Security

Microsoft remains in spotlight with new patches, delayed SSL fix

It's a busy time for Windows admins. Microsoft has released a group of new Security Bulletins, and a patch for the recently discovered SSL-IE flaw is finally available. This edition of The Locksmith has the details.


A flurry of new Microsoft Security Bulletins, updates, and patches is following closely on the heels of the ground-shaking revelation that Internet Explorer has a critical flaw in the way it handles SSL.

Although Microsoft initially released an aloof response about the SSL threat and said it was difficult to exploit, a white hat hacker reportedly demonstrated that the vulnerability is easily exploited. Finally, on Sept. 4, Microsoft released a patch for the SSL flaw and labeled it a "critical" upgrade.

New flaws and patches
Digital certificate deletion, covered in Security Bulletin MS02-048, relates to a flaw in the ActiveX Certificate Enrollment Control, which downloads and manages PKCS#10-compliant certificate requests in Windows. This flaw can trigger a denial of service event, but not for the entire system, just for digital certificate features. According to the Microsoft Bulletin, a successful attack would corrupt trusted root certificates, EFS encryptions certificates, e-mail signatures, and others, locking out this feature entirely.

Cumulative Patch for Internet Explorer (MS02-047) does not include the patch contained in MS02-048—nor does it address the SSL vulnerability. Rather, this patch covers the following vulnerabilities:
  • Buffer Overrun in Gopher Protocol Handler (CAN-2002-0646) (Note: Details on this candidate hadn't been posted on the CVE list at the time of this writing.)
  • Buffer Overrun in Legacy Text Formatting ActiveX Control (CAN-2002-0647)
  • XML File Reading via Redirect (CAN-2002-0648)
  • File Origin Spoofing (CAN-2002-0722)
  • Cross-Domain Verification in Object Tag (CAN-2002-0723)
  • Variant of Cross-Site Scripting in Local HTML Resource (CAN-2002-0691)

Buffer Overrun in TSAC ActiveX Control (MS02-046) applies to both Web site administrators and end users. The Terminal Services Advanced Client ActiveX control is used to run Terminal Services and provide that capability over the Web.

Unchecked Buffer in Network Share Provider (MS02-045) is a denial of service vulnerability. Microsoft says that network administrators should “consider” installing this patch. It doesn’t appear to be a serious problem.

Unsafe Functions in Office Web Components (MS02-044) addresses three vulnerabilities that would allow an attacker to run arbitrary code on a client system, read files, and read the contents of the local clipboard.

Applicability
Digital certificate deletion
This problem affects Windows 98, NT4, and all later versions of Windows.

Cumulative IE Patch
This patch affects Internet Explorer versions 5.01, 5.5, and 6.0. All of the vulnerabilities apply to nearly all of these versions.

Buffer Overrun in TSAC
To learn if this component is installed on your system(s), check out the detailed procedure in MS02-046. See the mitigating factors below for some more details about what is affected.

Unchecked Buffer in Network Share Provider
This problem affects:
  • Windows NT 4.0 Workstation, Server, and Terminal Server Edition.
  • Windows 2000 Professional, Server, and Advanced Server.
  • Windows XP Professional.

Earlier versions of Windows are also probably vulnerable, but Microsoft no longer supports them and didn’t test them for vulnerabilities.

Unsafe Functions in Office Web Components
Affected software includes Microsoft Office Web Components 2000 and Office Web Components 2002. These are available by download but are already included with:
  • BackOffice Server 2000
  • BizTalk Server 2000
  • BizTalk Server 2002
  • Commerce Server 2000
  • Commerce Server 2002
  • Internet Security and Acceleration Server 2000
  • Money 2002
  • Money 2003
  • Office 2000
  • Office XP
  • Project 2002
  • Project Server 2002
  • Small Business Server 2000

Risk levels
  • Digital certificate deletion—Critical for client systems, low for servers
  • Cumulative Patch for Internet Explorer—Critical for many of the vulnerabilities
  • Buffer Overrun in TSAC—Low for servers, moderate for clients
  • Unchecked Buffer in Network Share Provider—Low for all Internet servers, moderate for all intranet servers and client systems
  • Unsafe Functions in Office Web Components—Critical for clients, low to moderate for servers

Mitigating factors
Digital certificate deletion
Microsoft says in the Security Bulletin that it is difficult to exploit this vulnerability, which can take place through a Web page or by opening an HTML e-mail. There is also a flaw in the SmartCard Enrollment feature, but this will not delete or alter the information on the card even if one is inserted at the time of the attack.

Various combinations of newer software and new and older operating systems may have default installations that open HTML e-mail and Web sites in security zones that will block this attack. Details are included in the bulletin, but the versions are still vulnerable if the default installation is altered, so the patch is still recommended if you are managing a number of different client systems.

Cumulative Patch for Internet Explorer
Because this patch covers so many different problems, going back as far as MS02-015, it wouldn’t really be practical to discuss all the mitigating factors here. I will simply refer you to Security Bulletin MS02-047 for details.

Buffer Overrun in TSAC
This problem poses no threat to servers hosting the services. It's a threat only if the TSAC control was installed by an IIS server that hosts the service. Further, this component is not installed by default on any system. Users of Outlook 98 and 2000 with the Outlook E-mail Security Update are not vulnerable. Neither are users of Outlook Express 6 or Outlook 2002.

Unchecked Buffer in Network Share Provider
Some mitigating factors are detailed in the Security Bulletin for this problem, but they involve turning off important file sharing and print services so are not applicable to most network installations. You can also turn off anonymous access to block some threat vectors, but that won't prevent the exploitation of this vulnerability by legitimate users.

Unsafe Functions in Office Web Components
This flaw entails various, complex sets of mitigating factors, which are detailed in the MS02-044 bulletin.

Fixes
Digital certificate deletion
A patch is available that replaces this ActiveX component with a repaired version, but it can be applied only to IE 5 or later. In addition, Webmasters who use Certificate Enrollment Control on their sites must also make some changes to accommodate the new component. Another flaw, found only in XP and Windows 2000, relates to SmartCard Enrollment and is also fixed with this patch. See MS02-048 for specific patch information and links.

Cumulative Patch for Internet Explorer
Read MS02-047 carefully before applying these patches, because some earlier problems must be addressed before installation. In particular, you may need to install the patches described in MS02-022 and MS02-046 if you haven’t done so already.

Buffer Overrun in TSAC
Apply the patch or set the kill bit manually following the instructions given in MS02-046. The fix just repairs the way the TSAC ActiveX control handles input data checking.

Unchecked Buffer in Network Share Provider
See MS02-045 for links to specific version patches. This fix will be included in Windows 2000 Service Pack 4 and Windows XP Service Pack 1.

Unsafe Functions in Office Web Components
Install Office XP SP2 from Office Product Updates. Install general and/or specific patches or updates as detailed in MS02-044.

The long-awaited patch
As mentioned above, Microsoft initially crafted a response that downplayed the SSL threat and repeated the contention that it is difficult to exploit. Microsoft outlined three reasons for this claim:
  • The attacker must be able to spoof a Web site.
  • The attacker could be caught.
  • Users would see the attack because it can be discovered by carefully checking the digital certificate every time you move to a different page.

But in an apparent contradiction of Microsoft's early assurances, a Reuters report said that a Swedish white hat hacker demonstrated an exploit of this SSL attack by penetrating several Swedish bank servers (three of the top four) “in quick succession.” According to the report, he then erased traces of his attack, and the banks said that they are unaware of it.

"It's a protocol which is very easy to break through," the computer expert said. "The protocol doesn't provide the security the users think it does."

Microsoft’s Swedish representative denied that the attack could take place as described and added that he couldn’t even see any theoretical way to exploit this vulnerability. However, the release of Security Bulletin MS02-050 would seem to indicate that the SSL threat is indeed quite serious.

Editor's Picks