Flaw in Crystal Reports Web Viewer affects Visual Studio, Outlook, and CRM

Get the technical details on Microsoft Security Bulletin MS04-017 and see how it could affect the security of your systems.

Microsoft has patched a vulnerability in the Web viewing component of Crystal Reports. This component is used in Visual Studio .NET 2003, Outlook 2003 (when used with Business Contact Manager), and Microsoft's CRM solution.


The source of the threat is a Directory Transversal Vulnerability, CAN-2004-0204. This can result in a denial of service event or a confidential information disclosure.

MBSA (Microsoft Baseline Security Analyzer) can't detect this problem, but the Systems Management Server (SMS) will report if the update is needed.

According to Microsoft Security Bulletin MS04-017, "Vulnerability in Crystal Reports Web Viewer Could Allow Information Disclosure and Denial of Service," the vulnerable component is the CrystalDecisions.Web.dll file earlier than version 9.1.9800.9.

Patches are available, and there are several possible workarounds.


This flaw affects:

  • Visual Studio .NET 2003 (only if IIS was installed at the time VS.NET 2003 was installed).
  • Outlook 2003 with Business Contact Manager (only if installed at a time when IIS was already installed).
  • Microsoft Business Solutions CRM 1.2.

For the first two pieces of software, any authenticated or anonymous user accessing Crystal Reports Web Viewer can attack using this vulnerability. For CRM 1.2, only authenticated users are capable of launching an attack because they are the only ones who can access the Web Viewer. The threats that are dependent on an IIS installation are due to the different default installation triggered by the presence of IIS.

Microsoft reports that no other versions of these programs are affected by this vulnerability.

Risk level—moderate to high

Microsoft rates this as only a moderate threat, but it bases its evaluation in part on how many people are using the affected products. Since the threat in MS04-017 applies to products that don't ship with every Windows computer, the company rates the threat as only moderate.

However, when I determine threat levels, I normally look at the potential damage to those who are using the vulnerable programs. After all, if your systems can be easily compromised by a flaw, it is little consolation if few others are vulnerable. Therefore, I rate the threat level of this vulnerability as high because a successful attacker could view or modify database files, probably without leaving a trace. The actual level of threat would depend in great part on how critical the information stored in the database is; however, a good firewall configuration would greatly reduce the risk.

This isn't one of those really big threats, but it can cause a lot of problems and requires your attention if you are managing the affected products.

Mitigating factors

  1. Only systems with Internet Information Services (IIS) installed are vulnerable.
  1. Good firewall security practices should block this attack.
  1. Microsoft reports, "The attack is only effective against files where the IIS worker process that is hosting the CrystalDecisions.Web.dll file has delete permissions." Whether this means that the exploit couldn't also be used to view unauthorized files wasn't made clear in the bulletin.

Fix—apply the provided patch

One workaround is that since this only affects systems with IIS installed, disabling IIS would block any attack through this vector. According to Microsoft, executing the net stop w3svc command is actually all that is required to disable IIS. This would, of course, terminate Web content access. See the Security Bulletin for additional workarounds, as well as patches for the affected products.

Final word

As usual, I will make every attempt to discover and post any important changes in the discussion section of this article during the week that it is published, but you should always check the current versions of the Microsoft Security Bulletins for more details and also to make certain that there have been no important updates to the information presented here.

Also watch for...

  • MS04-016, "Vulnerability in DirectPlay Could Allow Denial of Service," is a moderate threat causing a denial of service event that affects networked DirectPlay game applications running on almost any Microsoft platform, with the exception of Windows NT 4.0.
  • A recently published Computer Security Institute/FBI statistical study (free, registration required) of 2003 IT security events shows 75 percent of surveyed firms suffering financial losses, but less than half were able to determine the size of the loss. Most losses were of proprietary information. Internet-based attacks were up, but insider attempts to breach security still accounted for a large percentage of security events.
  • The Korgo family of worms attacks the LSASS vulnerability in Microsoft Windows 2000 and XP systems that haven't applied the patch provided in Microsoft Security Bulletin MS04-011. Judging by the number of reported infections, that includes a lot of systems. Symantec reports that some versions of Korgo plant backdoors opening TCP port 113, 3067, and other randomly selected ports.
  • A vulnerability in a number of IBM products lets local users hijack a session and gain access to applications or data. Affected are IBM Tivoli Access Manager for e-business 3.x, 4.x, and 5.x; Tivoli Configuration Manager 4.x; Tivoli Configuration Manager for Automatic Teller Machines 2.x; and Tivoli SecureWay Policy Director 3.x. The IBM advisory gives details and provides patches.
  • Symantec CEO John Thompson sees Microsoft as a "target-rich" environment for virus writers for years to come, downplaying wireless threats. He also said he isn't worried about Microsoft's entry into the antivirus market, stating the Redmond giant has too many irons in the fire to be taken seriously as an antivirus company. Thompson also says that Microsoft code isn't inherently less secure than that of Linux or UNIX, explaining the number of Microsoft attacks by comparing virus writers to graffiti artists and an OS to their "canvas." Thompson said, "If somebody writes graffiti, they're not going to write it on a wall at the end of a dead-end alley. They're going to write it on a train that travels right through the city center." He went on to predict in a speech in England that Microsoft Office would likely be the next big target.
  • Secunia reports that fully qualified domain names (FQDN) exactly eight characters long can be used to access Windows 2000-based servers with expired passwords. See the Knowledge Base Article 830847 for more information and a link to the hotbfix.
  • SpamGUARD is reported by the vendor to have various critical vulnerabilities that can permit an attacker to run arbitrary code on systems running SpamGUARD versions dated prior to March 16, 2004. Check with the vendor.
  • AppleFileServer versions prior to Mac OS X 10.3.4 have an unspecified SSH reporting error. A fix is available by upgrading to 10.3.4. Other Mac OS X vulnerabilities verified by Apple include:
    —An unspecified flaw in package installation
    —An unspecified flaw in LoginWindow
    —An unspecified flaw in NFS
    Since Apple hasn't disclosed any information about the underlying threats or their potential impact, it's impossible to estimate the level of threat posed by these vulnerabilities.
  • GreyMagic has reported a flaw in Opera 7.x versions that lets a shortcut icon (favicon) conceal address spoofing attempts in various browser displays. The fix is to update to the latest version of Opera.
  • MIT's Kerberos V5 authentication protocol has a buffer overflow vulnerability in releases prior to 1.3.3 that can allow remote users to run arbitrary code on the affected systems. The advisory has more information and instructions for disabling the vulnerable library function until version 1.3.4 is released to fix the threat.
  • There is a BugTraq report of a CVS server vulnerability in NetBSD versions prior to May 21, 2004. Affected are NetBSD 1.6.2, 1.6.1, and 1.6. NetBSD 1.5.x isn't affected because it doesn't ship with CVS.
  • If you're feeling a bit harried lately, there's good reason: Sophos has compiled a list and says there were 959 new viruses released in May 2004.

Editor's Picks

Free Newsletters, In your Inbox