News

Microsoft Patches Three More Bugs

• By Scott Bekker
• 06/22/2001

The software giant alerted customers to an issue that affects a subcomponent of the FrontPage Server Extensions (FPSE) that it supports in its IIS 4.0 and IIS 5.0 Web server platforms; to a new vulnerability in several versions of its Word productivity application that could allow malicious macros to execute automatically; and to a variation on a denial-of-service (DoS) attack, targeting its NetMeeting product, that it originally patched in October 2000.

In the most serious of the three announcements, Microsoft confirmed the existence of a vulnerability in IIS' FPSE that could potentially give an attacker complete control over a compromised system. Most observers acknowledge that the scope of this latest vulnerability is for the most part limited, however.

FPSE are enabled by default in IIS 4.0 and IIS 5.0, but can also be augmented by means of an optional sub-component - which isn't installed by default - called Visual Studio Remote Application Deployment (RAD) Support. In a variation on a now classic theme, FPSE's Visual Studio RAD Support component contains an unchecked buffer that can be exploited - by means of a standard buffer overflow attack - to load code of an attacker's choice and execute it on a server. A would-be cracker has only to establish a Web session with the server and pass a malformed packet to the server component to successfully perpetrate the attack.

Microsoft says that an attack of this type typically executes code at a privilege level associated with the IUSR_machinename context, but also acknowledges that "under certain circumstances" - which it doesn't explain - it is possible for an attacker to execute code in the much more powerful SYSTEM context, as well.

IUSR_machinename is a user account created automatically during IIS installation which facilitates anonymous connections to a server; any attacker that runs code in the IUSR_machinename context is generally limited with respect to what he or she can and can't do on a server. If an attacker successfully perpetrated an attack of this type and was able to execute code at a SYSTEM-level privilege, however, he or she could conceivably gain complete control over an affected system.

"SYSTEM context would allow you to get access to the SAM, and by having access to the SAM, you could run something like l0phtcrack to get the administrator password," explains Russ Cooper, editor of the Windows NT Bugtraq Mailing list. "You could then have the keys to system."

Cooper says that the potential impact of the latest IIS-related vulnerability is mitigated in large part because the compromised Visual Studio RAD Support component is not installed by default with IIS and FPSE, however. For its part, Microsoft claims that if an administrator selects the Visual Studio RAD Support feature during IIS/FPSE configuration, the installation routine invokes a warning message that informs him or her about the dangers associated with installing the feature in question on production machines.

"This will probably affect about 20 percent of the [systems] that have been defaced lately, because most of the ones that are being defaced now are development boxes, which might have this stuff on them," he suggests. "Typically, this stuff would be removed before the server went out of development, and of course you don't have a lot of people who are allowing FPSE anymore, anyway."

Another Microsoft security bulletin confirmed the existence of a serious vulnerability in Word versions 97, 98, 2000, 2001 and 2002 that could potentially facilitate the execution of malicious macros - even in cases in which a user has disabled macro support altogether.

Word provides a security mechanism whereby it requires a user's approval to run macros, and also scans documents for macros prior to opening them. This latest vulnerability is enabled because it's possible for an attacker to modify a Word document in such a way as to prevent Word's security scanning mechanism from recognizing an embedded macro in the first place. Consequently, when a user double-clicks and opens a modified document of this type, the undetected macro is permitted to execute.

Microsoft says that an attacker who successfully exploits this vulnerability "could take any action that the user herself could take" - which includes, the software giant cautions, "disabling the user's Word security settings so that subsequently-opened Word documents would no longer be checked for macros."

"It's not likely to cause an increase in word macro viruses," NTBugtraq's Cooper comments. "It's a bad one because it demonstrates the fact that there were two steps being done with respect to macros in Word where you'd expect that there should only be one."

Finally, Microsoft updated an older security bulletin to document a new variation on a once-patched DoS attack that affects its NetMeeting collaborative tool.

According to Microsoft, an attacker could exploit a vulnerability in NetMeeting's Remote Desktop Sharing (RDS) component to drive CPU utilization on an affected system to 100 percent - causing the NetMeeting application itself to hang and possibly affecting service levels on the system as a whole.

NetMeeting and its suspect Remote Desktop Sharing component are not enabled by default in either Windows NT 4.0 or in Windows 2000. -- Stephen Swoyer