** 03-023 Buffer Overrun in HTML [It's Wednesday Patch day]

- - ---------------------------------------------------------------
Title: Buffer Overrun In HTML Converter Could Allow Code
Execution (823559)
Date: 09 July 2003
Software: Microsoft(r) Windows (r) 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Impact: Allow an attacker to execute code of their choice
Max Risk: Critical
Bulletin: MS03-023

Microsoft encourages customers to review the Security Bulletins
at:
http://www.microsoft.com/technet/security/bulletin/MS03-023.asp
http://www.microsoft.com/security/security_bulletins/ms03-023.asp
- - ---------------------------------------------------------------

Issue:
======

All versions of Microsoft Windows contain support for file
conversion within the operating system. This functionality allows
users of Microsoft Windows to convert file formats from one to
another. In particular, Microsoft Windows contains support for
HTML conversion within the operating system. This functionality
allows users to view, import, or save files as HTML.

There is a flaw in the way the HTML converter for Microsoft
Windows handles a conversion request during a cut-and-paste
operation. This flaw causes a security vulnerability to exist. A
specially crafted request to the HTML converter could cause the
converter to fail in such a way that it could execute code in the
context of the currently logged-in user. Because this
functionality is used by Internet Explorer, an attacker could
craft a specially formed Web page or HTML e-mail that would cause
the HTML converter to run arbitrary code on a user's system. A
user visiting an attacker's Web site could allow the attacker to
exploit the vulnerability without any other user action.

To exploit this vulnerability, the attacker would have to create
a specially-formed HTML e-mail and send it to the user.
Alternatively, an attacker would have to host a malicious Web
site that contains a Web page designed to exploit this
vulnerability. The attacker would then have to persuade a user to
visit that site.


Mitigating factors:
====================

- By default, Internet Explorer on Windows Server 2003 runs in
Enhanced Security Configuration. This default configuration of
Internet Explorer blocks automatic exploitation of this attack.
If Internet Explorer Enhanced Security Configuration has been
disabled, the protections put in place that prevent this
vulnerability from being automatically exploited would be
removed.

- In the Web-based attack scenario, the attacker would have to
host a Web site that contained a Web page used to exploit this
vulnerability. An attacker would have no way to force users to
visit a malicious Web site outside the HTML e-mail vector.
Instead, the attacker would need to lure them there, typically by
getting them to click a link that would take them to the
attacker's site.

- Exploiting the vulnerability would allow the attacker only the
same privileges as the user. Users whose accounts are configured
to have few privileges on the system would be at less risk than
ones who operate with administrative privileges.

Risk Rating:
============
Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read
the Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/ms03-023.asp
http://www.microsoft.com/security/security_bulletins/ms03-023.asp

for information on obtaining this patch.

Jeff
Wed Jul 09 14:33:51 CDT 2003

This is a potentially very nasty, extremely dangerous vulnerability. If the
actual vulnerability code requirement ever becomes published, this
potentially could be the worst nightmare to happen. Find the time to do
this patch.

Susan
Thu Jul 10 00:10:06 CDT 2003

Ouch.....

Russ wrote:

> Float like a Dove, or Sting like a Bee...
>
> Ok, here's another example of "Trustworthy Computing".
>
> For quite some time Microsoft has offered up, as a mitigator, the fact that the
> Outlook Email Security Update and Outlook 2002, and/or Outlook Express 6.x, in
> default mode, are great at thwarting any attack which involves HTML-based email
> and scripting. All of those environments render email in the Restricted Sites
> Zone with scripting disabled.
>
> But when I read MS03-023, it stood out like a sore thumb the fact that this was
> not offered as a mitigator. The attack, as described by DigitalScream, required
> scripting after all. So why wouldn't running Outlook in the Restricted Sites
> Zone prevent such an email-borne attack?
>
> Maybe its the fact that none of the 30+ vulnerabilities which have made
> possible attacks via HTML-based email (over the past two years) have ever come
> to fruition. So maybe email-AV are bearing fruit? Of course the overwhelming
> majority of zombies aren't corporate clients (those that have email-AV.) All
> possible, but not excusable, reasons for not offering the mitigator.
>
> I can't believe that the MSRC has become so void of knowledge that they believe
> its not important to impress the value of such great MS tools...but, they all
> seem to have forgotten so many other legacies, maybe its true.
>
> On its face, its difficult to believe that such mitigators will not thwart an
> attack against this vulnerability. But I called the new Manager of the MSRC,
> and asked him this specifically more than 7 hours ago. He told me he'd be back
> to me in 5 minutes. The new information I have for you is as follows;
>
> <media inflammatory on>
> 1. 5 minutes is longer in Redmond than anywhere else I've dealt with (and
> that's a lot of places.)
>
> 2. It must be true, you can get this exploit to run despite all of the Trust
> Zone facilities in MS email products (and Service Packs), otherwise, they'd
> have been able to say quite quickly that it was simply a mitigator they
> overlooked (umm, the most important one I'd say.)
>
> 3. They're assessment as "Critical" is, IMO, understated. If a scripting
> HTML-based email can by-pass such security measures that prevent such
> exploitation, they need to come up with a new category.
>
> 4. Expect "security researchers" to divulge far more really soon. Anyone who
> can come up with something which can by-pass the security restrictions imposed
> by the Restricted Sites Zone is not going to leave it at that.
> </media inflammatory off>
>
> Now of course its possible that the newly formed Microsoft Security Response
> Center are simply people with, um, no clue? But to my way of thinking, unless
> their only customers are people who blindly take updates from WU without
> thinking (e.g. don't have to deploy a patch to 10's of 1000's of systems), they
> should be able to answer a simple question like "did you just forget to mention
> an important mitigator?".
>
> This message comes after 6 calls to the MSRC.
>
> Cheers,
> Russ - NTBugtraq Editor
>
> oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
> Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
>
> With a growth rate exceeding 110%, the TICSA security practitioner
> certification is one of the hottest IT credentials available. And now, for
> a limited time, you can save 33% off of the TICSA certification exam! To
> learn more about the TICSA certification, and to register as a TICSA
> candidate online, just go to
>
> http://www.trusecure.com/offer/s0100/
>
> oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo



"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" wrote:

> Looks to me like the script is/was published on bugtraq on June 22.....
>
> MARC: msg 'Internet Explorer &gt;=5.0 : Buffer overflow':
> http://marc.theaimsgroup.com/?l=bugtraq&m=105639925122961&w=2
>
> [Full-Disclosure] PoC for Internet Explorer >=5.0 buffer overflow (trivial
> exploit for hard case).:
> http://lists.netsys.com/pipermail/full-disclosure/2003-July/010833.html
> [Full-Disclosure] Re: Internet Explorer >=5.0 : Buffer overflow:
> http://lists.netsys.com/pipermail/full-disclosure/2003-June/010745.html
>
> "Jeff Middleton [SBS-MVP]" wrote:
>
> > This is a potentially very nasty, extremely dangerous vulnerability. If the
> > actual vulnerability code requirement ever becomes published, this
> > potentially could be the worst nightmare to happen. Find the time to do
> > this patch.

Susan
Thu Jul 10 21:39:08 CDT 2003



Russ wrote:

> I want to apologize to the folks over at the Microsoft Security Response Center. I
> said last night that they hadn't responded to my query after 7 hours. In fact, they
> did respond, about 3 hours after I contacted them. Unfortunately, their response
> didn't get to me through no fault of theirs.
>
> Their response indicated that the Outlook with the Outlook Email Security Update
> (OESU) applied, Outlook 2002 in default configuration, and Outlook Express 6.0 SP1
> would all stop a (J/VB)scripted attack sent via email.
>
> It is still unclear why those products don't make a reasonable mitigator worth
> listing, particularly since IE's Enhanced Security Configuration under Windows 2003
> is listed as one.
>
> They did point out that the vulnerability could be invoked via other means.
> Basically, any attempt to convert HTML<->RTF could invoke the overflow, and that
> might be done in programs other than those that use IE. True as that is, that's
> also true on Windows 2003, even with IE's Enhanced Security Configuration, isn't
> it?
>
> Anyway, the point is that the Restricted Sites Zone is not being by-passed. Since
> my assessment is that attacks against corporate environments is most likely going
> to occur via an HTML-based email, use of those products listed above should be
> considered a reasonable mitigator.
>
> <meager excuse>
> Spam is driving me nuts. In an effort to reduce the spam I get every day (max. 209
> per day), I wrote several utilities for Outlook and Exchange which have allowed me
> to get down to an average of 69 per day so far. Good work you might say, or "my
> spam program's way better than that". Well, maybe, but I have some rather unique
> requirements so what I need isn't what everyone else does, nor would it work for
> everyone else.
>
> Anyway, the point is, my anti-spam program may block email from you to me. Its not
> supposed to, but hey, who said I get paid to be a programmer. I have to manually
> move a message into a specific folder for it to be classified as spam. My mouse
> slips sometimes, and the wrong mail ends up in that folder occasionally.
>
> Messages sent to NTBugtraq@listserv.ntbugtraq.com are not subjected to this spam
> filtering, so you should never be blocked from sending to that address. Also,
> remember, messages sent to that address are moderated by me only, so if you feel
> you can't get to me through my personal address, feel free to send me a message via
> the list address (just make a note in the message that it isn't meant for the
> list.)
> </meager excuse>
>
> Cheers,
> Russ - NTBugtraq Editor
>
> oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
> Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
>
> With a growth rate exceeding 110%, the TICSA security practitioner
> certification is one of the hottest IT credentials available. And now, for
> a limited time, you can save 33% off of the TICSA certification exam! To
> learn more about the TICSA certification, and to register as a TICSA
> candidate online, just go to
>
> http://www.trusecure.com/offer/s0100/
>
> oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo