Technical Cyber Security Alert 2004-184A
Posted Jul 2, 2004
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert TA04-163A - A class of vulnerabilities in IE allows malicious script from one domain to execute in a different domain which may also be in a different IE security zone. Attackers typically seek to execute script in the security context of the Local Machine Zone (LMZ).

tags | advisory, local, vulnerability
SHA-256 | 3018d809ec8c33d9aa35d9849eecffaa33b0b52cd7f226d20950eb53870042b3


Internet Explorer Update to Disable ADODB.Stream ActiveX Control

Original release date: July 2, 2004
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows systems

Overview

Microsoft has released a security update for Internet Explorer (IE)
that disables the ADODB.Stream ActiveX control. This update reduces
the impact of attacks against cross-domain vulnerabilities in IE.

I. Description

A class of vulnerabilities in IE allows malicious script from one
domain to execute in a different domain which may also be in a
different IE security zone. Attackers typically seek to execute script
in the security context of the Local Machine Zone (LMZ). One such
vulnerability (VU#713878) is described in US-CERT Technical Alert
TA04-163A. Other cross-domain vulnerabilities have similar impacts.

After obtaining access to the LMZ through one or more of the
vulnerabilities noted above, attackers typically attempt to download
and run an executable file. Writing the executable to disk can be
accomplished using the ADODB.Stream ActiveX control. In order to
defeat this technique, Microsoft has released an update that disables
the ADODB.Stream control. From Microsoft Knowledge Base Article
870669:

An ADO stream object contains methods for reading and writing
binary files and text files. When an ADO stream object is combined
with known security vulnerabilities in Internet Explorer, a Web
site could execute scripts from the Local Machine zone. To help
protect your computer from this kind of attack, you can manually
modify your registry.

It is important to note that there may be other ways for an attacker
to write arbitrary data or to execute commands without relying on the
ADODB.Stream control.

Further information is available from Microsoft in What You Should
Know About Download.Ject. Instructions for securing IE and other web
browsers against malicious web scripts are available in the Malicious
Web Scripts FAQ.

II. Impact

By convincing a victim to view an HTML document (web page, HTML
email), an attacker could execute script in a different security
domain than the one containing the attacker's document. By causing
script to be run in the Local Machine Zone, the attacker could execute
arbitrary code with the privileges of the user running IE.

Recent incident activity known as Download.Ject (also JS.Scob.Trojan,
Scob, JS.Toofeer) uses cross-domain vulnerabilities and the
ADODB.Stream control to install software that steals sensitive
financial information.

III. Solution

Until a complete solution is available from Microsoft, consider the
following workarounds.

Disable Active scripting and ActiveX controls

Disabling Active scripting and ActiveX controls in the Internet Zone
(or any zone used by an attacker) appears to prevent exploitation of
this vulnerability. Disabling Active scripting and ActiveX controls in
the Local Machine Zone will prevent widely used payload delivery
techniques from functioning. Instructions for disabling Active
scripting in the Internet Zone can be found in the Malicious Web
Scripts FAQ. See Microsoft Knowledge Base Article 833633 for
information about securing the Local Machine Zone. Also, Service Pack
2 for Windows XP (currently at RC2) includes these and other security
enhancements for IE.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages,
web forums, or Internet relay chat (IRC) channels. While this is
generally good security practice, following this advice will not
prevent exploitation of this vulnerability in all cases. For example,
a trusted web site could be compromised and modified to deliver
exploit script to unsuspecting clients.

Disable ADODB.Stream ActiveX control

One way to disable the ADODB.Stream control is to apply the update
from the Microsoft Download Center (KB870669) or the Windows Update
web site.

The ADODB.Stream control can also be disabled by modifying the Windows
registry as described in Microsoft Knowledge Base Article 870669.

Both of these methods disable ADODB.Stream by setting the kill bit for
the control in the Windows registry.

Note that disabling the ADODB.Stream control does not directly address
any cross-domain vulnerabilities, nor does it prevent attacks. This
workaround prevents a well-known and widely used technique for writing
arbitrary data to disk after a cross-domain vulnerability has been
exploited. There may be other ways for an attacker to write arbitrary
data or execute commands.
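The two registry-based workarounds above (locking down scripting and ActiveX per zone, and setting the kill bit for ADODB.Stream) can be audited from an administrator's console. The following PowerShell script is an added example, not part of the US-CERT alert or Microsoft's KB articles; the ADODB.Stream CLSID, the Compatibility Flags kill-bit value and the zone/action numbers are the editor's assumptions about Microsoft's documented registry layout and should be checked against KB870669 and KB833633 before use.

```powershell
# Added example (not from the alert): audit the ADODB.Stream kill bit and the
# per-zone Active scripting / ActiveX settings the alert recommends changing.
# Assumed values: CLSID and 0x400 kill bit per KB870669; zone 0 = Local Machine,
# zone 3 = Internet; action 1200 = Run ActiveX controls, 1400 = Active scripting;
# 0 = enable, 1 = prompt, 3 = disable.

$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'   # assumed CLSID
$KillBit          = 0x400
$KillBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$AdodbStreamClsid"

function Test-KillBit {
    # Returns $true when the Compatibility Flags DWORD has the 0x400 bit set.
    param([string]$Key)
    $flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    # Sets the kill bit while preserving any other flag bits already present.
    # Needs an elevated session; supports -WhatIf so the write can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($current -bor $KillBit)   # $null is treated as 0 here
    if ($PSCmdlet.ShouldProcess($Key, "set Compatibility Flags to 0x$($new.ToString('X'))")) {
        Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Get-ZoneScriptingState {
    # Reads the current user's zone policy; $null means the value is not set
    # and IE falls back to its built-in default for that zone.
    param([int]$Zone)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Zone            = $Zone
        ActiveXRun      = $p.'1200'
        ActiveScripting = $p.'1400'
    }
}

"ADODB.Stream kill bit set: $(Test-KillBit -Key $KillBitKey)"
Get-ZoneScriptingState -Zone 3   # Internet zone
Get-ZoneScriptingState -Zone 0   # Local Machine zone
```

Run `Set-KillBit -Key $KillBitKey -WhatIf` first to see the exact DWORD that would be written; a value of 3 for both 1200 and 1400 in the zone output corresponds to the "disable" setting the alert describes.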

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and
prevent some exploit attempts. Variations of exploits or attack
vectors may not be detected. Do not rely solely on anti-virus software
to defend against this vulnerability. More information about viruses
and anti-virus vendors is available on the US-CERT Computer Virus
Resources page.

Appendix A. Vendor Information

Microsoft Corporation

Please see What You Should Know About Download.Ject and Microsoft
Knowledge Base Article 870669.

Appendix B. References

* US-CERT Technical Alert TA04-163A -
<http://www.us-cert.gov/cas/techalerts/TA04-163A.html>
* US-CERT Vulnerability Note VU#713878 -
<http://www.kb.cert.org/vuls/id/713878>
* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html>
* Results of the Security in ActiveX Workshop (PDF) -
<http://www.cert.org/reports/activeX_report.pdf>
* What You Should Know About Download.Ject -
<http://www.microsoft.com/security/incident/download_ject.mspx>
* Increase Your Browsing and E-Mail Safety -
<http://www.microsoft.com/security/incident/settings.mspx>
* Working with Internet Explorer 6 Security Settings -
<http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx>
* Microsoft Knowledge Base Article 870669 -
<http://support.microsoft.com/default.aspx?kbid=870669>
* Microsoft Knowledge Base Article 833633 -
<http://support.microsoft.com/default.aspx?kbid=833633>
* Microsoft Knowledge Base Article 182569 -
<http://support.microsoft.com/default.aspx?kbid=182569>
* Microsoft Knowledge Base Article 240797 -
<http://support.microsoft.com/default.aspx?kbid=240797>
* Windows XP Service Pack 2 Release Candidate 2 Preview -
<http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>

Feedback can be directed to the author: Art Manion
_________________________________________________________________

The most current version of this alert can be found at

<http://www.us-cert.gov/cas/techalerts/TA04-184A.html>

Copyright 2004 Carnegie Mellon University.

Terms of use: <http://www.us-cert.gov/legal.html>
