Microsoft released an urgent cumulative security bulletin on
Friday, July 30, 2004. The company obviously puts a high priority on the
critical security issues covered in this bulletin since it broke its policy of
releasing all security bulletins for the month on a single day in the first
half of each month. The new bulletin deals with threats to Microsoft Internet
Explorer, and it is an update to the earlier cumulative Security Bulletin MS04-004.
Some or all of the newly addressed vulnerabilities have already been exploited
in the wild.
Details
MS04-025,
“Cumulative Security Update for
Internet Explorer,” includes patches for three new critical
vulnerabilities, all of which allow a remote attacker to run arbitrary code.
- Malformed GIF file double-free vulnerability (CAN-2003-1048)
  This is the mshtml.dll denial of service and remote code execution
  "double-free" vulnerability described back in 2003 (see these three
  messages from the Full Disclosure list for more info: message 1, message 2,
  message 3). By crafting a specially malformed image file, an attacker can
  make the browser free a block of memory that it has already freed. This
  corrupts the heap and can let the attacker place malicious code in that
  memory region, which the program may later attempt to execute. Normally
  this just crashes the system, but in some circumstances the malicious code
  runs, potentially giving the attacker complete control of the system.
  Microsoft reports having seen proof-of-concept code for this vulnerability
  but not having received any notice from customers that it has actually been
  exploited. The attack can take place either through a malicious e-mail
  message or a malicious Web site.
- Malformed BMP file buffer overrun vulnerability (CAN-2004-0566)
  This is a buffer overrun vulnerability triggered by a poorly validated BMP
  image. Microsoft states that it has received reports of the exploit being
  seen in the wild, so this is a real-world, ongoing threat. It can be
  exploited either through a malicious e-mail message or a malicious Web site.
- Navigation method cross-domain vulnerability (CAN-2004-0549)
  This is a remote code execution vulnerability that can give the attacker
  complete control over vulnerable systems because it allows malicious script
  code to run in the Local Machine security zone. It can be exploited either
  through a malicious e-mail message or a malicious Web site.
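To make the double-free mechanism described above concrete, here is an added example (not code from the bulletin, Microsoft, or any GIF parser): a toy image decoder with a constructed four-byte header that frees its pixel buffer twice on a malformed-header error path, beside a corrected version that validates before allocating and frees exactly once.

```c
/* Added example, not from the bulletin or Microsoft's code. The header
 * format (width, height, two reserved bytes) is constructed for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 4

/* Returns 0 on a valid header; a zero dimension or short input is malformed. */
static int parse_header(const uint8_t *buf, size_t n, size_t *w, size_t *h) {
    if (n < HDR_LEN) return -1;
    *w = buf[0];
    *h = buf[1];
    return (*w && *h) ? 0 : -1;
}

/* Vulnerable pattern: the error branch frees the buffer, then jumps into the
 * shared cleanup which frees the same block again. Shown for contrast only;
 * running it corrupts the heap (modern allocators usually abort instead). */
int decode_vulnerable(const uint8_t *buf, size_t n) {
    size_t w, h;
    uint8_t *pixels = malloc(256);   /* allocated before any validation */
    if (!pixels) return -1;
    if (parse_header(buf, n, &w, &h) != 0) {
        free(pixels);                /* first free, on the error path */
        goto cleanup;
    }
cleanup:
    free(pixels);                    /* second free of the same block */
    return 0;
}

/* Fixed: validate first so the error path owns nothing, guard the size
 * arithmetic, free once, and null the pointer so a later free is a no-op. */
int decode_fixed(const uint8_t *buf, size_t n) {
    size_t w, h, len;
    uint8_t *pixels;
    if (parse_header(buf, n, &w, &h) != 0) return -1;  /* nothing allocated */
    if (w > SIZE_MAX / h) return -1;                     /* w * h would overflow */
    len = w * h;
    if (n - HDR_LEN < len) return -1;                    /* truncated pixel data */
    pixels = calloc(len, 1);
    if (!pixels) return -1;
    memcpy(pixels, buf + HDR_LEN, len);
    /* ... decode pixels here ... */
    free(pixels);
    pixels = NULL;                   /* single owner, single free */
    return (int)len;                 /* bytes decoded */
}
```

Only `decode_fixed` is meant to be called; `decode_vulnerable` documents the defective control flow that a double-free fix removes.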
Applicability
These flaws affect Internet Explorer 5.01 and later. This
includes:
- IE 5.01 with all service packs installed
- IE 6 and IE 6 64-bit edition with all service packs installed
- IE 6 for Windows Server 2003 and Windows Server 2003 64-bit edition
Risk level – Cumulative risk is critical
The malformed GIF file double-free vulnerability is critical for
all IE versions 5.01 and later.
The malformed BMP file buffer overrun vulnerability is critical
for IE 5.01, IE 5.5, and IE 6 prior to Service Pack 1. The vulnerability doesn’t
apply to IE 6 SP1 or IE 6 in Windows Server 2003.
The navigation method cross-domain vulnerability does not apply
to IE 5.01, is moderate in IE 6 for Windows Server 2003, and is critical for the
other versions of IE.
Mitigating factors
For the malformed GIF and malformed BMP vulnerabilities, the
only real mitigating factor is that the attacker would only gain the privileges
of the current user, so following the best practice of running at the lowest
practical user level may reduce the damage caused by this threat, although it
won’t block the attack itself. Opening e-mail in plain text would eliminate the
risk of e-mail attacks, but wouldn’t block attacks from malicious Web sites.
For the navigation method cross-domain vulnerability, a complete takeover of
the system requires that the current user has administrator privileges, but
any successful attack can still run code in the Local Machine security zone.
Also, applying the patches in MS04-024 and disabling the ADODB.Stream object
as described in Microsoft Knowledge Base Article 870669 will reduce exposure
to this vulnerability. Opening e-mail in plain text would eliminate the risk
of e-mail attacks, but wouldn't block attacks from malicious Web sites.
Fix – Apply the provided patches
The only workaround for the malformed GIF flaw is to open
HTML e-mail in plain text. There are no workarounds for Web site-based attacks
where the site hosts a malicious GIF file. The same applies for the malformed
BMP flaw.
Workarounds for the navigation method cross-domain vulnerability
are to tighten the Local Machine zone security settings and to set the
Internet and Local intranet security zones to High, so that you are prompted
before the browser runs an ActiveX control. Also, of course, opening e-mail in
plain text would eliminate the e-mail threat, although this can cause some
unusual behavior triggered by the object model.
Final word
These are obviously extremely critical vulnerabilities. Even
if the facts that one of them has been around since 2003 and that some of the
flaws are already being exploited in the wild aren’t enough, the fact that
Microsoft saw fit to break its recent rule about releasing security bulletins
all at once should be enough to convince skeptical administrators that they
need to pay special attention to this set of patches.
Also watch for …
- XLineSoft's ASPRunner (2.4 and earlier), a popular $99 Windows utility
  that creates a set of ASP pages to access and modify ODBC databases
  (including Oracle, SQL Server, Access, DB2, MySQL, or FileMaker), has been
  hit by several flaws. HNS net-security reports multiple critical
  vulnerabilities in ASPRunner, including SQL injection (moderately critical),
  information disclosure (low critical), cross-site scripting (XSS, low
  critical), and database download. Ferruh Mavituna discovered these
  vulnerabilities on July 4, 2004, reported them to the vendor on July 5, and
  made them public on July 26. There were no known fixes or workarounds at the
  time this article was published, but check with the vendor for the latest
  updates.
- Secunia reports a moderately critical spoofing vulnerability in Mozilla
  1.7.x (Windows) and Mozilla Firefox 0.9.x (Windows and Linux versions).
  There is proof-of-concept code posted on securiteam.com. The bug can allow
  an attacker to abuse SSL certificates that belong to other sites. You can
  compare the URL in the certificate with the one displayed in the browser,
  which accurately shows the malicious Web site's URL.
- Opera Web browser version 7.53 build 3850 has a moderately critical
  phishing-related vulnerability that causes the browser to load the content
  of one Web site while displaying the URL of a different site. This was also
  reported by Secunia. If this sounds like a broken record, I should mention
  that this is the fourth similar address bar spoofing vulnerability reported
  in Opera since mid-May of this year. Opera keeps patching them and new ones
  keep appearing.
- Secunia reports that Ziv Kamir has found a problem with FTPGlide that
  exposes usernames and passwords.
- There is an update for SCO OpenServer 5.x sendmail to correct an extremely
  critical vulnerability that triggers a denial-of-service event or results
  in complete compromise of a system. Contact the vendor.
- There is also a new highly critical Mandrake update for mod_ssl that
  addresses a flaw that can allow complete access to a vulnerable system.
  There is another, less critical, Mandrake update for sox.