Microsoft released an urgent cumulative security bulletin on
Friday, July 30, 2004. The company obviously puts a high priority on the
critical security issues covered in this bulletin since it broke its policy of
releasing all security bulletins for the month on a single day in the first
half of each month. The new bulletin deals with threats to Microsoft Internet
Explorer, and it is an update to the earlier cumulative Security Bulletin MS04-004.
At least one of the newly addressed vulnerabilities has already been exploited
in the wild.

Details

MS04-025,
“Cumulative Security Update for
Internet Explorer,” includes patches for three new critical
vulnerabilities, all of which allow a remote attacker to run arbitrary code.

  1. Malformed GIF file double-free vulnerability
    CAN-2003-1048
    This is the mshtml.dll “double-free” denial of service and remote code
    execution vulnerability first described back in 2003 in three messages on
    the Full Disclosure list. By crafting a malicious image file, an attacker
    can make the browser free the same block of heap memory twice. The second
    free corrupts the heap allocator's bookkeeping, and an attacker who
    controls what gets allocated afterward can use that corruption to place
    data of his choosing (including code) where the program will later treat
    it as trusted. This will normally just crash the browser, but in some
    circumstances it allows the attacker's code to run, perhaps giving the
    attacker complete control of the system. Microsoft reports having seen
    proof-of-concept code for this vulnerability but no reports from customers
    that it has actually been exploited. The attack can take place either
    through a malicious HTML e-mail message or a malicious Web site.
  2. Malformed BMP file buffer overrun vulnerability
    CAN-2004-0566
    This is a buffer overrun triggered by a BMP image whose header values
    (dimensions, offsets, and sizes) are not properly validated before the
    image data is processed. Microsoft states that it has received reports of
    this flaw being exploited in the wild, so this is a real-world, ongoing
    threat. It can be exploited either through a malicious e-mail message or a
    malicious Web site.
  3. Navigation method cross-domain vulnerability
    CAN-2004-0549
    This is a remote code execution vulnerability that can give the attacker
    complete control over vulnerable systems because it allows script from an
    untrusted page to run in the Local Machine security zone, the zone with
    the fewest restrictions. It can be exploited either through a malicious
    e-mail message or a malicious Web site.
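The GIF and BMP items above are two classic image-parser memory bugs: a block freed twice, and header-declared sizes trusted when copying pixel data. The following is an added example, written for this page and not Microsoft's or IE's code, of a defensive BMP header parser that applies the checks whose absence produces the overrun class, together with a free-and-null cleanup that keeps an error path plus a caller's cleanup from freeing the same block twice. The header offsets follow the public BMP file layout; the MAX_DIM cap, the probe helpers, and the 70-byte sample image are this example's own assumptions and constructed data.

```c
/* Added example, not Microsoft's code: a defensive BMP header parser with the
 * checks whose absence gives the "poorly validated image" overrun class, plus a
 * free-and-null cleanup so an error path and a caller's cleanup cannot free one
 * block twice. Offsets follow the public BMP layout; MAX_DIM and the sample
 * bytes are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BMP_FILE_HDR 14
#define BMP_INFO_HDR 40
#define MAX_DIM      16384          /* assumed policy cap on width and height */

enum bmp_status { BMP_OK = 0, BMP_BAD_MAGIC, BMP_TRUNCATED, BMP_BAD_DIMS,
                  BMP_BAD_FORMAT, BMP_BAD_OFFSET, BMP_OOM };

struct bmp_image {
    uint32_t width, height, bpp, stride;
    uint8_t *pixels;                /* heap copy of the rows; NULL once freed */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The double-free pattern: an error path frees the buffer but leaves the
 * pointer set, so the caller's cleanup frees it again and corrupts allocator
 * metadata. Clearing the pointer makes a repeat call a harmless no-op. */
void bmp_free(struct bmp_image *img) {
    free(img->pixels);
    img->pixels = NULL;
}

enum bmp_status bmp_parse(const uint8_t *buf, size_t len, struct bmp_image *img) {
    memset(img, 0, sizeof *img);
    if (len < BMP_FILE_HDR + BMP_INFO_HDR) return BMP_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_MAGIC;
    uint32_t off_bits = rd32(buf + 10), info_size = rd32(buf + 14), compress = rd32(buf + 30);
    int32_t  w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22); /* h < 0: top-down */
    uint16_t planes = rd16(buf + 26), bpp = rd16(buf + 28);

    if (info_size < BMP_INFO_HDR || info_size > len - BMP_FILE_HDR) return BMP_TRUNCATED;
    /* Bound the dimensions before any arithmetic depends on them. */
    if (w <= 0 || w > MAX_DIM) return BMP_BAD_DIMS;
    uint32_t abs_h = (uint32_t)(h < 0 ? -(int64_t)h : h);
    if (abs_h == 0 || abs_h > MAX_DIM) return BMP_BAD_DIMS;
    if (planes != 1 || compress != 0 || !(bpp == 1 || bpp == 4 || bpp == 8 ||
          bpp == 16 || bpp == 24 || bpp == 32)) return BMP_BAD_FORMAT;

    /* Rows pad to 4 bytes; 64-bit math plus the MAX_DIM cap means a header
     * cannot make this wrap to a small, under-allocated size. */
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;
    uint64_t pixel_bytes = stride * abs_h;
    /* The pixel offset must sit after the headers and inside the file, and every
     * row must fit. Skipping these checks and copying header-declared sizes into
     * a fixed buffer is exactly the overrun class. */
    if (off_bits < (uint64_t)BMP_FILE_HDR + info_size || off_bits > len) return BMP_BAD_OFFSET;
    if (pixel_bytes > len - off_bits) return BMP_TRUNCATED;

    img->pixels = malloc((size_t)pixel_bytes);
    if (!img->pixels) return BMP_OOM;
    memcpy(img->pixels, buf + off_bits, (size_t)pixel_bytes);
    img->width = (uint32_t)w; img->height = abs_h;
    img->bpp = bpp; img->stride = (uint32_t)stride;
    return BMP_OK;
}

/* Constructed 2x2 24-bit sample (70 bytes): 14-byte file header, 40-byte info
 * header, two 8-byte rows (6 pixel bytes + 2 padding each). Not a real file. */
static const uint8_t SAMPLE_BMP[70] = {
    'B','M', 70,0,0,0, 0,0,0,0, 54,0,0,0,
    40,0,0,0, 2,0,0,0, 2,0,0,0, 1,0, 24,0, 0,0,0,0, 16,0,0,0,
    0x13,0x0B,0,0, 0x13,0x0B,0,0, 0,0,0,0, 0,0,0,0,
    0xFF,0,0, 0,0xFF,0, 0,0,  0,0,0xFF, 0xFF,0xFF,0xFF, 0,0
};

/* Probes over mutated copies of the sample: 0 = untouched, 1 = width patched
 * to 0x7FFFFFFF, 2 = bfOffBits = 1000 (past the end), 3 = file cut at 60 bytes. */
enum bmp_status probe(int which) {
    uint8_t copy[sizeof SAMPLE_BMP];
    size_t len = sizeof copy;
    struct bmp_image img;
    memcpy(copy, SAMPLE_BMP, len);
    if (which == 1) { copy[18] = 0xFF; copy[19] = 0xFF; copy[20] = 0xFF; copy[21] = 0x7F; }
    if (which == 2) { copy[10] = 0xE8; copy[11] = 0x03; }
    if (which == 3) len = 60;
    enum bmp_status st = bmp_parse(copy, len, &img);
    bmp_free(&img);                 /* safe whether or not parsing succeeded */
    return st;
}

/* Parses the sample, frees it twice, and reports whether that was harmless. */
int double_free_is_safe(void) {
    struct bmp_image img;
    if (bmp_parse(SAMPLE_BMP, sizeof SAMPLE_BMP, &img) != BMP_OK) return 0;
    uint32_t stride = img.stride;
    bmp_free(&img);
    bmp_free(&img);
    return img.pixels == NULL && stride == 8;
}

int main(void) {
    for (int i = 0; i < 4; i++) printf("probe %d -> status %d\n", i, probe(i));
    printf("double free safe: %d\n", double_free_is_safe());
    return 0;
}
```

The point of the probes is that every decision about how much memory to allocate or copy is made from values the parser has already bounded, never from raw header fields, and that the only place a pointer is freed also clears it, so the caller's cleanup is idempotent.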

Applicability

These flaws affect Internet Explorer 5.01 and later. This
includes:

  • IE 5.01 with all service packs installed
  • IE 5.5 with all service packs installed
  • IE 6 and IE 6 64-bit edition with all service packs installed
  • IE 6 for Windows Server 2003 and Windows Server 2003 64-bit edition

Risk level – Cumulative risk is critical

The malformed GIF file double-free vulnerability is critical for
all IE versions 5.01 and later.

The malformed BMP file buffer overrun vulnerability is critical
for IE 5.01, IE 5.5, and IE 6 prior to Service Pack 1. The vulnerability doesn’t
apply to IE 6 SP1 or IE 6 in Windows Server 2003.

The navigation method cross-domain vulnerability does not apply
to IE 5.01, is moderate in IE 6 for Windows Server 2003, and critical for the
other versions of IE.

Mitigating factors

For the malformed GIF and malformed BMP vulnerabilities, the
only real mitigating factor is that the attacker would gain only the privileges
of the current user, so following the best practice of running with the lowest
practical privilege level may reduce the damage caused by this threat, although it
won’t block the attack itself. Opening e-mail in plain text would eliminate the
risk of e-mail attacks, but wouldn’t block attacks from malicious Web sites.

For the navigation method cross-domain vulnerability, a complete takeover of
the system requires that the victim be logged on with administrator privileges,
but any successful attack would allow the attacker to run code in the Local
Machine zone with whatever privileges the current user has. Also, applying the
patches in MS04-024 and disabling the ADODB.Stream object as described in
Microsoft Knowledge Base Article 870669 will reduce exposure to this
vulnerability. Opening e-mail in plain text would eliminate the risk of e-mail
attacks, but wouldn’t block attacks from malicious Web sites.

Fix – Apply the provided patches

The only workaround for the malformed GIF flaw is to open
HTML e-mail in plain text. There are no workarounds for Web site-based attacks
where the site hosts a malicious GIF file. The same applies for the malformed
BMP flaw.

Workarounds for the navigation method cross-domain vulnerability
are to tighten the Local Machine zone security settings and to set the Internet
and Local intranet security zones to High, so that you will be prompted before
the browser runs an ActiveX control. Also, of course, opening e-mail in plain
text would eliminate the e-mail threat, although this can cause some unusual
behavior in messages that rely on the object model.

Final word

These are obviously extremely critical vulnerabilities. If
the fact that one of them has been known since 2003 and that at least one is
already being exploited in the wild isn’t enough, the fact that Microsoft saw
fit to break its recent rule about releasing security bulletins all at once
should be enough to convince skeptical administrators that they need to pay
special attention to this set of patches.


Also watch for …

  • XLineSoft’s ASPRunner (2.4 and earlier), a popular $99 Windows utility
    that creates a set of ASP pages to access and modify ODBC databases (including
    Oracle, SQL Server, Access, DB2, MySQL, or FileMaker), has been hit by
    several flaws. Help Net Security (HNS) reports multiple vulnerabilities in
    ASPRunner, including SQL injection (moderately critical), information
    disclosure (low critical), cross-site scripting (XSS; low critical), and
    database download. Ferruh Mavituna discovered these vulnerabilities on
    July 4, 2004, reported them to the vendor on July 5, and made them public
    on July 26. There were no known fixes or workarounds at the time this
    article was published, but check with the vendor for the latest updates.
  • Secunia reports a moderately critical spoofing vulnerability in
    Mozilla 1.7.x (Windows) and Mozilla Firefox 0.9.x (Windows and Linux
    versions). There is proof-of-concept code posted on securiteam.com. The
    bug can allow an attacker to present an SSL certificate that belongs to
    another site as if it were the current site’s. As a check, compare the site
    name in the certificate with the URL in the address bar: the address bar
    still accurately shows the malicious Web site’s URL, so a mismatch reveals
    the spoof.
  • Opera Web browser version 7.53 build 3850 has a moderately critical
    phishing-related vulnerability that causes the browser to load the content
    of one Web site while displaying the URL of a different site. This was also
    reported by Secunia. If this sounds like a broken record, I should mention
    that this is the fourth similar address bar spoofing vulnerability reported
    in Opera since mid-May of this year. Opera keeps patching them and new ones
    keep appearing.
  • Secunia reports that Ziv Kamir has found a problem with FTPGlide that
    exposes usernames and passwords.
  • There is an update for SCO OpenServer 5.x sendmail to correct an extremely
    critical vulnerability that triggers a denial-of-service event or results in
    complete compromise of a system. Contact the vendor.
  • There is also a new highly critical Mandrake update for mod_ssl that
    addresses a flaw that can allow complete access to a vulnerable system.
    There is another, less critical, Mandrake update for sox.