Re: MS01-058/IE patch - why is it rated critical on servers?

From: Bronek Kozicki (brok@rubikon.pl)
Date: 12/20/01


From: "Bronek Kozicki" <brok@rubikon.pl>
To: "Ogle Ron (Rennes)" <OgleR@thmulti.com>
Date: Thu, 20 Dec 2001 10:15:05 +0100


> The firewall won't help because we use a proxy before we get to the
> firewall. We could block those server addresses on the Proxy though.

At least some of the IE vulnerabilities can be exploited without browsing
the Internet at all. That's because these vulnerabilities affect Outlook
Express as well. It's enough to read your mail, or just open an .eml or
.nws file. If you have an SMTP or NNTP server running locally, you will
probably have plenty of these files floating in your \Inetpub directory.

> I just thought that there may be a way to disable, delete, or
> unregister some IE component that would disable the user interface
> of the browser.

Good point. However, if you take a careful look into the "Add/Remove
Programs" applet in Control Panel, you will find that it's an HTML
control, running in the MSHTA.exe process. If you "disable" IE, this
applet will not work. It's just an example of how deeply IE5 is
integrated with Win2K (not only integrated, but also unsupported,
actually). Coming back to your question: the simplest and safe (i.e.
undo-able) way to disable IE would be to revoke access for its most
important DLLs: mshtml.dll, url.dll, urlmon.dll, wininet.dll and
shdocvw.dll. One way would be to put a very restrictive ACL, another to
create a local account (especially for this purpose) and use it to
encrypt these files. Both can be rolled back in case someone comes up
with a better solution, or you find out that Win2K does not work
without IE.

I also have a question regarding MS01-058. Jouko Pynnonen claims (here:
http://www.solutions.fi/index.cgi/news_2001_12_14?lang=eng ) that this
vulnerability applies to IE5.0. Unfortunately, there's no way to
validate this (no sample exploit available). Microsoft discontinued
support for IE5.01 and is not going to evaluate any security problems
with it. Can anybody confirm or deny that the "Arbitrary File Execution"
vulnerability affects IE5.01 SP2? If so, there should be a way to protect
without installing a newer IE version. Or force Microsoft to fully support
Win2K with all the "features" they put inside it.

Regards

B.


