Microsoft released an urgent cumulative security bulletin on Friday, July 30, 2004. The company clearly assigns a high priority to the critical issues covered in this bulletin: the out-of-band release breaks Microsoft's recent policy of issuing all of the month's security bulletins on a single day in the first half of each month. The new bulletin addresses threats to Microsoft Internet Explorer and is an update to the earlier cumulative Security Bulletin MS04-004. At least one of the newly addressed vulnerabilities has already been exploited in the wild.
MS04-025, "Cumulative Security Update for Internet Explorer," includes patches for three new critical vulnerabilities, all of which allow a remote attacker to run arbitrary code.
- Malformed GIF file double-free vulnerability
This is the mshtml.dll denial-of-service and remote code execution "double-free" vulnerability first discussed in 2003 (see these three messages from the Full Disclosure list for more information: message 1, message 2, message 3). By crafting a malicious image file, an attacker can make the image decoder free the same block of heap memory twice. The second free corrupts the allocator's bookkeeping, and an attacker who also controls what gets written into that memory can use the corruption to place code in memory and have it executed later. Usually the result is just a crash, but under the right circumstances the malicious code runs, potentially giving the attacker complete control of the system. Microsoft reports having seen proof-of-concept code for this vulnerability but no customer reports that it has actually been exploited. The attack can be delivered through either a malicious e-mail message or a malicious Web site.
- Malformed BMP file buffer overrun vulnerability
This is a buffer overrun triggered by a BMP image whose fields are not properly validated. Microsoft states that it has received reports of the exploit being seen in the wild, so this is a real-world, ongoing threat. It can be exploited either through a malicious e-mail message or a malicious Web site.
- Navigation method cross-domain vulnerability
This is a remote code execution vulnerability that lets malicious script run in the Local Machine security zone, which can give the attacker complete control of a vulnerable system. It can be exploited either through a malicious e-mail message or a malicious Web site.
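The GIF and BMP entries above describe two bug classes, a size field the decoder trusts and a buffer freed twice on an error path, without showing what the defect looks like in code. The following is an added example, not Microsoft's code and not the mshtml.dll routines (which are not public). It decodes a toy image format, "TOY1", constructed for this example only; the sample inputs are likewise constructed, and the `tracked_malloc`/`tracked_free` wrappers are instrumentation that counts a second free of the live buffer instead of handing it to the real allocator, so the unsafe path can run without corrupting the heap. Each defect is shown beside its hardened form.

```c
/* Toy image decoder illustrating the two bug classes behind the GIF and BMP
 * flaws in MS04-025: a size field the decoder trusts (buffer overrun) and a
 * buffer freed twice on an error path (double free). "TOY1" is a format made
 * up for this example; it is not GIF or BMP, and the real mshtml.dll code is
 * not public.
 *   bytes 0-3   magic "TOY1"
 *   bytes 4-7   width  (little-endian uint32)
 *   bytes 8-11  height (little-endian uint32)
 *   bytes 12..  width*height pixel bytes, one byte per pixel
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_HDR 12u
#define TOY_MAX_PIXELS (64u * 1024u * 1024u)   /* decoder policy, not a format limit */

/* Instrumented allocator (example scaffolding): the toy decoder has one live
 * buffer at a time, so a free of anything other than that buffer is a double
 * free. It is counted instead of being passed to the real allocator so the
 * unsafe path can run here; glibc would abort, and an exploit aims for heap
 * corruption that does not abort. */
static void *g_live;
static int g_double_frees;
static void *tracked_malloc(size_t n) { g_live = malloc(n ? n : 1); return g_live; }
static void tracked_free(void *p) {
    if (p == NULL) return;
    if (p != g_live) { g_double_frees++; return; }   /* second free of the same block */
    g_live = NULL;
    free(p);
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Size computation as a careless decoder does it: 65536 x 65536 wraps to 0,
 * so the buffer is tiny while a row-by-row copy writes 4 GiB into it. */
uint32_t pixel_bytes_unsafe(uint32_t w, uint32_t h) { return w * h; }

/* Hardened: overflow-checked product plus an absolute cap. */
int pixel_bytes_checked(uint32_t w, uint32_t h, size_t *out) {
    if (w == 0 || h == 0) return -1;
    if (h > TOY_MAX_PIXELS / w) return -1;   /* w*h would exceed the cap (and may wrap) */
    *out = (size_t)w * h;
    return 0;
}

/* UNSAFE error path: frees on failure, then again at the shared exit.
 * Returns 0 on success, -1 on error. It uses the checked size computation,
 * so the only defect exercised here is the double free. */
int decode_unsafe(const uint8_t *in, size_t len) {
    size_t npix;
    int rc = 0;
    if (len < TOY_HDR || memcmp(in, "TOY1", 4) != 0) return -1;
    if (pixel_bytes_checked(rd32(in + 4), rd32(in + 8), &npix) != 0) return -1;
    uint8_t *pix = tracked_malloc(npix);
    if (pix == NULL) return -1;
    if (len - TOY_HDR < npix) {          /* truncated file */
        tracked_free(pix);               /* first free */
        rc = -1;
    } else {
        memcpy(pix, in + TOY_HDR, npix);
    }
    tracked_free(pix);                   /* second free when rc == -1 */
    return rc;
}

/* Hardened: validate everything before allocating, one owner, one free, and
 * the pointer is nulled afterwards. Returns the pixel sum on success so a
 * caller can check the decode, -1 on error. */
long decode_safe(const uint8_t *in, size_t len) {
    size_t npix, i;
    long sum = 0;
    if (len < TOY_HDR || memcmp(in, "TOY1", 4) != 0) return -1;
    if (pixel_bytes_checked(rd32(in + 4), rd32(in + 8), &npix) != 0) return -1;
    if (len - TOY_HDR < npix) return -1;  /* reject before allocating */
    uint8_t *pix = tracked_malloc(npix);
    if (pix == NULL) return -1;
    memcpy(pix, in + TOY_HDR, npix);
    for (i = 0; i < npix; i++) sum += pix[i];
    tracked_free(pix);
    pix = NULL;                          /* a later free(pix) is now a no-op */
    return sum;
}

int double_free_count(void) { return g_double_frees; }

/* Constructed inputs: a valid 2x2 image, and the same header with only 2 of
 * its 4 pixel bytes present. */
static const uint8_t good[] = { 'T','O','Y','1', 2,0,0,0, 2,0,0,0, 1,2,3,4 };
static const uint8_t truncated[] = { 'T','O','Y','1', 2,0,0,0, 2,0,0,0, 1,2 };

int main(void) {
    printf("safe/good      -> %ld\n", decode_safe(good, sizeof good));           /* 10 */
    printf("safe/truncated -> %ld\n", decode_safe(truncated, sizeof truncated)); /* -1 */
    printf("unsafe/truncated rc=%d, double frees=%d\n",
           decode_unsafe(truncated, sizeof truncated), double_free_count());    /* -1, 1 */
    printf("unsafe size for 65536x65536 = %u bytes\n", pixel_bytes_unsafe(65536u, 65536u)); /* 0 */
    return 0;
}
```

The two fixes are independent of the format: compute sizes with an overflow check and a cap before calling the allocator, and give every buffer exactly one owner with a single exit path, nulling the pointer after the free. Under a real allocator the unsafe path would be caught by glibc's double-free check or by AddressSanitizer, which is how this class of bug is found in decoders today.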
These flaws affect Internet Explorer 5.01 and later. This includes:
- IE 5.01 with all service packs installed
- IE 5.5 with Service Pack 2
- IE 6 and IE 6 64-bit edition with all service packs installed
- IE 6 for Windows Server 2003 and Windows Server 2003 64-bit edition
Risk level – Cumulative risk is critical
The malformed GIF file double-free vulnerability is critical for all IE versions 5.01 and later.
The malformed BMP file buffer overrun vulnerability is critical for IE 5.01, IE 5.5, and IE 6 prior to Service Pack 1. The vulnerability doesn't apply to IE 6 SP1 or IE 6 in Windows Server 2003.
The navigation method cross-domain vulnerability does not apply to IE 5.01, is moderate in IE 6 for Windows Server 2003, and is critical for all other affected versions of IE.
For the malformed GIF and malformed BMP vulnerabilities, the only real mitigating factor is that the attacker gains only the privileges of the logged-on user, so following the best practice of running with the lowest practical privilege may limit the damage, although it won't block the attack itself. Reading e-mail in plain text eliminates the e-mail vector but does nothing against malicious Web sites.
The navigation method cross-domain vulnerability likewise runs code with the privileges of the logged-on user, so a complete takeover of the system requires that user to be an administrator; any successful attack, however, lets the attacker run script in the Local Machine security zone. Applying the patches in MS04-024 and disabling the ADODB.Stream object as described in Microsoft Knowledge Base Article 870669 reduces the exposure. Reading e-mail in plain text eliminates the e-mail vector but does nothing against malicious Web sites.
Fix – Apply the provided patches
The only workaround for the malformed GIF flaw is to read HTML e-mail in plain text; there is no workaround for a Web site that hosts a malicious GIF file. The same applies to the malformed BMP flaw.
Workarounds for the navigation method cross-domain vulnerability are to restrict the Local Machine zone settings and to set the Internet and Local intranet security zones to High, so that the browser prompts before running an ActiveX control. Reading e-mail in plain text also eliminates the e-mail vector. Note that these settings can cause some Web pages and HTML messages that depend on the browser's object model to behave oddly.
These are obviously extremely critical vulnerabilities. If the facts that one of them has been known since 2003 and that at least one is already being exploited in the wild aren't enough, the fact that Microsoft saw fit to break its recent rule about releasing security bulletins all at once should convince skeptical administrators that they need to pay special attention to this set of patches.
Also watch for …
- XLineSoft's ASPRunner (2.4 and earlier), a popular $99 Windows utility that generates a set of ASP pages to access and modify ODBC databases (including Oracle, SQL Server, Access, DB2, MySQL, and FileMaker), has been hit by several flaws. Help Net Security (net-security.org) reports multiple vulnerabilities in ASPRunner, including SQL injection (moderately critical), information disclosure (low critical), cross-site scripting (low critical), and database download. Ferruh Mavituna discovered these vulnerabilities on July 4, 2004, reported them to the vendor on July 5, and made them public on July 26. There were no known fixes or workarounds at the time this article was published, but check with the vendor for the latest updates.
- Secunia reports a moderately critical spoofing vulnerability in Mozilla 1.7.x (Windows) and Mozilla Firefox 0.9.x (Windows and Linux versions). Proof-of-concept code is posted on securiteam.com. The bug can allow an attacker to present an SSL certificate that belongs to another site as if it were the current site's. The check: compare the site name in the certificate's details with the URL in the address bar, which still correctly shows the malicious Web site's address.
- Opera Web browser version 7.53 build 3850 has a moderately critical phishing-related vulnerability that causes the browser to load the content of one Web site while displaying the URL of a different site. This was also reported by Secunia. If this sounds like a broken record, it's because this is the fourth similar address bar spoofing vulnerability reported in Opera since mid-May of this year: Opera keeps patching them and new ones keep appearing.
- Secunia reports Ziv Kamir has found a problem with FTPGlide that exposes usernames and passwords.
- There is an update for sendmail on SCO OpenServer 5.x to correct an extremely critical vulnerability that can cause a denial of service or a complete compromise of the system. Contact the vendor.
- There is also a new highly critical Mandrake update for mod_ssl that addresses a flaw that can allow complete access to a vulnerable system. There is another, less critical, Mandrake update for sox.