RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow

From: Chris Wysopal (weld_at_vulnwatch.org)
Date: 06/24/03

  • Next message: Brett Moore: "[VulnWatch] Windows Media Services Remote Command Execution #2"
    Date: Tue, 24 Jun 2003 20:51:20 +0000 (GMT)
    To: Jason Coombs <jasonc@science.org>
    
    

    On Tue, 24 Jun 2003, Jason Coombs wrote:

    > 1) Does this ActiveX control bear a digital signature? If so, the problem it
    > causes does not go away simply because there is a new version available from
    > Symantec. An attacker in possession of the bad code with its attached digital
    > signature can fool a victim whose computer does not currently have the
    > vulnerable code installed into trusting the ActiveX control due to the fact
    > that Symantec's digital signature will validate against the trusted root CA
    > certificate present by default in Windows -- the existence of the digital
    > signature on the bad code effectively transfers ownership of millions of other
    > people's computers to anyone who should become interested in attacking those
    > computers; it is extremely important that Symantec take further action above
    > and beyond compiling a new version of the affected code because of the ongoing
    > threat posed for the duration of the validity of the digital signature.

    You are absolutely right about attackers using the old control to carry out
    an attack.

    The new control should have a new CLSID and the kill bit should be set for
    the old control's CLSID. Information from the Microsoft knowledge base on
    how to set the kill bit is here:

    http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q240/7/97.asp&NoWebContent=1

    Unfortunately the only way to get this kill bit to be set on the majority
    of machines is to get Microsoft to do it through a Windows update. Until
    that happens the old signed control can be used by attackers.

    This is the real flaw in the system. The kill bit is only useful to
    Microsoft as Symantec has no way of getting all Windows users to set this
    bit on the bad CLSID before they are attacked. Perhaps Microsoft should
    allow other vendors to send them CLSIDs to kill. Or maybe they already do
    allow this but it is not publicized.

    -Chris

    > Sincerely,
    >
    > Jason Coombs
    > jasonc@science.org


  • Next message: Brett Moore: "[VulnWatch] Windows Media Services Remote Command Execution #2"

    Relevant Pages

    • RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow
      ... it is extremely important that Symantec take further action above ... You are absolutely right about attackers using the old control to carry out ... how to set the kill bit is here: ... of machines is to get Microsoft to do it through a Windows update. ...
      (Bugtraq)
    • Re: Battlefield 3 DICE servers
      ... I was in a Gulf of Oman Conquest round, and shortly after the start I noticed ... the attack at the last MCOM of the second to last base and I think I managed ... of my mines getting a vehicle kill as well as a double kill. ... because in the end there were only six attackers. ...
      (uk.games.video.misc)
    • Re: XXX is under attack - whats the relevance?
      ... settlement only to see the guards fighting with some attackers. ... we would kill the NPC's and any horde PCs that were unlucky ...
      (alt.games.warcraft)
    • RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow
      ... Sitelocking can help prevent your control from being illegitimately used ... [Symantec Security Advisor] Symantec Security Check ActiveX ... You are absolutely right about attackers using the old control to carry ... The new control should have a new CLSID and the kill bit should be set ...
      (Bugtraq)
    • Re: semi-OT: Youth thugs
      ... with the belt, no one individual was doing anything likely to kill him. ... more of his attackers (higher burden of proof in a criminal case, ... pierce the deep pockets of the casino, and thus ensure a great payday ...
      (alt.vacation.las-vegas)