RE: Microsoft Baseline Security Analyzer exploit (Exposed vulnerabilities' list)

From: Deus, Attonbitus
Date: 04/26/02

Date: Fri, 26 Apr 2002 07:54:43 -0700
To: "Menashe Eliezer" <>, "3APA3A" <3APA3A@SECURITY.NNOV.RU>
From: "Deus, Attonbitus" <>


At 10:18 AM 4/25/2002, Menashe Eliezer wrote:
>The vulnerabilities' list is accessible even by unprivileged user account.

Only on a FAT drive; by default, only system, admin and the user have
permissions to access the file.

>The ability of active content to access this report depends on
>security setting of the browser.
>For example, signed ActiveX that runs in browser with low security
>setting, doesn't need user's approval. User can also choose not be asked
>whether to launch ActiveX that is signed by a specific signer. In such case,
>The ActiveX doesn't have to be safe for scripting. The ActiveX can do
>without being scripted at all. There's no need for low security setting of
>the browser.

Please just stop it. This has *nothing* to do with MBSA. If people have a
low browser security setting and go around downloading signed (or unsigned
for that matter) ActiveX controls then that is their problem, not
MBSA's. Even the examples on your web site require much interaction of the
user and the explicit loading and executing of the controls. This is bogus.

There IS a need for low security for the rogue ActiveX control to be
downloaded in the first place. The reason the "safe for scripting" issue
was raised by 3APA3A is that he knows some may have the "Script ActiveX
controls marked safe for scripting" turned on... In that case, only these
types of controls could be used to access the information, and they would
already have to be installed and marked "safe for scripting."

>You can access this report even without active content.
>All you need is a limited exploit that just allows you to read a file.
>Deus Attonbitus wrote:
>DA>but the script would also have to be able to discern the currently logged
>DA>on user in order to see where to look in the "Documents and Settings"
>1. Discern the currently logged on user - It's a simple Win32 API.
>2. Code can simply look for "Security Scans" folder in tree.

You contradict yourself... Without the ActiveX control, your "limited
exploit" to read the file would not be able to run the API call to find out
the username. You might be able to use something old to read a known filename in
a known location, but where is the "limited exploit" that allows directory
recursion? Besides, you don't even know the name of the XML file, unless
you also guess the domain, the computer name scanned, and the exact date
and time (to the second) that the scan was made.

Let's break it down... Here is what would have to happen:

1) Admin downloads and runs MBSA.
2) MBSA tells Admin that he is running on FAT, that the IE Internet zone
security is low, that the Outlook security zone is low, and that he has
missing patches for known issues.
3) Admin ignores all messages, does nothing to secure his system, and goes
about his day whistling "Jimmy crack corn and I don't care."
4) You magically discern who this admin is, and get him to visit your web
site using Jedi Mind Trick.
5) You got Microsoft to sign an ActiveX control that allows you to take full
control over the user's box.
6) User downloads control.
7) You use this control to read the MBSA XML file, when you already had
full control over the box.
8) You find out what patches are missing and then fire off another exploit
against user to further compromise system even though the game was already

Is that about right?


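The permission point argued in this thread (the MBSA report is readable by other local accounts only when the volume is FAT, since NTFS restricts it to system, admin and the profile owner) is something an administrator can verify on a given machine. The script below is an added example, not part of the original message; it assumes the report folder is `<profile>\Security Scans`, the folder name given in the thread, and that PowerShell with Get-Acl is available.

```powershell
# Added example: audit who can read the MBSA report folder.
# Assumes the report folder is "<profile>\Security Scans", as named in the thread.
param(
    [string]$ReportDir = (Join-Path $env:USERPROFILE 'Security Scans')
)

if (-not (Test-Path -Path $ReportDir -PathType Container)) {
    Write-Warning "Report folder '$ReportDir' not found; nothing to audit."
    return
}

# 1. FAT/FAT32 volumes carry no ACLs, so every local account can read the reports.
$root = [System.IO.Path]::GetPathRoot((Resolve-Path -Path $ReportDir).Path)
$fs   = (New-Object System.IO.DriveInfo($root)).DriveFormat
if ($fs -notlike 'NTFS*') {
    Write-Warning "$root is $fs: no ACL protection, reports are readable by any local user."
}

# 2. On NTFS, list every identity granted read access and flag anything beyond
#    SYSTEM, Administrators and the profile owner (the default set the thread describes).
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$env:USERDOMAIN\$env:USERNAME")
$readBit  = [System.Security.AccessControl.FileSystemRights]::ReadData
$acl      = Get-Acl -Path $ReportDir
foreach ($ace in $acl.Access) {
    $canRead = ([int]$ace.FileSystemRights -band [int]$readBit) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $canRead) {
        $who  = $ace.IdentityReference.Value
        $flag = if ($expected -contains $who) { 'ok' } else { 'UNEXPECTED' }
        '{0,-10} {1,-40} {2}' -f $flag, $who, $ace.FileSystemRights
    }
}
```

Run it in the context of the account that ran the scan; any `UNEXPECTED` line shows a principal that can read the patch inventory, which is the exposure the thread is debating.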

