O-006: Microsoft Authenticode Verification Vulnerability

CIAC INFORMATION BULLETIN

O-006: Microsoft Authenticode Verification Vulnerability

[Microsoft Security Bulletin MS03-041]

October 15, 2003 23:00 GMT
[REVISED 17 Oct 2003]

PROBLEM: Authenticode is a technology which allows users to verify the publisher of an ActiveX control. There is a vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with its confirmation dialog box.
PLATFORM: Microsoft Windows NT Workstation 4.0, Service Pack 6a
Microsoft Windows NT Server 4.0, Service Pack 6a
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
Microsoft Windows 2000, Service Pack 2
Microsoft Windows 2000, Service Pack 3, Service Pack 4
Microsoft Windows XP Gold, Service Pack 1
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-bit Edition
DAMAGE: A remote attacker could install and execute an unauthorized ActiveX control on the user's system. This could allow the attacker to take any action on a user's system in the security context of the currently logged in user.
SOLUTION: Apply appropriate patches or implement workarounds.

VULNERABILITY
ASSESSMENT:
The risk is MEDIUM. A remote attacker could install and run code as the logged-in user. Note that most users run with administrator privileges.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-006.shtml
  ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-041.asp
  CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0660
  ADDITIONAL LINKS: CERT Advisory CA-2003-27
   http://www.cert.org/advisories/CA-2003-27.html

REVISION HISTORY:
10/17/03 - added link to CERT Advisory CA-2003-27.


[***** Start Microsoft Security Bulletin MS03-041 *****]

Microsoft Security Bulletin MS03-041 

Vulnerability in Authenticode Verification Could Allow Remote Code Execution 
(823182)
Issued: October 15, 2003 
Version Number: 1.0 

Summary
Who Should Read This Document: Customers using Microsoft® Windows®

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the patch immediately

Patch Replacement: None

Caveats: None

Tested Software and Patch Download Locations: 

Affected Software: 

Microsoft Windows NT Workstation 4.0, Service Pack 6a 
   - Download the patch 
Microsoft Windows NT Server 4.0, Service Pack 6a 
   - Download the patch 
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 
   - Download the patch 
Microsoft Windows 2000, Service Pack 2 
   - Download the patch 
Microsoft Windows 2000, Service Pack 3, Service Pack 4 
   - Download the patch 
Microsoft Windows XP Gold, Service Pack 1 
   - Download the patch 
Microsoft Windows XP 64-bit Edition 
   - Download the patch 
Microsoft Windows XP 64-bit Edition Version 2003 
   - Download the patch 
Microsoft Windows Server 2003 
   - Download the patch 
Microsoft Windows Server 2003 64-bit Edition 
   - Download the patch 

Non Affected Software: 
Microsoft Windows Millennium Edition 

The software listed above has been tested to determine if the versions 
are affected. Other versions are no longer supported, and may or may not 
be affected. 


Technical Details
Technical Description:

There is a vulnerability in Authenticode that, under certain low memory 
conditions, could allow an ActiveX control to download and install without 
presenting the user with an approval dialog.

To exploit this vulnerability, an attacker could host a malicious Web Site 
designed to exploit this vulnerability. If an attacker then persuaded a 
user to visit that site an ActiveX control could be installed and executed 
on the user’s system. Alternatively, an attacker could create a specially 
formed HTML e-mail and send it to the user. If the user viewed the HTML 
e-mail an unauthorized ActiveX control could be installed and executed 
on the user’s system. In both scenarios the vulnerability in Authenticode 
could allow an unauthorized ActiveX control to be installed and executed 
on the user’s system, with the same permissions as the user, without 
prompting the user for approval.
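The bypass described above means a control can land in Internet Explorer's download cache without the publisher ever having been shown to the user. As an added check (not part of the Microsoft bulletin or of CIAC's text), the following PowerShell script enumerates the controls cached in the "Downloaded Program Files" folder and reports their Authenticode status and signer, so an administrator can see what has been installed and whether each item carries a valid signature. It assumes PowerShell 2.0 or later with the built-in Get-AuthenticodeSignature cmdlet; the folder path and file extensions are the conventional ones for cached ActiveX controls.

```powershell
# Added example, not code from MS03-041 or from CIAC.
# Lists cached ActiveX controls and their Authenticode signature status.
# Assumes PowerShell 2.0+ (Get-AuthenticodeSignature is built in).

# Conventional location of controls Internet Explorer has downloaded.
$cache = Join-Path $env:windir 'Downloaded Program Files'

function Get-CachedControlSignatures {
    param([string]$Path = $cache)

    Get-ChildItem -Path $Path -Include *.ocx, *.dll, *.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            # Status is one of Valid, NotSigned, HashMismatch, UnknownError, ...
            New-Object PSObject -Property @{
                File   = $_.Name
                Status = $sig.Status
                Signer = $signer
            }
        }
}

# Unsigned or tampered controls sort to the top for review.
Get-CachedControlSignatures |
    Sort-Object Status |
    Format-Table File, Status, Signer -AutoSize
```

A Valid status only tells you the file was signed by a certificate that chains to a trusted root; it says nothing about whether the user approved the publisher, which is exactly the step this vulnerability skips. Treat anything listed as NotSigned or HashMismatch as a candidate for removal, and compare signers against the publishers you expect on that machine.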

The risk of attack from the HTML email vector can be significantly reduced 
if the following conditions are met:

- You have applied the patch included with Microsoft Security bulletin 
MS03-040 

- You are using Internet Explorer 6 or later 

- You are using the Microsoft Outlook Email Security Update or Microsoft 
Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in 
their default configuration. 

Mitigating factors: 

- By default, Internet Explorer on Windows Server 2003 runs in Enhanced 
Security Configuration. This default configuration of Internet Explorer 
blocks automatic exploitation of this attack. If Internet Explorer 
Enhanced Security Configuration has been disabled, the protections 
put in place that prevent this vulnerability from being automatically 
exploited would be removed. 

- In the Web-based attack scenario, the attacker would have to host a Web 
site that contained a Web page used to exploit this vulnerability. An 
attacker would have no way to force a user to visit a malicious Web Site. 
Instead, the attacker would need to lure them there, typically by getting 
them to click a link that would take them to the attacker's site. 

- By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the 
Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in 
the Restricted Sites Zone if the Outlook Email Security Update has been 
installed. Customers who use any of these products would be at a reduced 
risk from an e-mail borne attack that attempted to exploit this 
vulnerability unless the user clicked a malicious link in the email. 

- Exploiting the vulnerability would allow the attacker only the same 
privileges as the user. Users whose accounts are configured to have few 
privileges on the system would be at less risk than ones who operate with 
administrative privileges. 

Severity Rating:
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Windows NT 4.0                                Critical
++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Windows Server NT 4.0 Terminal Server Edition Critical
++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Windows 2000                                  Critical
++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Windows XP                                    Critical
++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Windows Server 2003                           Moderate 
++++++++++++++++++++++++++++++++++++++++++++++++++++++

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0660 


Workarounds:

Microsoft has tested the following workarounds. These workarounds will 
not correct the underlying vulnerability however they help block known 
attack vectors. Workarounds may cause a reduction in functionality in 
some cases – in such situations this is identified below.

- Disable downloading of ActiveX controls in the Internet zone: 
You can help protect against this vulnerability by changing your settings 
for the Internet security zone to disable the downloading of ActiveX 
components. To do this, perform the following steps:

1. In Internet Explorer, select Tools, Internet Options 
2. Click on the Security tab 
3. Highlight the Internet icon and click on the Custom Level button 
4. Scroll through the list to the ActiveX controls and plugins section 
5. Under Download signed ActiveX controls click Disable 
6. Click OK, then click OK again to return to Internet Explorer 

Impact of Workaround:
Many Web sites on the Internet use ActiveX to provide additional 
functionality. For instance, an online e-commerce site or banking site 
might use ActiveX controls to provide menus, ordering forms, or even 
account statements. 

Disabling the downloading of ActiveX controls is a global setting for 
all Internet sites. If you feel that there are sites on the Internet 
where you require the page to download ActiveX components, you can 
instead use the "Restrict Web sites to only your trusted Web sites" 
workaround.

- Restrict Web sites to only your trusted Web sites 
After disabling the downloading of ActiveX in the Internet zone, you can 
add sites that you trust into Internet Explorer's Trusted sites. This 
will allow you to continue using trusted Web sites exactly as you do 
today, while helping protect you from this attack on untrusted sites. 
When you are able to deploy the patch, you can safely re-enable the 
downloading of ActiveX in the Internet zone.

To do this, perform the following steps: 

1. In Internet Explorer, select Tools, then Internet Options. Click the 
Security tab. 
2. In the box labeled Select a Web content zone to specify its current 
security settings, click Trusted Sites, then click Sites 
3. If you want to add sites that do not require an encrypted channel, 
click to clear the Require server verification (https:) for all sites 
in this zone check box. 
4. In the box labeled Add this Web Site to the zone, type the URL of a 
site that you trust, then click the Add button. Repeat for each site that
you want to add to the zone. 
5. Click OK twice to accept the changes and return to Internet Explorer. 

Add any sites that you trust not to take malicious action on your computer. 
One in particular that you may want to add is 
https://*.windowsupdate.microsoft.com. This is the site that hosts the 
patch, and it requires the use of an ActiveX control to install the patch. 

Note that there is generally a trade-off between ease-of-use and security; 
by selecting a high-security configuration, you could make it extremely 
unlikely that a malicious Web site could take action against you, but at 
the cost of missing a lot of rich functionality. The appropriate balance 
between security and ease-of-use is different for everyone, and you should 
pick a configuration that fits your needs. 

Impact of Workaround:
For those sites you have not configured to be in your Trusted sites zone, 
their functionality will be impaired if they require ActiveX controls to 
function properly. Adding sites to your Trusted sites zone will allow them 
to be able to download the ActiveX control required to function correctly. 
However you should only add Web sites you trust to the Trusted sites zone.
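The two workarounds above (disable signed ActiveX download in the Internet zone, then add sites you trust to the Trusted sites zone) are stored as per-user registry values under Internet Explorer's zone settings. The script below is an added example, not part of MS03-041 or of CIAC's bulletin, that reads the current setting, applies both workarounds, and reports the result, which is useful when the change has to be applied or verified on many accounts by script rather than through the dialog steps. It assumes PowerShell 2.0 or later. The key layout it relies on is: zone 3 is the Internet zone, zone 2 is Trusted sites, action value 1001 is "Download signed ActiveX controls" with 0 = Enable, 1 = Prompt, 3 = Disable; the mapping of https://*.windowsupdate.microsoft.com to the ZoneMap\Domains\microsoft.com\windowsupdate subkey with a DWORD named https is this script's assumption about how IE stores a wildcard trusted-site entry.

```powershell
# Added example, not code from MS03-041 or from CIAC.
# Applies and verifies the two Internet Explorer workarounds from the bulletin.
# Assumes PowerShell 2.0+. Zone numbers and the 1001 action value are IE's
# documented per-user zone settings; the ZoneMap layout for the wildcard
# entry is an assumption stated in the lead-in.

$zones    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$internet = Join-Path $zones '3'   # Internet zone
$trusted  = 2                      # Trusted sites zone number

function Get-SignedActiveXDownloadPolicy {
    # Returns the human-readable state of "Download signed ActiveX controls"
    # for the Internet zone of the current user.
    $v = (Get-ItemProperty -Path $internet -Name '1001' -ErrorAction SilentlyContinue).'1001'
    switch ($v) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($v)" }
    }
}

function Disable-SignedActiveXDownload {
    # Workaround 1: equivalent of Custom Level -> Download signed ActiveX controls -> Disable.
    Set-ItemProperty -Path $internet -Name '1001' -Value 3 -Type DWord
}

function Add-TrustedSiteSubdomain {
    # Workaround 2: equivalent of adding https://*.<Subdomain>.<Domain> to Trusted sites.
    # Assumption: IE stores the entry as Domains\<Domain>\<Subdomain> with a DWORD
    # named after the scheme whose data is the target zone number.
    param([string]$Domain, [string]$Subdomain, [string]$Scheme = 'https')
    $map = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$Subdomain"
    New-Item -Path $map -Force | Out-Null
    Set-ItemProperty -Path $map -Name $Scheme -Value $trusted -Type DWord
}

"Before: Internet zone signed ActiveX download = $(Get-SignedActiveXDownloadPolicy)"
Disable-SignedActiveXDownload
Add-TrustedSiteSubdomain -Domain 'microsoft.com' -Subdomain 'windowsupdate'   # the patch host named in the bulletin
"After:  Internet zone signed ActiveX download = $(Get-SignedActiveXDownloadPolicy)"
```

Close and reopen Internet Explorer for the change to take effect. If the zone settings are enforced from HKLM (the Security_HKLM_only value) or by Group Policy, the per-user values written here are ignored and the report will not change, so check the reported state after running rather than assuming the write succeeded. Once the patch is deployed, set value 1001 back to 0 or 1 to restore the default behaviour, as the bulletin notes.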

- Install Outlook Email Security Update if you are using Outlook 2000 SP1 
or Earlier. 

The Outlook Email Security Update causes Outlook 98 and 2000 to open HTML 
mail in the Restricted Sites Zone by default. Outlook Express 6.0 and 
Outlook 2002 by default open HTML mail in the Restricted Sites Zone. 
Customers who use any of these products would be at reduced risk from 
an e-mail borne attack that attempts to exploit this vulnerability unless 
the user clicks a malicious link in the email.

- If you are using Outlook 2002 or Outlook Express 6.0 or higher, to help 
protect yourself from the HTML email attack vector, read email in plain
text format. 

Users of Microsoft Outlook 2002 and Outlook Express 6.0 who have applied 
Service Pack 1 or higher can enable a feature to view all 
nondigitally-signed e-mail or nonencrypted e-mail messages in plain text 
only. Digitally signed e-mail or encrypted e-mail messages are not 
affected by the setting and may be read in their original formats. 
Information on enabling this setting in Outlook 2002 can be found in the 
following Knowledge Base article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;307594

Information on enabling this setting in Outlook Express 6.0 can be found 
in the following Knowledge Base article:

http://support.microsoft.com/?kbid=291387

Impact of Workaround:
E-mail viewed in plain text format cannot contain pictures, specialized 
fonts, animations, or other rich content. In addition:

- The changes are applied to the preview pane and open messages. 
- Pictures become attachments to avoid loss. 
- Since the message is still in Rich Text or HTML format in the mail store, 
the object model (custom code solutions) may behave unexpectedly. 


Security Patch Information
For information about the specific security patch for your platform, 
click the appropriate link: 
Windows Server 2003 (all versions)
Windows XP (all versions)
Windows 2000 (all versions)
Windows NT 4.0 (all versions)


Obtaining other security patches:

Patches for other security issues are available from the following 
locations: 

Security patches are available from the Microsoft Download Center, and 
can be most easily found by doing a keyword search for "security_patch".
 
Patches for consumer platforms are available from the WindowsUpdate web site

Support:

Technical support is available from Microsoft Product Support Services at 
1-866-PCSAFETY. There is no charge for support calls associated with 
security patches. 

Security Resources: 

The Microsoft TechNet Security Web Site provides additional information 
about security in Microsoft products. 

Microsoft Software Update Services: http://www.microsoft.com/sus/ 
Microsoft Baseline Security Analyzer (MBSA) details: 
    http://www.microsoft.com/mbsa. 
Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for 
a list of security patches that have detection limitations with the MBSA tool. 
Windows Update Catalog: 
   http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 
Windows Update: http://windowsupdate.microsoft.com 
Office Update: http://office.microsoft.com/officeupdate/ 

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided 
"as is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Microsoft Corporation 
or its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

V1.0 (October 15, 2003): Bulletin published.

[***** End Microsoft Security Bulletin MS03-041 *****]


CIAC wishes to acknowledge the contributions of Microsoft Corp. for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/