Advisory CA-2000-16

2000-08-12T00:00:00
ID SECURITYVULNS:DOC:542
Type securityvulns
Reporter Securityvulns
Modified 2000-08-12T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-2000-16 Microsoft 'IE Script'/Access/OBJECT Tag Vulnerability

Original release date: August 11, 2000
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

 * Internet Explorer 4.x, 5.x
 * Microsoft Access 97 or 2000

Overview

Under certain conditions, Internet Explorer can open Microsoft Access database or project files containing malicious code and execute the code without giving a user prior warning. Access files that are referenced by OBJECT tags in HTML documents can allow attackers to execute arbitrary commands using Visual Basic for Applications (VBA) or macros.

A patch which protects against all known variants of attack exploiting this vulnerability is now available. A workaround which was previously suggested provided protection against one specific publicly-available exploit using .mdb files but did not protect against attack using many other Access file types. (See Appendix B for a complete list of file types.)

I. Description

Last month, a workaround for the "IE Script" vulnerability was addressed in Microsoft Security Bulletin MS00-049: Subsection "Workaround for 'The IE Script' Vulnerability." Microsoft has just re-released MS00-049, which now includes information about a patch for this vulnerability. The CERT Coordination Center is issuing this advisory to raise awareness in the Internet community about the need to apply this patch to protect IE users against all variants of attacks which can exploit this particular vulnerability.

Initial Findings

Many of the initial public details about the vulnerability were discussed on the SecurityFocus Bugtraq mailing list, as well as in a SANS Flash Advisory:

    http://www.securityfocus.com/bid/1398
    http://www.sans.org/newlook/resources/win_flaw.htm

This vulnerability in IE can be used to open Access data or project files. (See Appendix B for a complete list of file types.) Visual Basic for Applications (VBA) code embedded within these files will then execute. If a warning message appears (depending on the security settings in IE), it will only do so after the code has been run.

Attackers exploit this vulnerability by placing OBJECT tags in HTML files posted on malicious Web sites or transmitted via email or via newsgroup postings. The OBJECT tag can look like

    <OBJECT data="database.mdb" id="d1"></OBJECT>

Note, however, the file extension does not have to be .mdb; an attacker may use any of the ones listed in Appendix B.

The Access file can then open before any warning messages are displayed, regardless of the default security settings in either IE or Access. Since Access files can contain VBA or macro code executed upon opening the file, arbitrary code can be run by a remote intruder on a victim machine without prior warning.

While this is not an ActiveX issue per se, since all Microsoft Office documents are normally treated like ActiveX controls, by default Microsoft Access files are treated as unsafe for scripting within the IE Security Zone model. This vulnerability, however, can be used to reference an Access file and execute VBA or macro code even if scripting has been disabled in Internet Explorer.

Other Vulnerable OBJECT tag extensions

In Microsoft Security Bulletin MS00-049, Microsoft initially provided a workaround for this vulnerability which involved setting the Admin password in MS Access. However, unlike with Access data files, setting the Admin password will not protect against exploits using project files (.ade, .adp). (See Appendix B.)

Because Access project files rely on SQL backends to authenticate their requests, project files created without SQL content can bypass the default authentication for such requests in MS Access. For more information regarding Access project files, see

    http://msdn.microsoft.com/library/techart/acaccessprojects.htm

II. Impact

A remote intruder can send malicious HTML via an email message, newsgroup posting, or downloaded Web page and may be able to execute arbitrary code on a victim machine.

III. Solution

Apply the patch provided by Microsoft

Microsoft has released the following patch which addresses the "IE Script" vulnerability, as well as others:

    http://www.microsoft.com/windows/ie/download/critical/patch11.htm

Please see MS00-055 "Patch Available for 'Scriptlet Rendering' Vulnerability" for additional information regarding other issues addressed by this patch:

    http://www.microsoft.com/technet/security/bulletin/ms00-055.asp

Note that the OBJECT tag issues addressed by MS00-049, MS00-055, and this advisory are separate from those addressed by the recently released MS00-056: "Patch Available for 'Microsoft Office HTML Object Tag' Vulnerability."

Microsoft's initial workaround for this issue was for users to set the Admin password for Access. Since Access does not allow a user to disable VBA code embedded in Access data and project files, the CERT Coordination Center recommends that users follow the suggested workaround and set the Admin password even after the patch for this vulnerability has been applied.

Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Appendix A. Vendor Information

Microsoft Corporation

Microsoft has published the following documents regarding this issue:

    http://www.microsoft.com/technet/security/bulletin/ms00-049.asp
    http://www.microsoft.com/technet/security/bulletin/fq00-049.asp
    http://www.microsoft.com/technet/support/kb.asp?ID=269368

Appendix B. Additional Information

The full list of OBJECT tag extensions which may be used to exploit this vulnerability is listed below:

 * .adp - Microsoft Access project file
 * .ade - ADP file with all modules compiled and all editable source code removed
 * .mdb - Microsoft Access database file
 * .mde - MDB file with all modules compiled and all editable source code removed
 * .mda - Microsoft Access VBA add-in
 * .mdw - Microsoft Access workgroup information file; synonym for the system database used to store group and user account names and the passwords used to authenticate users when they log on to an Access database or MDE file secured with user-level security

The patch provided by Microsoft addresses all the file extensions identified above.
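The OBJECT tag shown in Section I and the extension list above give a mail or web content filter everything it needs to flag such references before the page reaches a vulnerable browser. The following scanner is an added example for this advisory (it is not CERT/CC or Microsoft code): it parses HTML, picks out every OBJECT tag, and reports those whose data attribute resolves to one of the six Appendix B file types, after stripping query strings and fragments and decoding percent-encoding, so that case changes or a trailing "?x=1" do not hide the extension. The sample HTML, host name and findings format are constructed for the example.

```python
"""Flag OBJECT tags whose data attribute references a Microsoft Access file.

Added detection example for CA-2000-16; it is not part of the advisory.
The extension set is the Appendix B list.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote
import posixpath

# The OBJECT tag extensions listed in Appendix B of the advisory.
ACCESS_EXTENSIONS = frozenset({".adp", ".ade", ".mdb", ".mde", ".mda", ".mdw"})


def referenced_extension(ref: str) -> str:
    """Return the lower-cased extension of the file an OBJECT data value names.

    The query string and fragment are discarded and percent-encoding is
    decoded first, so "db.MDB?x=1", "./a/b.mdw#top" and "db%2Emdb" all yield
    the extension of the referenced file rather than of the decoration.
    """
    path = unquote(urlsplit(ref.strip()).path)
    return posixpath.splitext(path)[1].lower()


class ObjectTagScanner(HTMLParser):
    """Collect every OBJECT start tag whose data attribute names an Access file."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        # Each finding is (line, column, data_value, extension).
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <OBJECT DATA=...>
        # and <object data=...> are seen identically.
        if tag != "object":
            return
        data = dict(attrs).get("data")
        if not data:
            return
        ext = referenced_extension(data)
        if ext in ACCESS_EXTENSIONS:
            line, col = self.getpos()
            self.findings.append((line, col, data, ext))


def scan_html(html: str):
    """Return the list of Access-file OBJECT references found in html."""
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample input: the advisory's example tag, two variants that a
# naive lower-case ".mdb" substring check would miss, and two benign objects.
SAMPLE_HTML = """<html><body>
<OBJECT data="database.mdb" id="d1"></OBJECT>
<object data="http://example.invalid/proj.ADE?x=1" id="d2"></object>
<object data="files/report%2Emdw#top"></object>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>"""

if __name__ == "__main__":
    for line, col, ref, ext in scan_html(SAMPLE_HTML):
        print(f"line {line}, col {col}: OBJECT data={ref!r} references an Access {ext} file")
```

Run against the constructed sample, the scanner reports the first three OBJECT tags (.mdb, .ade and .mdw) and ignores the Flash object and the classid-only object. A filter built on this logic should treat a hit as a reason to quarantine or strip the tag, since the advisory notes that any warning IE might show appears only after the embedded VBA has already run.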

Please consult the following resources for further information regarding the other file types involved in exploiting this vulnerability:

 * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#adefile
 * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#adpfile
 * http://msdn.microsoft.com/library/officedev/off2000/defAddIn.htm
 * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#mdbfile
 * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#mdefile
 * http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#workgroupinformationfile
   _____________________________________________________________

   The CERT Coordination Center thanks Timothy Mullen, Alan Paller
   and the SANS Research Office, and the Microsoft Security Response
   Center for their help in developing this advisory.
   _____________________________________________________________

   Author: Jeffrey S. Havrilla
   __________________________________________________________________

   This document is available from:

        http://www.cert.org/advisories/CA-2000-16.html
   __________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
      CERT Coordination Center
      Software Engineering Institute
      Carnegie Mellon University
      Pittsburgh PA 15213-3890
      U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by
   email. Our public PGP key is available from

    http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available
   from our web site

    http://www.cert.org/

   To be added to our mailing list for advisories and bulletins,
   send email to cert-advisory-request@cert.org and include
   SUBSCRIBE your-email-address in the subject of your message.
   "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
   __________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.

Revision History

August 11, 2000: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOZRPDFr9kb5qlZHQEQJLaACeI4QH03vr031yaAlOisX4Z3LdoCQAnjKx
kSf3jAgm5d/btu6rqpl/LsQ0
=eqtt
-----END PGP SIGNATURE-----