Security Watch
Parsing Microsoft's June Patches
Follow along as Russ gives a brief walkthrough of last month's Security Bulletins and the vulnerabilities they patch.
Microsoft released 10 new Security Bulletins (MS05-025 through MS05-034), plus
two revisions that included new binaries (MS05-004 and MS05-019). Highlights
include:
MS05-025:
Cumulative Security Update for Internet Explorer
Two vulnerabilities were addressed in this cumulative update for IE. The
first addresses yet another image format buffer overflow, this time in the PNG
(Portable Network Graphics) format. The second addresses a vulnerability in
how the browser handles certain XML (Extensible Markup Language) requests.
The XML vulnerability might get used as part of phishing attempts, since it
would be possible for a malicious Web site to request XML data on behalf of
the victim, or to retrieve XML data from the victim's system (assuming the attacker
knew exactly where the XML data resided).
However, neither represents a significant vulnerability likely to be exploited
en masse.
MS05-027:
Vulnerability in Server Message Block Could Allow Remote Code Execution
SMB attacks are the most common form of attack Windows systems experience. They've
been around for a very long time, attacking TCP ports 139 and 445.
Although this is a new vulnerability, there's nothing unique about this one
vs. any of those in the past. Any system already blocking existing SMB attacks
will successfully block this one. Any system not already blocking SMB attacks
will likely already be compromised from any of the numerous existing bots and/or
worms that exist on the Internet today. For some reason there seems to be increased
alarm over this vulnerability, but there's no reasonable basis for such alarm.
MS05-029:
Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site
Scripting Attacks
This is the result of another parsing flaw, probably in the way Microsoft validates
HTML input. Canonicalization is the process of converting any of the acceptable
representations of HTML into presentation form for a browser. Before the HTML
is presented by the browser, the input should be scrubbed for unacceptable input;
however, OWA fails to do this completely. As a result, it's possible to input
HTML that would cause another site to appear within an e-mail message displayed
via Outlook Web Access.
The default forms supplied by Microsoft for OWA (and any other Web-based application)
should not be accepted "as is." Instead, companies employing such
tools should ensure that sufficient additional parsing code is added to these
forms to prevent abuse of HTML. One crude technique is to simply convert the
HTML, with all its tags, to plain text as described below. In the OWA ASP form,
change all occurrences of
<%= bstrBody %>
to
<%= Server.HTMLEncode(bstrBody) %>
The result won't be clearly readable, since all HTML tags will still be in
place (now shown as literal text rather than interpreted as markup), but it will
prevent exploitation of any HTML vulnerability via such a message.
Tools exist for programmatically stepping through HTML content and examining
tags, their placement and their parameters. This can be achieved via any .NET
language or third-party tools such as Michael Newcomb's HtmlZap ATL Control,
http://www.miken.com/htmlzap/. By incorporating your own parsing routines into
such HTML programs, you can ensure that nothing other than what you wish to
permit is presented to your users.
MS05-030:
Cumulative Update in Outlook Express
If Outlook Express can connect to a malicious Network News Transport Protocol
(NNTP) server, that server could send replies to the client which could cause
code of the attacker's choice to run on the victim system.
To be exploited via this vulnerability, the NNTP server you connect to must
be specially configured to send non-standard responses to requests from Outlook
Express. Typically, users connect to a corporately-controlled NNTP server (so
undesirable newsgroups and postings aren't available to clients) or to an NNTP
server controlled by their Internet Service Provider. Neither is likely to be
maliciously configured (although it's possible that an ISP's NNTP server could
be compromised). If outbound connection attempts to arbitrary NNTP servers are
permitted, exploitation may be possible.
MS05-032:
Vulnerability in Microsoft Agent Could Allow Spoofing
The Microsoft Agent ActiveX Control allows a Web site or Web application to
provide an interactive character who assists a user. It can prompt a user by
pointing to a specific field or form, or explain how to enter data into the
application. Primarily it's used as a training assistant, although there are
very few limitations in what it can do. The control is enabled on most systems.
The vulnerability permits the Microsoft Agent ActiveX Control to mask security
prompts in addition to its other features. As such, it would be possible for
a Web site, for example, to try to execute code that would normally trigger
a security prompt to warn a user of unsafe code. If such a prompt were hidden
by the Microsoft Agent, the user may believe his actions are safe. The Microsoft
Agent could go even further, displaying prompts indicating that the actions
are safe, further fooling the user.
The most likely use for such an exploit would be in phishing attempts, convincing
the user he's on a trusted site when in fact he's on a malicious site.
Any attempt to use the Microsoft Agent ActiveX Control by a Web site will include
a reference to the following object Class ID (CLSID), which can be filtered:
D45FD31B-5C6E-11D1-9EC1-00C04FD7081F
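As an added example that is not part of this column, and not Microsoft's or HtmlZap's code, here is a Python version of the two filters described above: the whole-body encoding equivalent of Server.HTMLEncode from the MS05-029 section (crude_encode), and a tag-walking allowlist filter (AllowlistFilter) that re-emits only permitted tags, which also drops and counts any <object> referencing the Microsoft Agent CLSID from the MS05-032 section. The tag allowlist, the sample message body and the function names are assumptions of this example; the CLSID is the one quoted in the text.

```python
from html import escape
from html.parser import HTMLParser

# The CLSID is the one quoted in the bulletin; the message body is constructed sample data.
AGENT_CLSID = "d45fd31b-5c6e-11d1-9ec1-00c04fd7081f"
SAMPLE_BODY = ('<p>Hi <b>Bob</b></p><iframe src="http://evil.example/"></iframe>'
               '<object classid="clsid:D45FD31B-5C6E-11D1-9EC1-00C04FD7081F"></object>'
               '<a href="javascript:alert(1)">click</a><a href="https://ok.example/">ok</a>')
ALLOWED_TAGS = {"p", "b", "i", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}

def crude_encode(body: str) -> str:
    """The crude fix from the text (what Server.HTMLEncode does): tags become visible text."""
    return escape(body, quote=True)

def references_agent(classid) -> bool:
    """True if an <object> classid names the Agent control, whatever the case, prefix or braces."""
    value = (classid or "").strip().lower().replace("clsid:", "", 1)
    return value.strip("{}") == AGENT_CLSID

class AllowlistFilter(HTMLParser):
    """Re-emit only allowed tags/attributes; drop the rest and count Agent <object>s."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.agent_refs = [], 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "object" and references_agent(attrs.get("classid")):
            self.agent_refs += 1
        if tag not in ALLOWED_TAGS:
            return  # iframe, object, script, form, ... are simply not re-emitted
        kept = ""
        for name in ALLOWED_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            if name == "href" and not value.lower().startswith(("http://", "https://", "mailto:")):
                continue  # refuses javascript:, data:, vbscript: and the like
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text stays text

def sanitize(body: str):
    parser = AllowlistFilter()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.agent_refs  # (clean_html, Agent refs dropped)
```

Run sanitize(SAMPLE_BODY) to see the iframe, the Agent object and the javascript: link removed while the plain formatting survives; crude_encode(SAMPLE_BODY) shows the whole body as harmless text instead.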
MS05-034:
Cumulative Security Update for ISA Server 2000
Two vulnerabilities exist in ISA Server 2000. Neither is exploitable if ISA
is configured in Firewall Only mode. The only vulnerable systems are those on
the internal side of the firewall, attempting outbound connections.
The first involves the HTTP Cache. The vulnerability could permit the HTTP
cache to become poisoned with false content, but the poisoning must come from
content originating from the same IP address as the site being poisoned.
The second involves the NetBIOS Predefined Filter, an optional proxy disabled
by default. This would typically be enabled only if the ISA server was allowing
unprotected connections to a hosted Web server or similar resource where a VPN
couldn't be employed. The vulnerability results in the possibility of connecting
to the file system of the ISA server itself via NetBIOS. This could result,
for example, in viruses being spread to the ISA server.
MS05-019:
Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service
After some reports of problems with a previous installation of a patch, Microsoft
re-released the patch, updated to prevent such problems. Microsoft will be prompting
all systems to install the new patch, even if the original was already present.
The new patch does not prevent any security vulnerability not already prevented
by the original version.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.