Internet zone.
To do this, perform the following steps:
1. In Internet Explorer, select Tools, then Internet Options. Click the
Security tab.
2. In the box labeled Select a Web content zone to specify its current
security settings, click Trusted Sites, then click Sites
3. If you want to add sites that do not require an encrypted channel,
click to clear the Require server verification (https:) for all sites in
this zone check box.
4. In the box labeled Add this Web Site to the zone, type the URL of a
site that you trust, then click the Add button. Repeat for each site that
you want to add to the zone.
5. Click OK twice to accept the changes and return to Internet Explorer.
Add any sites that you trust not to take malicious action on your
computer. One in particular that you may want to add is
https://*.windowsupdate.microsoft.com. This is the site that hosts the
patch, and it requires the use of an ActiveX control to install the patch.
Note that there is generally a trade-off between ease-of-use and security;
by selecting a high-security configuration, you could make it extremely
unlikely that a malicious Web site could take action against you, but at
the cost of missing a lot of rich functionality. The appropriate balance
between security and ease-of-use is different for everyone, and you should
pick a configuration that fits your needs.
Impact of Workaround:
For those sites you have not configured to be in your Trusted sites zone,
their functionality will be impaired if they require ActiveX controls to
function properly. Adding sites to your Trusted sites zone will allow them
to be able to download the ActiveX control required to function correctly.
However you should only add Web sites you trust to the Trusted sites zone.
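The two Internet Explorer workarounds above are described as clicks through the Internet Options dialog. The PowerShell below is an added example, not code from the bulletin or from Microsoft, that audits and applies the same two settings through the per-user registry hive the dialog writes to, so the change can be verified or rolled out to many machines. It assumes the documented layout of that hive (which the advisory does not state): `Zones\3` is the Internet zone and `Zones\2` the Trusted sites zone, value `1001` is "Download signed ActiveX controls" (0 = Enable, 1 = Prompt, 3 = Disable), bit `0x4` of the Trusted zone's `Flags` value is "Require server verification (https:)", and `ZoneMap\Domains\<domain>[\<sub>]` with a DWORD named after the scheme set to 2 maps that site into Trusted sites. PowerShell itself postdates the systems the advisory lists; the same registry layout is used by later Windows versions.

```powershell
# Added example (not from the advisory): audit and apply the two Internet
# Explorer zone workarounds through the per-user Internet Settings hive.
# Assumptions (documented hive layout, not stated in the advisory):
#   Zones\3 = Internet zone, Zones\2 = Trusted sites zone
#   value "1001" = "Download signed ActiveX controls" (0 Enable, 1 Prompt, 3 Disable)
#   Zones\2 value "Flags" bit 0x4 = "Require server verification (https:)"
#   ZoneMap\Domains\<domain>[\<sub>] value "<scheme>" = 2 places that site in Trusted sites

$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$InternetZone     = Join-Path $InternetSettings 'Zones\3'
$TrustedZone      = Join-Path $InternetSettings 'Zones\2'
$DomainMap        = Join-Path $InternetSettings 'ZoneMap\Domains'

function Get-SignedActiveXDownloadPolicy {
    # Audit: report the Internet-zone "Download signed ActiveX controls" setting.
    $v = (Get-ItemProperty -Path $InternetZone -Name '1001' -ErrorAction SilentlyContinue).'1001'
    switch ($v) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "Unset/unknown ($v)" } }
}

function Disable-SignedActiveXDownload {
    # Workaround 1, step 5: "Under Download signed ActiveX controls click Disable".
    Set-ItemProperty -Path $InternetZone -Name '1001' -Value 3 -Type DWord
}

function Add-TrustedSite {
    # Workaround 2, step 4: add a pattern such as
    # 'https://*.windowsupdate.microsoft.com' to the Trusted sites zone.
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [switch]$AllowHttp   # step 3: also clear "Require server verification (https:)"
    )
    if ($Pattern -notmatch '^(?<scheme>https?)://(?<host>[A-Za-z0-9.*-]+)/?$') {
        throw "Expected scheme://host, got '$Pattern'"
    }
    $scheme = $Matches.scheme
    $labels = $Matches.host.Split('.')
    if ($labels[0] -eq '*') { $labels = $labels[1..($labels.Length - 1)] }   # '*.' = whole domain
    if ($labels.Length -lt 2) { throw "Need at least a registrable domain: '$Pattern'" }
    # The registrable domain becomes the key (microsoft.com); any remaining
    # leading labels become a subkey beneath it (windowsupdate).
    $keyPath = Join-Path $DomainMap ($labels[-2..-1] -join '.')
    if ($labels.Length -gt 2) {
        $keyPath = Join-Path $keyPath ($labels[0..($labels.Length - 3)] -join '.')
    }
    if ($scheme -eq 'http' -and -not $AllowHttp) {
        throw "http:// entries are ignored while 'Require server verification' is set; pass -AllowHttp"
    }
    if ($AllowHttp) {
        $flags = (Get-ItemProperty -Path $TrustedZone -Name 'Flags').Flags
        Set-ItemProperty -Path $TrustedZone -Name 'Flags' -Value ($flags -band (-bnot 4)) -Type DWord
    }
    New-Item -Path $keyPath -Force | Out-Null
    Set-ItemProperty -Path $keyPath -Name $scheme -Value 2 -Type DWord   # 2 = Trusted sites zone id
    return $keyPath
}

function Get-TrustedSites {
    # Audit: list every ZoneMap entry currently mapped to the Trusted sites zone.
    Get-ChildItem -Path $DomainMap -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($scheme in 'http', 'https') {
            if ($props.$scheme -eq 2) {
                (($_.PSPath -replace '^.*\\Domains\\', '') + " ($scheme)")
            }
        }
    }
}

# Usage: audit, apply both workarounds, audit again.
"Before: Download signed ActiveX controls = $(Get-SignedActiveXDownloadPolicy)"
Disable-SignedActiveXDownload
Add-TrustedSite -Pattern 'https://*.windowsupdate.microsoft.com' | Out-Null
"After:  Download signed ActiveX controls = $(Get-SignedActiveXDownloadPolicy)"
Get-TrustedSites
```

Two caveats when using this for the audit side: on Windows Server 2003 with Enhanced Security Configuration enabled the Trusted sites list is kept under `ZoneMap\EscDomains` rather than `ZoneMap\Domains`, and where the "Security Zones: Use only machine settings" policy is in effect the HKLM copy of the hive governs and per-user edits have no effect.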
* Install the Outlook Email Security Update if you are using Outlook 2000
SP1 or earlier.
The Outlook Email Security Update causes Outlook 98 and 2000 to open HTML
mail in the Restricted Sites Zone by default. Outlook Express 6.0 and
Outlook 2002 by default open HTML mail in the Restricted Sites Zone.
Customers who use any of these products would be at reduced risk from an
e-mail borne attack that attempts to exploit this vulnerability unless the
user clicks a malicious link in the email.
* If you are using Outlook 2002 or Outlook Express 6.0 or higher, to help
protect yourself from the HTML email attack vector, read email in plain
text format.
Users of Microsoft Outlook 2002 and Outlook Express 6.0 who have applied
Service Pack 1 or higher can enable a feature to view all e-mail messages
that are not digitally signed or encrypted in plain text only. Digitally
signed or encrypted e-mail messages are not affected by the setting and may
be read in their original formats.
Information on enabling this setting in Outlook 2002 can be found in the
following Knowledge Base article:
<http://support.microsoft.com/default.aspx?scid=kb;en-us;307594>
Information on enabling this setting in Outlook Express 6.0 can be found
in the following Knowledge Base article:
<http://support.microsoft.com/?kbid=291387>
Impact of Workaround:
E-mail viewed in plain text format cannot contain pictures, specialized
fonts, animations, or other rich content. In addition:
* The changes are applied to the preview pane and open messages.
* Pictures become attachments to avoid loss.
* Since the message is still stored in Rich Text or HTML format in the
mail store, the object model (custom code solutions) may behave
unexpectedly.
Frequently Asked Questions
What's the scope of the vulnerability?
This is a remote attack vulnerability. If an attacker were to successfully
exploit this vulnerability then the attacker could execute arbitrary code
in the context of the logged on user.
What causes the vulnerability?
The vulnerability results from the way in which Authenticode checks for
authorization when prompting a user to install an ActiveX control.
What is Authenticode?
Authenticode is a technology which allows users to verify the publisher of
an ActiveX control. Through its code signing mechanisms, Authenticode
identifies the publisher of the signed software and verifies that it
hasn't been tampered with, before users download the software to their
systems. Based on this knowledge the end user can then make a decision on
whether or not to download and install the code.
What is ActiveX?
ActiveX is a technology that allows programmers to develop self-contained
software modules called controls that perform a single task or a
collection of related tasks. An ActiveX control can be called by programs
or web sites that need the functionality it provides.
What's wrong with Authenticode?
By default, Authenticode prompts a user prior to the installation of an
ActiveX control. Authenticode prevents ActiveX controls from installing
automatically on a user's system by presenting the user with a dialog
requiring the user to confirm that they trust the publisher of a control
and that they want to install the control on their system. Only when the
user clicks "Yes" is the ActiveX control downloaded and installed on the
user's system. There is a vulnerability in Authenticode that, under
certain low memory conditions, could allow an ActiveX control to download
and install without presenting the user with the dialog discussed above.
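The flaw described above is a verification path that, when it fails under resource pressure, lets the install proceed instead of refusing it. The PowerShell below is an added illustration, not code from the bulletin or from Microsoft, and it does not claim to reproduce the actual faulty code path, which the advisory does not describe. It contrasts a fail-closed publisher check, built on the built-in `Get-AuthenticodeSignature` cmdlet (which uses the same Windows Authenticode verification), with the fail-open shape of bug the advisory describes. The allowlisted thumbprint and the file path are constructed placeholders.

```powershell
# Added example (not from the advisory): a fail-closed Authenticode check,
# contrasted with the fail-open pattern the advisory describes. The
# thumbprint and candidate path are constructed placeholders.

$AllowedPublisherThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder: your publisher's certificate thumbprint
)

function Test-PublisherTrusted {
    # Fail closed: the file is trusted only when every check succeeds.
    # Any error in the verification path, including resource exhaustion,
    # yields $false, never $true.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedThumbprints = $AllowedPublisherThumbprints
    )
    try {
        $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop
        if ($sig.Status -ne 'Valid') {
            # NotSigned, HashMismatch, NotTrusted, UnknownError ... all refuse.
            Write-Verbose "Rejecting $Path : $($sig.Status) - $($sig.StatusMessage)"
            return $false
        }
        # A valid signature proves integrity and a chain to a trusted root;
        # the publisher must additionally be one this deployment chose to trust,
        # which is the decision the Authenticode dialog asks the user to make.
        return ($AllowedThumbprints -contains $sig.SignerCertificate.Thumbprint)
    } catch {
        Write-Verbose "Verification could not complete for $Path : $_"
        return $false
    }
}

function Test-PublisherTrustedFailOpen {
    # ANTI-PATTERN, shown only for contrast: an exception in the verification
    # path is treated as "no objection" and the caller proceeds. This is the
    # shape of the bug the advisory describes, where under low memory the
    # approval step is skipped instead of the install being refused.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop
        return ($sig.Status -eq 'Valid')
    } catch {
        return $true   # wrong: failure to verify must never mean "trusted"
    }
}

# Usage: a control fetched from an untrusted source must pass before it runs.
$candidate = Join-Path $env:TEMP 'control.ocx'   # constructed path for illustration
if (Test-PublisherTrusted -Path $candidate -Verbose) {
    "Would install $candidate"
} else {
    "Refusing $candidate"
}
```

Run against a path that does not exist, `Test-PublisherTrusted` returns `$false` because the cmdlet throws and the catch block refuses, while `Test-PublisherTrustedFailOpen` returns `$true` for the same input; that difference is the whole point of the contrast.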
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to install and execute an
unauthorized ActiveX control on the user's system. This could allow an
attacker to take any action on a user's system in the security context of
the currently logged in user.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability in one of two ways:
* By hosting a specially constructed Web Page. If the attacker lured a
user to this Web Page, the Authenticode checks could fail and could allow
arbitrary code to execute in the context of the user.
* By sending a user a specially crafted HTML email. If a user viewed this
E-mail, the Authenticode checks could fail and could allow arbitrary code
to execute in the context of the user.
Does this mean the vulnerability is in Internet Explorer?
No - the vulnerability is in the underlying Authenticode technology in
Microsoft Windows. Internet Explorer is one product that uses this
underlying Authenticode technology.
I'm not using Internet Explorer as my web browser, do I need the patch?
Yes - the vulnerability is in the underlying Authenticode technology in
Microsoft Windows. Any application that uses Authenticode technology could
be vulnerable.
I am running Internet Explorer on Windows Server 2003. Does this mitigate
this vulnerability?
Yes. By default, Internet Explorer on Windows Server 2003 runs in a
restricted mode known as Enhanced Security Configuration.
What is Internet Explorer Enhanced Security Configuration?
Internet Explorer Enhanced Security Configuration is a group of
preconfigured Internet Explorer settings that reduce the likelihood of a
user or administrator downloading and running malicious Web content on a
server. Internet Explorer Enhanced Security Configuration reduces this
risk by modifying numerous security-related settings, including Security
and Advanced tab settings in Internet Options. Some of the key
modifications include:
* Security level for the Internet zone is set to High. This setting
disables scripts, ActiveX Controls, Microsoft Java Virtual Machine (MSJVM)
HTML content, and file downloads.
* Automatic detection of intranet sites is disabled. This setting assigns
all intranet Web sites and all Universal Naming Convention (UNC) paths
that are not explicitly listed in the Local intranet zone to the Internet
zone.
* Install On Demand and non-Microsoft browser extensions are disabled.
This setting prevents Web pages from automatically installing components
and prevents non-Microsoft extensions from running.
* Multimedia content is disabled. This setting prevents music,
animations, and video clips from running.
Disabling Internet Explorer Enhanced Security Configuration would remove
the protections put in place that help prevent these vulnerabilities from
being exploited. For more information regarding Internet Explorer Enhanced
Security Configuration, please consult the Managing Internet Explorer
Enhanced Security Configuration guide, which can be found at the following
location:
<http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en>
Is there any configuration of Windows Server 2003 that is likely to have
Internet Explorer Enhanced Security Configuration Disabled?
Yes. Systems Administrators who have deployed Windows Server 2003 as a
Terminal Server would likely disable Internet Explorer Enhanced Security
Configuration to allow users of the Terminal Server to use Internet
Explorer in an unrestricted mode.
Is there anything that helps mitigate the risk of an HTML email attack?
The risk of attack from the HTML email vector can be significantly reduced
if the following conditions are met:
* You have applied the patch included with Microsoft Security bulletin
<http://www.microsoft.com/technet/security/bulletin/MS03-040.asp> MS03-040
* You are using Internet Explorer 6 or later
* You are using the Microsoft Outlook Email Security Update or Microsoft
Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in
their default configuration.
What does the patch do?
The patch addresses the vulnerability by ensuring Authenticode always
correctly prompts the user prior to the installation of an ActiveX
control.
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS03-041.asp>