Security Information Week 29, 2000
Introduction
This week the SANS Institute issued a special FLASH message warning about what they describe as
"(...) probably the most dangerous programming error in Windows workstation (all varieties -- 95, 98, 2000, NT 4.0) that Microsoft has made."
At the time of writing, no fix is available. However, Microsoft has published a workaround for this vulnerability. See below.
Vulnerable systems are those which have installed
- Microsoft Access 97 and 2000 and
- Microsoft Internet Explorer - all versions from 4.0 (including the newly released 5.5)
The issue
The vulnerability means that you can be affected just by viewing or reading an email or a web page.
Microsoft Internet Explorer allows an HTML tag in a web page or email to load ActiveX controls. Microsoft Office documents (e.g. Access databases) are examples of ActiveX controls. By default Internet Explorer loads such controls without prompting the user. However, several users have configured Internet Explorer to prompt before opening such controls, as there have been lots of security issues involved with silently executing ActiveX controls. Others have disabled Active Scripting in Internet Explorer, thus disabling the execution of ActiveX controls.
This vulnerability, on the other hand, is not avoided either by configuring Internet Explorer to prompt before executing ActiveX controls or by disabling Active Scripting altogether. It is the result of an error in the sequence in which Internet Explorer handles .MDB files (Access databases).
It appears that what happens is in this order:
1. Internet Explorer opens a web page or email with an object tag which attempts to open an .MDB file.
2. The .MDB file is downloaded and Access is called to open the database.
3. Internet Explorer prompts the user to open the database (if IE is set up to prompt), or Internet Explorer informs the user that there is an unsafe ActiveX control on the page (if IE is set up to disable scripting altogether).
The problem here is that event 2 occurs before 3. The database (.MDB file) is already opened before the user has the option to say yes or no.
Given that Access databases support Visual Basic for Applications (.VBA files), a computer which is set up as described in the introduction above is vulnerable to almost anything.
This exploit can be executed from web pages and from emails read in clients which support HTML, e.g. MS Outlook, Outlook Express and the popular email client Eudora from Qualcomm.
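Because the prompt in step 3 comes too late, a mail gateway or web proxy can instead flag the trigger from step 1 (an object tag that refers to an .MDB file) before the content reaches Internet Explorer. The following is an added example, not part of the original bulletin or of the SANS or Microsoft material; the function names, the sample HTML and the choice to inspect every attribute of the object tag are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


def refers_to_mdb(value):
    """True if an attribute value points at a file whose name ends in .mdb."""
    try:
        path = urlsplit(value.strip()).path   # drops ?query and #fragment
    except ValueError:                        # malformed URL: compare the raw text
        path = value
    return unquote(path).lower().endswith(".mdb")


class MdbObjectFinder(HTMLParser):
    """Collects (tag, attribute, value) for object tags that reference an .MDB file."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <OBJECT DATA=...> matches.
        if tag != "object":
            return
        # Assumption: any attribute of the tag may carry the reference.
        for name, value in attrs:
            if value and refers_to_mdb(value):
                self.hits.append((tag, name, value))


def find_mdb_objects(html):
    finder = MdbObjectFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample message body, for illustration only.
SAMPLE_HTML = """
<html><body>
<p>Quarterly figures attached.</p>
<OBJECT DATA="http://example.invalid/files/Report.MDB?id=7"></OBJECT>
<object data="chart.png" type="image/png"></object>
<a href="http://example.invalid/archive.mdb">download</a>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_mdb_objects(SAMPLE_HTML):
        print("quarantine: %s %s=%r" % hit)
```

The ordinary link to an .mdb file is not flagged, because it requires a click; only the object tag loads the file while the page or message is merely being viewed.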
How to secure the workstations
As mentioned above there is currently no fix from Microsoft available.
However, Microsoft has published a workaround to secure the affected workstations:
- Start Access 2000 but don't open any databases
- From the Tools menu, choose Security
- Select User and Group Accounts
- Select the Admin user, which should be defined by default
- Go to the Change Logon Password tab
- The Admin password should be blank if it has never been changed
- Assign a password to the Admin user
- Click OK to exit the menu
More information here:
- SANS Flash advisory: Dangerous Windows Flaw
- Microsoft's Frequently Asked Questions about Security Bulletin MS00-049
- Microsoft's Security Bulletin MS00-049
Note that all these documents describe two different vulnerabilities. The one described in this Security Information, and considered by far the most dangerous, is what Microsoft (somewhat misleadingly) has called the "IE Script vulnerability". Note also that according to SANS the vulnerability affects versions of IE from 4.0 and above, while Microsoft says that IE from 4.01 SP 2 and above are vulnerable. Similarly, SANS says that both Access 97 and 2000 are vulnerable, while Microsoft says that this only affects Access 2000.
Food for thought
SANS is offering a small prize for anyone who can fix this problem automatically. According to their web page:
"It may be possible to fix this vulnerability automatically, via an email without asking every user to take action. The concept is similar to using a slightly modified version of a virus to provide immunity against infection."
This may be interpreted as an encouragement to create a virus to solve the problem automatically. In Norman's view this would not be a good way to solve the problem. The creation of self-replicating programs (viruses) should not be encouraged even if the intention may be good.
It is much safer, and more in keeping with computer security, to create a program which fixes this security issue only, without any kind of additional viral program code.
Presumably SANS did not intend to encourage solving the problem with viral techniques, but rather with a technique which implements the workaround with minor interference for the users being protected.
Per Olav Førland
