Original release date: August 11, 2000<BR>
Last revised: August 14, 2000<BR>
Source: CERT/CC<BR>

<P>A complete revision history is at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<UL>
<li>Internet Explorer 4.x, 5.x
<li>Microsoft Access 97 or 2000
</UL>

<A NAME="overview">
<H2>Overview</H2>



<P>
Under certain conditions, Internet Explorer can open Microsoft Access
database or project files containing malicious code and execute the
code without giving a user prior warning.  Access files that are
referenced by OBJECT tags in HTML documents can allow attackers to
execute arbitrary commands using Visual Basic for Applications (VBA)
or macros.
</P>

<P>
A patch which protects against all known variants of attack exploiting
this vulnerability is now available. A workaround which was previously
suggested provided protection against one specific publicly-available
exploit using .mdb files but did not protect against attack using many
other Access file types. (See <a href="#references">Appendix B</a> for
a complete list of file types.)
</P>


<A NAME="description">
<H2>I. Description</H2>

<P>
Last month, a workaround for the "IE Script" vulnerability was
addressed in Microsoft Security Bulletin MS00-049: Subsection
"Workaround for 'The IE Script' Vulnerability." Microsoft has just
re-released <a
href="http://www.microsoft.com/technet/security/bulletin/ms00-049.asp">MS00-049</a>,
which now includes information about a patch for this
vulnerability. The <a href="http://www.cert.org">CERT Coordination
Center</a> is issuing this advisory to raise awareness in the Internet
community about the need to apply this patch to protect IE users
against all variants of attacks which can exploit this particular
vulnerability.
</P>

<H4>Initial Findings</H4> 

<P>
Many of the initial public details about the vulnerability were
discussed on the <a href="http://www.securityfocus.com">SecurityFocus</a>
Bugtraq mailing list, as well as in a <a href="http://www.sans.org">SANS</a> Flash Advisory:

<DL><DD>
<a href="http://www.securityfocus.com/bid/1398">http://www.securityfocus.com/bid/1398</a>
<BR>
<a href="http://www.sans.org/newlook/resources/win_flaw.htm">http://www.sans.org/newlook/resources/win_flaw.htm</a>
</DL>
</P>

<P>
This vulnerability in IE can be used to open Access data or project
files. (See <a href="#references">Appendix B</a> for a complete list of
file types.) Visual Basic for Applications (VBA) code embedded within
these files will then execute. If a warning message appears (depending
on the security settings in IE), it will only do so <i>after</i> the
code has been run.
</P>

<P>
Attackers exploit this vulnerability by placing OBJECT tags in HTML
files posted on malicious Web sites or transmitted via email or via
newsgroup postings. The OBJECT tag can look like

<DL><DD>
<PRE>
     &lt;OBJECT data="database.mdb" id="d1"&gt;&lt;/OBJECT&gt;
</PRE>
</DL>

Note, however, the file extension does not have to be .mdb; an
attacker may use any of the ones listed in <a
href="#references">Appendix B</a>.

</P>



<P>
The Access file can then open before any warning messages are
displayed, regardless of the default security settings in either IE or
Access. Since Access files can contain VBA or macro code executed upon
opening the file, arbitrary code can be run by a remote intruder on a
victim machine without prior warning.
</P>

<P>
This is not an ActiveX issue per se. However, because all Microsoft
Office documents are normally treated like ActiveX controls, Microsoft
Access files are by default treated as unsafe for scripting within the
IE Security Zone model. This vulnerability can nonetheless be used to
reference an Access file and execute VBA or macro code even if
scripting has been disabled in Internet Explorer.
</P>


<H4>Other Vulnerable OBJECT tag extensions</H4>

<P>
In Microsoft Security Bulletin MS00-049, Microsoft initially provided
a workaround for this vulnerability which involved setting the Admin
password in MS Access.  However, unlike with Access data files,
setting the Admin password will not protect against exploits using
project files (.ade, .adp). (<a href="#references">See Appendix
B</a>.)
</P>

<P>
Because Access project files rely on a SQL back end to authenticate
their requests, a project file created without SQL content can bypass
the default authentication for such requests in MS Access. For more
information regarding Access project files, see
<BR>

<DL><DD>
    <a href="http://msdn.microsoft.com/library/techart/acaccessprojects.htm">http://msdn.microsoft.com/library/techart/acaccessprojects.htm</a>
</DL>
</P>


<A NAME="impact">
<H2>II. Impact</H2>

<P>
A remote intruder can send malicious HTML via an email message,
newsgroup posting, or downloaded Web page and may be able to execute
arbitrary code on a victim machine.
</P>

<A NAME="solution">
<H2>III. Solution</H2>

<H4>Apply the patch provided by Microsoft</H4>

<P>
Microsoft has released the following patch which addresses the "IE
Script" vulnerability, as well as others:
<br>

<DL><DD>
<a href="http://www.microsoft.com/windows/ie/download/critical/patch11.htm">http://www.microsoft.com/windows/ie/download/critical/patch11.htm</a>
</DL>

</P>

<P>
Please see <a href="http://www.microsoft.com/technet/security/bulletin/ms00-055.asp">MS00-055</a> "Patch Available for 'Scriptlet Rendering' Vulnerability" for additional information regarding other issues addressed by this patch:

<DL><DD>
<a href="http://www.microsoft.com/technet/security/bulletin/ms00-055.asp">http://www.microsoft.com/technet/security/bulletin/ms00-055.asp</a>
</DL>

Note that the OBJECT tag issues addressed by <a
href="http://www.microsoft.com/technet/security/bulletin/ms00-049.asp">MS00-049</a>,
<a
href="http://www.microsoft.com/technet/security/bulletin/ms00-055.asp">MS00-055</a>,
and this advisory are separate from those addressed by the recently
released <a
href="http://www.microsoft.com/technet/security/bulletin/ms00-056.asp">MS00-056</a>:
"Patch Available for 'Microsoft Office HTML Object Tag'
Vulnerability."
</P>

<P>
Microsoft's initial workaround for this issue was for users to set the
Admin password for Access. Since Access does not allow a user to
disable VBA code embedded in Access data and project files, the CERT
Coordination Center recommends that users follow the suggested
workaround and set the Admin password even after the patch for this
vulnerability has been applied.
</P>

<P>Appendix A contains information provided by vendors for this
advisory. We will update the appendix as we receive more information.
If you do not see your vendor's name, the CERT/CC did not hear from
that vendor. Please contact your vendor directly.</P>

<A NAME="vendors">
<H2>Appendix A. Vendor Information</H2>

<A NAME="microsoft">
<H4>Microsoft Corporation</H4>

<P>Microsoft has published the following documents regarding this issue:
<BR>

<DL><DD>
<a href="http://www.microsoft.com/technet/security/bulletin/ms00-049.asp">http://www.microsoft.com/technet/security/bulletin/ms00-049.asp</a>
<br>
<a href="http://www.microsoft.com/technet/security/bulletin/fq00-049.asp">http://www.microsoft.com/technet/security/bulletin/fq00-049.asp</a>
<br>
<a href="http://www.microsoft.com/technet/support/kb.asp?ID=269368">http://www.microsoft.com/technet/support/kb.asp?ID=269368</a>
</DL>

</P>

<!-- end microsoft -->

<A NAME="references">
<H2>Appendix B. Additional Information</H2>
<P>The file extensions that an OBJECT tag may reference in order to exploit this vulnerability are listed below:
<br>

<ul>
<li><b>.adp</b> &#151; Microsoft Access project file
<li><b>.ade</b> &#151; ADP file with all modules compiled and all editable source code removed

<li><b>.mda</b> &#151; Microsoft Access VBA add-in
<li><b>.mdb</b> &#151; Microsoft Access database file
<li><b>.mde</b> &#151; MDB file with all modules compiled and all editable source code removed

<li><b>.mdw</b> &#151; Microsoft Access workgroup information file, a
        synonym for the system database used to store group and user
        account names and the passwords used to authenticate users
        when they log on to an Access database or MDE file secured
        with user-level security
</ul>


<P>The patch provided by Microsoft addresses all the file extensions
identified above.
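<P>Defenders who filter mail or proxy web content may want to flag HTML
that references any of the file types above from an OBJECT tag, as the
example tag in Section I does. The following scanner is an added
example written for this advisory; it is not CERT/CC or Microsoft code.
It uses only the Python standard library, and the sample HTML embedded
in it is constructed for illustration (the host name
<tt>example.invalid</tt> is a placeholder). It handles the cases a
naive string match misses: upper-case extensions, full URLs, query
strings and fragments, and percent-encoded file names.

```python
"""Scan HTML for <OBJECT> tags whose data attribute references a Microsoft
Access file type listed in Appendix B of CERT Advisory CA-2000-16.

Added example for this advisory (not CERT/CC or Microsoft code).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote
import posixpath

# File extensions from Appendix B; all are covered by the Microsoft patch.
ACCESS_EXTENSIONS = {".adp", ".ade", ".mda", ".mdb", ".mde", ".mdw"}


def access_extension(ref):
    """Return the Access extension referenced by a data= value, or None.

    Accepts relative paths and full URLs, strips query strings and
    fragments, decodes percent-encoding, and matches case-insensitively.
    """
    if ref is None:
        return None
    path = urlparse(ref.strip()).path
    ext = posixpath.splitext(unquote(path))[1].lower()
    return ext if ext in ACCESS_EXTENSIONS else None


class AccessObjectScanner(HTMLParser):
    """Collect every OBJECT tag whose data attribute points at an Access file."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, column, data value, extension)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "object":
            return
        for name, value in attrs:
            if name == "data":
                ext = access_extension(value)
                if ext:
                    line, col = self.getpos()
                    self.findings.append((line, col, value, ext))


def scan_html(html):
    """Return a list of (line, column, data value, extension) findings."""
    scanner = AccessObjectScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample (not from the advisory): two OBJECT tags reference
# Access files, the second via a full URL with an upper-case extension,
# a query string and a fragment; the IMG and the third OBJECT are benign.
SAMPLE_HTML = """<html><body>
<p>Quarterly report</p>
<OBJECT data="database.mdb" id="d1"></OBJECT>
<img src="logo.gif">
<object DATA='http://example.invalid/files/report.ADE?v=2#top' id=d2></object>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
</body></html>"""

if __name__ == "__main__":
    for line, col, value, ext in scan_html(SAMPLE_HTML):
        print(f"line {line} col {col}: OBJECT references {ext} file: {value}")
```

Run as a script, it reports the two Access references in the sample and
ignores the rest. A content filter like this is a detection aid only:
it does not see attributes assembled by script at run time, so applying
the Microsoft patch remains the actual fix.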

<P>Please consult the following resources for further information
regarding the other file types involved in exploiting this vulnerability:
<BR>

<ul>
<li><a href="http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#adefile">http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#adefile</a>
<li><a href="http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#adpfile">http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#adpfile</a>
<li><a href="http://msdn.microsoft.com/library/officedev/off2000/defAddIn.htm">http://msdn.microsoft.com/library/officedev/off2000/defAddIn.htm</a>
<li><a href="http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#mdbfile">http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#mdbfile</a>
<li><a href="http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#mdefile">http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#mdefile</a>
<li><a href="http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#workgroupinformationfile">http://www.microsoft.com/office/ork/2000/appndx/glossary.htm#workgroupinformationfile</a>
</ul>
</P>


<HR NOSHADE>

<P>The CERT Coordination Center thanks <a
href="mailto:joro@nat.bg">Georgi Guninski</a> for discovering this
vulnerability and <a href="mailto:tmullen@anchorsign.com">Timothy
Mullen</a>, <a href="mailto:sansro@sans.org">Alan Paller and the SANS
Research Office</a>, and the <a
href="mailto:secure@microsoft.com">Microsoft Security Response
Center</a> for their help in developing this advisory.
</P>

<HR NOSHADE>

<P>Author: <a href="mailto:cert@cert.org?subject=CA-2000-16%20Feedback">Jeffrey 
S. Havrilla</a>


<P>Copyright 2000 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
August 11, 2000:  Initial release
August 14, 2000:  Added Georgi Guninski to credits section.  Our apologies for the oversight.
</PRE>