Re: MS01-058/IE patch - why is it rated critical on servers?

From: Bronek Kozicki (brok@rubikon.pl)
Date: 12/20/01


From: "Bronek Kozicki" <brok@rubikon.pl>
To: "Ogle Ron (Rennes)" <OgleR@thmulti.com>
Date: Thu, 20 Dec 2001 10:15:05 +0100


> The firewall won't help because we use a proxy before we get to the
> firewall. We could block those server addresses on the Proxy though.

At least some of the IE vulnerabilities can be exploited without browsing
the Internet at all. That's because these vulnerabilities affect Outlook
Express as well. It's enough to read your mail, or just open an .eml or
.nws file. If you have an SMTP or NNTP server running locally, you will
probably have plenty of these files floating in your \Inetpub directory.

> I just thought that there may be a way to disable, delete, or unregister
> some IE component that would disable the user interface of the browser.

Good point. However, if you take a careful look at the "Add/Remove Programs"
applet in Control Panel, you will find that it's an HTML control, running
in the MSHTA.exe process. If you "disable" IE, this applet will not work.
It's just an example of how deeply IE5 is integrated with Win2K (not only
integrated, but also unsupported, actually). Coming back to your
question: the simplest and safe (i.e. undo-able) way to disable IE would be
to revoke access to its most important DLLs: mshtml.dll, url.dll,
urlmon.dll, wininet.dll and shdocvw.dll. One way would be to put a very
restrictive ACL on them, another to create a local account (especially for
this purpose) and use it to encrypt these files. Both can be rolled back in
case someone comes up with a better solution, or you find out that Win2K
does not work without IE.

I also have a question regarding MS01-058. Jouko Pynnonen claims (here:
http://www.solutions.fi/index.cgi/news_2001_12_14?lang=eng) that this
vulnerability applies to IE5.0. Unfortunately, there's no way to
validate this (no sample exploit available). Microsoft discontinued
support for IE5.01 and is not going to evaluate any security problems
with it. Can anybody confirm or deny that the "Arbitrary File Execution"
vulnerability affects IE5.01 SP2? If so, there should be a way to protect
without installing a newer IE version. Or force Microsoft to fully support
Win2K with all "features" they put inside it.

Regards

B.
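
An added example, not part of the original post: a Python script that inventories the stored .eml and .nws files the message mentions and notes which ones carry HTML parts or named attachments, so an administrator can see what a server is holding. The sample messages, directory names and function names are constructed for this illustration.

```python
import email
import os
import tempfile
from email import policy

SPOOL_EXTENSIONS = {".eml", ".nws"}  # the two file types named in the post
# Constructed sample messages (not real mail).
HTML_MSG = b"From: a@example.test\nContent-Type: text/html\n\n<p>constructed</p>\n"
PLAIN_MSG = b"From: b@example.test\nContent-Type: text/plain\n\nconstructed\n"
MIXED_MSG = (b'From: c@example.test\nContent-Type: multipart/mixed; boundary="b1"\n\n'
             b"--b1\nContent-Type: text/html\n\n<p>constructed</p>\n"
             b"--b1\nContent-Type: application/octet-stream\n"
             b'Content-Disposition: attachment; filename="sample.doc"\n\n'
             b"data\n--b1--\n")


def inspect_message(path):
    """Parse one stored message; count HTML parts and list named attachments."""
    with open(path, "rb") as fh:
        parts = list(email.message_from_binary_file(fh, policy=policy.default).walk())
    html = sum(p.get_content_type() == "text/html" for p in parts)
    names = [p.get_filename() for p in parts if p.get_filename()]
    return {"path": path, "html_parts": html, "attachments": names}


def scan_spool(root):
    """Inspect every .eml/.nws file under root (extension match ignores case)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in SPOOL_EXTENSIONS:
                findings.append(inspect_message(os.path.join(dirpath, name)))
    return findings


def build_sample_spool():
    """Write the constructed messages into a temporary directory tree."""
    root = tempfile.mkdtemp(prefix="spool_")
    os.makedirs(os.path.join(root, "queue"))
    samples = {"a.eml": HTML_MSG, "queue/B.NWS": PLAIN_MSG,
               "queue/c.eml": MIXED_MSG, "queue/readme.txt": b"ignored\n"}
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(*scan_spool(build_sample_spool()), sep="\n")
```

Point `scan_spool` at the directory that actually holds the stored messages; the files are only parsed, never opened in a mail client.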