Vulnerability in Web View Could Allow Remote Code Execution (894320)
http://www.microsoft.com/technet/security/Bulletin/MS05-024.mspx
Who should read this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Recommendation: Customers should apply the update at the earliest opportunity.
Security Update Replacement: None
Caveats: None
Tested Software and Security Update Download Locations:
Affected Software:
Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Non-Affected Software:
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.
Executive Security Patch Summary:
This update resolves a newly-discovered, public vulnerability. A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields. By persuading a user to preview a malicious file, an attacker could execute arbitrary code in the context of the logged on user. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability.
We recommend that customers apply the update at the earliest opportunity.
Severity Ratings and Vulnerability Identifiers:
Vulnerability Details
Web View Script Injection Vulnerability – CAN-2005-1191:
A remote code execution vulnerability exists in the way that Web View in Windows Explorer handles certain HTML characters in preview fields. By persuading a user to preview a malicious file, an attacker could execute code. However, user interaction is required to exploit this vulnerability.
Mitigating Factors for Web View Script Injection Vulnerability – CAN-2005-1191:
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site. After they click the link, they would be prompted to perform an action. An attack could only occur after they performed these actions.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The vulnerability could not be exploited automatically through e-mail. For an attack to be successful through e-mail, a user must save an attachment locally and preview it from within Windows Explorer.
Workarounds for Web View Script Injection Vulnerability – CAN-2005-1191:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Disable Web View
Disabling Web View will reduce the ability to maliciously use this feature to perform an attack. To disable Web View, follow these steps:
1. Open My Computer.
2. Under the Tools menu, select Folder Options.
3. On the General tab in the Web View section, select Use Windows classic folders.
4. Click OK.
5. These settings will only fully take effect after a user has logged off and then logged back onto the affected system.
Impact of Workaround: This change will reduce the functionality of Windows Explorer by removing the left-hand task pane, which contains links to common folders and tasks.
Block Outbound TCP ports 139 and 445 at the perimeter firewall:
These ports are used to initiate a connection via the Server Message Block (SMB) protocol. Blocking outbound SMB traffic at the perimeter firewall will help prevent systems from attempting to connect to a malicious file server outside of the firewall. For more information about the ports, visit the following web site.
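An added example, not part of the Microsoft bulletin: one way to confirm the outbound block is effective is to audit perimeter firewall logs for allowed TCP 139/445 connections from internal hosts to external addresses. The log format, the 10.0.0.0/8 internal range and all sample records below are constructed assumptions.

```python
import ipaddress

SMB_PORTS = {139, 445}  # the two TCP ports named in the workaround
# Assumption: the site's internal address space; adjust to the real ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample records: time, source, destination, dest port, protocol, action.
SAMPLE_LOG = """\
2005-05-10T09:14:02 10.1.4.23 192.0.2.50 445 tcp ALLOW
2005-05-10T09:14:05 10.1.4.23 10.1.9.8 445 tcp ALLOW
2005-05-10T09:15:40 10.1.7.61 198.51.100.7 139 tcp DENY
2005-05-10T09:16:11 10.1.7.61 203.0.113.9 80 tcp ALLOW
2005-05-10T09:17:30 10.1.2.14 198.51.100.7 139 tcp ALLOW
malformed line
2005-05-10T09:18:02 10.1.2.14 198.51.100.7 445 udp ALLOW
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_record(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        port = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": port,
            "proto": proto.lower(), "action": action.upper()}

def outbound_smb_leaks(log_text):
    """Records where the firewall ALLOWED internal -> external TCP 139/445."""
    records = (parse_record(line) for line in log_text.splitlines())
    return [r for r in records if r
            and r["proto"] == "tcp" and r["dport"] in SMB_PORTS
            and r["action"] == "ALLOW"
            and is_internal(r["src"]) and not is_internal(r["dst"])]

if __name__ == "__main__":
    for r in outbound_smb_leaks(SAMPLE_LOG):
        print(f'{r["ts"]} {r["src"]} -> {r["dst"]}:{r["dport"]} was allowed')
```

Any record this returns means the perimeter rule is missing or bypassed for that path.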
Affected Software:
Windows 2000 (all versions)
Security Update Prerequisites
For Windows 2000, this security update requires Service Pack 3 (SP3) or Service Pack 4 (SP4).
Restart Requirement
You must restart your system after you apply this security update. For more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.
Removal Information
To remove this security update, use the Add or Remove Programs tool in Control Panel.