Microsoft Security Bulletin MS03-042
Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232) Issued: October 15, 2003 Version Number: 1.0
Summary Who Should Read This Document: Customers using Microsoft® Windows®
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the patch immediately
Patch Replacement: None
Tested Software and Patch Download Locations:
Affected Software: Microsoft Windows 2000, Service Pack 2 – Download the patch Microsoft Windows 2000, Service Pack 3, Service Pack 4 – Download the Patch Non Affected Software: Microsoft Windows NT 4.0 Microsoft Windows NT Server 4.0, Terminal Server Edition Microsoft Windows Millennium Edition Microsoft Windows XP Microsoft Windows Server 2003 The software listed above has been tested to determine if the versions are affected. Other versions are no longer supported, and may or may not be affected.
Technical Details Technical Description:
A security vulnerability exists in the Microsoft Local Troubleshooter ActiveX control. The vulnerability exists because the ActiveX control (Tshoot.ocx) contains a buffer overflow that could allow an attacker to run code of their choice on a user’s system. Because this control is marked "safe for scripting", an attacker could exploit this vulnerability by convincing a user to view a specially crafted HTML page that references this ActiveX control. The Microsoft Local Troubleshooter ActiveX control is installed as a default part of the operating system on Windows 2000.
To exploit this vulnerability, the attacker would have to create a specially formed HTML–based e-mail and send it to the user. Alternatively an attacker would have to host a malicious Web site that contained a Web page designed to exploit this vulnerability.
In the worst case, this vulnerability could allow an attacker to load malicious code onto a user's system and then to execute the code. The code would run in the context of the user. Therefore, the code is limited to any action that the legitimate user could take on the system. Any limitations on the user's account would also limit the actions of any arbitrary code that the attacker could execute.
The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:
You have applied the patch included with Microsoft Security bulletin MS03-040 You are using Internet Explorer 6 or later You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in their default configuration. Mitigating factors:
A Web–based attack would only be successful if the attacker creates a Web site that contains a Web page that they use to exploit this vulnerability. An attacker would have no way to force users to visit the malicious Web site. Instead, the attacker would have to lure them there, typically by getting them to click a link in an email message that would takes them to the attacker's site. By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in the Restricted Sites Zone if the Outlook Email Security Update has been installed. Customers who use any of these products would be at a reduced risk from an e-mail borne attack that attempted to exploit this vulnerability unless the user clicked a malicious link in the email. An attacker’s code could only run with the same permissions as the logged on user. The specific privileges the attacker could gain through this vulnerability would therefore depend on the privileges granted to the user. Any limitations on the user's account would also limit the actions of any arbitrary code executed by this vulnerability.
Microsoft Windows 2000 Critical
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0661
Workarounds Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability however they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases – in such situations this is identified below.
Prompt before running of ActiveX controls in the Internet and Intranet zones: You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX components. To do this, perform the following steps: In Internet Explorer, select Tools, Internet Options Click on the Security tab Highlight the Internet icon and click on the Custom Level button Scroll through the list to the Active X controls and plug-ins section Under Run ActiveX controls and plug-ins click Prompt Click OK Highlight the Local Intranet icon and click on the Custom Level button Scroll through the list to the Active X controls and plug-ins section Under Run ActiveX controls and plug-ins click Prompt Click OK; then click OK again to return to Internet Explorer Impact of Workaround: Many Web sites on the Internet use ActiveX to provide additional functionality. For instance, an online e-commerce site or banking site might use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting for all Internet and Intranet sites. You will be prompted frequently when you enable this work-around. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX components. If you do not want to be prompted for all of these sites, you can instead use the "Restrict Web sites to only your trusted Web sites" workaround.
Restrict Web sites to only your trusted Web sites. After requiring a prompt before running ActiveX in the Internet and Intranet zone, you can add sites that you trust into Internet Explorer’s Trusted sites. This will allow you to continue using trusted Web sites exactly as you do today, while protecting you from this attack on untrusted sites. Microsoft recommends that you only add sites that you trust to the trusted sites zone. To do this, perform the following steps:
In Internet Explorer, select Tools, then Internet Options. Click the Security tab. In the box labeled Select a Web content zone to specify its current security settings, click Trusted Sites, then click Sites. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box. In the box labeled Add this Web Site to the zone, type the URL of a site that you trust, then click the Add button. Repeat for each site that you want to add to the zone.
Click OK twice to accept the changes and return to Internet Explorer. Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is "*.windowsupdate.microsoft.com" (without the quotes). This is the site that will host the patch, and it requires the use of an ActiveX control to install the patch. Impact of Workaround: For those sites you have not configured to be in your Trusted sites zone, their functionality will be impaired if they require ActiveX controls to function properly. Adding sites to your Trusted sites zone will allow them to be able to download the ActiveX control required to function correctly. However you should only add Web sites you trust to the Trusted sites zone.
Install Outlook Email Security Update if you are using Outlook 2000 SP1 or Earlier. The Outlook Email Security Update causes Outlook 98 and 2000 to open HTML mail in the Restricted Sites Zone by default. Outlook Express 6.0 and Outlook 2002 by default open HTML mail in the Restricted Sites Zone. Customers who use any of these products would be at a reduced risk from an e-mail borne attack that attempts to exploit this vulnerability unless the user clicks a malicious link in the email
If you are using Outlook 2002 or Outlook Express 6.0SP1 or higher, to help protect yourself from the HTML email attack vector, read email in plain text format. Users of Microsoft Outlook 2002 and Outlook Express 6.0 who have applied Service Pack 1 and or higher can enable a feature to view all non-digitally-signed e-mail or non-encrypted e-mail messages in plain text only.
Digitally signed e-mail or encrypted e-mail messages are not affected by the setting and may be read in their original formats. Information on enabling this setting in Outlook 2002 can be found in the following Knowledge Base article:
Information on enabling this setting in Outlook Express 6.0 can be found in the following Knowledge Base article:
Impact of Workaround: E-mail viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. In addition:
The changes are applied to the preview pane and open messages. Pictures become attachments to avoid loss. Since the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly because the message is still in Rich Text or HTML format in the mail store.
Frequently Asked Questions What is the scope of the vulnerability? This is a buffer overrun vulnerability. An attacker who successfully exploited the vulnerability could, in the worst case, run code of their choice on a user’s system. This would enable an attacker to take any action the legitimate user could take. This could include creating, modifying or deleting data, This could also include reconfiguring the system, or reformatting the hard disk.
What causes the vulnerability? The vulnerability results because the Microsoft Local Troubleshooter ActiveX control (Tshoot.ocx) does not correctly validate parameters under certain circumstances. By luring a user into viewing a specially-crafted Web page, or by sending them a specially-crafted email, an attacker could cause the ActiveX control to fail in such a way that could allow an attacker to run arbitrary code.
What's ActiveX? ActiveX® is a technology that enables developers to write small programs that are named controls. Web pages, Visual Basic® programs, and other applications can use controls. An ActiveX control performs a small number of related tasks and can be used as building blocks in much more complex programs.
Developers can build custom ActiveX controls. If developers build custom ActiveX controls, the controls must be distributed to each user. However, Microsoft and many third-party software vendors include ActiveX controls with their products, to enable these products to be easily extended. The vulnerability in this case involves an ActiveX control that installs by default as part of the operating system.
Which ActiveX controls contain the vulnerability? The Microsoft Windows Help system is a default component of Windows. This Help system features documentation and interactive troubleshooting wizards that help users diagnose common problems. In Windows 2000, the Microsoft Windows Troubleshooting and Help System uses an ActiveX control that is named the Microsoft Local Troubleshooter (Tshoot.ocx). The Microsoft Windows Troubleshooting and Help System uses an ActiveX control that is named the Microsoft Local Troubleshooter (Tshoot.ocx). Microsoft Local Troubleshooter interacts with the local computer to help diagnose problems. This ActiveX control was designed to be used only by the Windows Troubleshooting and Help System.
What is wrong with the affected ActiveX controls? The affected ActiveX control contain a buffer overrun. Because the control is marked "safe for scripting’" after installation, Internet Explorer, even in the Internet security zone, can load the control without any user interaction. By luring a user to view a specially-crafted Web page, an attacker could cause the control to fail in such a way that would allow arbitrary code to be run.
What are Internet Explorer security zones?
Internet Explorer security zones are a system that divides online content into categories or zones based on its trustworthiness. Specific Web domains can be assigned to a zone, depending on how much trust is placed in the content of each domain. The zone then restricts the capabilities of the Web content, based on the zone's settings.
By default, most Internet domains are treated as part of the Internet security zone, which has settings that prevent scripts and other active code from accessing resources on the local system. Conversely, the My Computer zone is a much less restricted zone which allows content to access and to make changes to content that is on the local system. By default, files that are stored on the local computer are run in the My Computer zone.
What could this vulnerability enable an attacker to do? An attacker who successfully exploited this vulnerability could, in the worst case, run code of their choice on a user’s system. This would enable an attacker to take any action the legitimate user could take. This could include creating, modifying or deleting data. This could also include reconfiguring the system, or reformatting the hard disk.
How could an attacker exploit the vulnerability? To exploit this vulnerability, the attacker would have to create a specially formed HTML–based e-mail and send it to the user. Alternatively an attacker would have to host a malicious Web site that contained a Web page designed to exploit this vulnerability.
Is there anything that helps mitigate the risk of an HTML email attack? The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:
You have applied the patch included with Microsoft Security bulletin MS03-040 You are using Internet Explorer 6 or later You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in their default configuration. What does the patch do? The patch helps remove the vulnerability by making sure that the ActiveX control validates all parameters correctly.
Security Patch Information Installation platforms and Prerequisites:
For information about the specific security patch for your platform, click the appropriate link:
Windows 2000 (all versions) Prerequisites:
For Windows 2000 this security patch requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).
For information about the Windows desktop product life cycle, visit the following Microsoft Web site: http://microsoft.com/windows/lifecycle/desktop/consumer/components.mspx.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base: 260910 How to Obtain the Latest Windows 2000 Service Pack
This security patch supports the following Setup switches:
/?: Show the list of installation switches. /u: Use Unattended mode. /f: Force other programs to quit when the computer shuts down. /n: Do not back up files for removal. /o: Overwrite OEM files without prompting. /z: Do not restart when the installation is complete. /q: Use Quiet mode (no user interaction). /l: List the installed hotfixes. /x: Extract the files without running Setup.
To install the security patch without any user intervention, use the following command line:
For Windows 2000 Service Pack 3, Windows 2000 Service Pack 4: Windows2000-kb826232-x86-enu /u /q For Windows 2000 Service Pack 2: Windows2000-kb826232-x86-enu-customservicepacksupport /u /q To install the security patch without forcing the computer to restart, use the following command line:
For Windows 2000 Service Pack 3, Windows 2000 Service Pack 4: Windows2000-kb826232-x86-enu /z For Windows 2000 Service Pack 2: Windows2000-kb826232-x86-enu-customservicepacksupport /z Note: You can combine these switches into one command line.
For information about how to deploy this security patch with Microsoft Software Update Services, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx Restart Requirement:
You must restart your computer after you apply this security patch.
To remove this security patch, use the Add or Remove Programs tool in Control Panel.
System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB826232$\Spuninst folder, and it supports the following Setup switches:
/?: Show the list of installation switches. /u: Use unattended mode. /f: Force other programs to quit when the computer shuts down. /z: Do not restart when the installation is complete. /q: Use Quiet mode (no user interaction).
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:
Date Time Version Size File Name 07-Oct-2003 23:08 18.104.22.1685 107,792 tshoot.ocx
Verifying patch installation:
To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:
320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available
You may also be able to verify the files that this security patch installed by reviewing the following registry key:
Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824146 security patch into the Windows installation source files.
Microsoft thanks the following for working with us to protect customers:
Greg Jones of KPMG UK and Cesar Cerrudo for reporting the issue described in MS03-042. Obtaining other security patches:
Patches for other security issues are available from the following locations:
Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". Patches for consumer platforms are available from the WindowsUpdate web site Support:
Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches. Security Resources:
The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Microsoft Software Update Services: http://www.microsoft.com/sus/ Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security patches that have detection limitations with MBSA tool. Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 Windows Update: http://windowsupdate.microsoft.com Office Update: http://office.microsoft.com/officeupdate/ Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions:
1.0 (October 15, 2003): Bulletin published