Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Critical Microsoft Hole

Posted by michael on from the your-daily-dose dept.

gmuslera writes "Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system. Now there is another related to an ActiveX control that can make IE and IIS to run any code in the system. The Microsoft solution? kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recomendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

13 of 597 comments (clear)

  1. The admission is in the faq section. by terradyn · · Score: 5, Informative

    Reproduced for your enjoyment:

    What steps could I follow to prevent the control from being silently re-introduced onto my system?

    The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:

    1. In Internet Explorer, choose Tools, then Internet Options.
    2. Select the Content tab. In the Certificates section of the page, click on Publishers.
    3. In the Certificates dialog, click on the Trusted Publishers tab.
    4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
    5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.

  2. Re:why? by jandrese · · Score: 5, Informative

    Because if you don't bring these problems out into the open, Microsoft won't fix them. There have been several cases in the past where security vulnerabilities were left unpatched until people started clamoring for a fix. Also, this hole is rather severe (if a similar hole was found in SSH or Apache Slashdot would announce it) and the fact that it is digitally signed makes it unusual and newsworthy.

    --

    I read the internet for the articles.
  3. FWIW: .NET may help this... by Kanagawa · · Score: 4, Informative

    I'm no M$ fan, but I deal with it at work so I make a point at figuring out how to deal with the problems. Frankly, this isn't a suprise. The most well secured enterprises I've seen allow only internal ActiveX publishers -- ActiveX is just too hard to make safe.

    Looking forward, I recently picked up .NET Framework Security -- anyway, it seems like Microsoft is at least attempting to solve this particular problem. And, their approach isn't completely idiotic. Really.

    Mobile code that runs in the .NET common language runtime (read: M$ JVM) is controlled by a fairly sophisticated access control system. The default policy in XPsp1 from M$ allows no code from the Internet to execute, at all. Not exactly what I want as a user, but its what I want as an admin...

    Frustratingly, you can't run .NET mobile code without also enabling ActiveX controls. Not sure what the issue there is, but I suspect the CLR loader is some sort of ActiveX control. Anyone know about that?

    Anyway... here's some additional links to M$ references on mobile code:

    Security in .NET: Enforce Code Access Rights...
    Security in the .NET Framework

    --
    "He wrested the world's whereabouts from the heavens And locked the secret in a pocketwatch." - Dava Sobel
  4. Install MDAC 2.7 by Brazzo · · Score: 4, Informative
    Yes, there are still bugs with MDAC 2.6; install MDAC 2.7. You'll note at the bottom of the security update that MDAC 2.7 is not affected by this issue.

    Here's a URL for you, even...

    MDAC 2.7 Refresh

    Keeping Windows secure is hard, but it's easier if you install the recent components...

  5. A mountain of sloppy code? by Futurepower(R) · · Score: 4, Informative


    While researching the article linked below, I developed the impression that Microsoft has for years allowed its programmers to submit sloppy code. Now bugs are not easily found or fixed because everything is a mess.

    Windows XP Shows the Direction Microsoft is Going.

  6. Re:why? by GnomeKing · · Score: 5, Informative

    Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

    I guess the same reason that...
    Security Vulnerabilities in KDE 2.1-3.0.4, 3.1 RC3
    Trojan Found in libpcap and tcpdump
    Bind 4 and 8 Vulnerabilities
    and
    Vulnerability In Linksys Cable/DSL Router

    were posted?

    i.e. this particular article would have been posted were it about windows, redhat, solaris or pretty much any other "widly used" system

  7. And while where at it... by Theodore+Logan · · Score: 4, Informative

    Perhaps it's the same exploits mentioned in the linked Slashdot article, and in that case pardon my ignorance. If not, I haven't seen these nine security holes talked about at too many places. Why I don't know. They are certainly vicious.

    However, I am getting a little tired at all the MS bashing on Slashdot. It has been said before, but do we really need to have a story posted each time an Outlook/Explorer security breach, no matter how insignificant, is made public?

    --

    "If you think education is expensive, try ignorance" - Derek Bok

  8. Re:why? by _bug_ · · Score: 5, Informative

    Because in a recent /. story there is reference to a recent /. poll which shows 47% of those who responded still use a Windows operating system.

    Nearly half of /. users use Windows.

    This would seem to validate the need to have stories about Microsoft software bugs, especially those as grevious as this, on /.

  9. Re:Question by gmoschin · · Score: 5, Informative

    Actually, you can.. at least, on Windows XP.. I haven't tried earlier versions.

    Create a shortcut to Internet Explorer.

    Right-click the shortcut, choose "Run As.."

    The option "Current User" and "Protect my computer and data from unauthorized program activity" should be checked.

    Click OK to run Internet Explorer in "secure mode".

    Caveats to running in this mode:
    Your bookmarks or links won't appear, but they'll still be there if you run it in normal mode.
    Other web-based programs may not run correctly.

    You can test to see if it's working by going to Windows Update - if it's secure, you'll see something about having to run Windows Update as an administrator.

  10. Re:MS buffer overrun theory by ChaosDiscord · · Score: 4, Informative
    The lack of an snprintf method in the DevStudio standard C lib...
    From my time as a Windows developer, I have alot of grudges against Microsoft. (I've even publically aired some of them.) But I can't complain about lack of a snprintf. It's right here, and has been for at least five years. If an obvious function appears to be missing, look for a version prefixed with an underscore. (Of course, it seems stupid to me that it's prefixed with an underscore, instead of conforming to other systems, but that's a different issue.)
    --
    Search 2010 Gen Con events
  11. RTFM : lol... Try Runas.. by bored · · Score: 5, Informative

    Re enable the runas service (it's on by default). Now try right clicking an exe with the shift button held down. See that "Run As..." menu item? Click it, now the program will run with alternate use privledge. Welcome to NT... What I want to know is why 99% of the fscking setup programs need to run as admin to install simple little applets into my user context..

  12. Unsafe at any release? by geoff+lane · · Score: 5, Informative
    For those of us still running Win95 on hardware that cannot support '98 or XP there is no fix for the recent critical IE security problems.

    So, to fix this particular little problem needs a hardware replacement "upgrade" :-(

  13. Score one against DRM !!! by Anonymous+Custard · · Score: 5, Informative

    From the MS Technet article:

    Q: Why would an attacker be able to silently re-introduce the old version of the control? Shouldn't there be a warning message?

    A: A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.

    Ha! Microsoft is now providing very well written ammunition to the Anti-DRM movement; this makes me very happy.

    --
    $8.95/mo web hosting