The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Exploitation of "Scriptlet.Typelib" ActiveX Control</h2>

Date: Tuesday, June 6, 2000<p>
<h3>Overview</h3>

We have received reports of email-borne viruses that exploit a 
vulnerability created by unsafe configuration of the Microsoft 
ActiveX control named "Scriptlet.Typelib".

<h3>Description</h3>
<p>
The Microsoft ActiveX control Scriptlet.Typelib allows local
files to be created or modified, so it is unsafe to allow
untrusted programs to access this control. The control is incorrectly 
marked "safe for scripting" as shipped with Internet Explorer 
versions 4.0 and 5.0. As a result, malicious programs may be able
to execute the control without requesting approval from the user.
For example, an HTML-format email message that is rendered using 
Internet Explorer may be able to execute the Scriptlet.Typelib
control to create and modify local files.
<p>
We are aware of two email-borne viruses that are designed to exploit 
this vulnerability. Malicious VBScript programs known as Bubbleboy
and kak are designed to infect systems by altering the Windows 
registry and propagating themselves through email. In both cases, 
a malicious VBScript is delivered in the form of an HTML-format email 
message with characteristics that might entice a user to view the 
message. If the HTML in the email message is rendered by Internet 
Explorer, the VBScript may be executed. In vulnerable
configurations, the Scriptlet.Typelib ActiveX control can be called 
by the malicious program to create and modify local files.
<p>
It is important to note that some mail user agents, such as Outlook
2000 and Outlook Express 5, use Internet Explorer to render
HTML-format email messages. Rather than explicitly executing a
malicious file attachment, a user may cause a malicious program to
execute simply by viewing a message.
<p>
It is possible that other methods of delivering and executing malicious code
can be used to exploit vulnerable configurations of Scriptlet.Typelib; for
example, through a maliciously crafted web page.
<p>
We began receiving reports of kak and kak variants in late February
2000, and we continue to receive reports of new infections. As of this
writing, we have not received any direct reports of Bubbleboy
infections.
<p>
Information about kak and its variants can be found at
<p>
<dl>
<dd><b>Aladdin Knowledge Systems:</b><br/>
<a href="http://www.ealaddin.com/home/csrt/valerts.asp#VBS_KAK">http://www.ealaddin.com/home/csrt/valerts.asp#VBS_KAK</a></dd>
<dd><b>Computer Associates International, Inc.:</b><br/>
<a href="http://www.cai.com/virusinfo/encyclopedia/descriptions/wscript.htm">http://www.cai.com/virusinfo/encyclopedia/descriptions/wscript.htm</a></dd>
<dd><b>F-Secure:</b><br/>
<a href="http://www.f-secure.com/v-descs/kak.htm">http://www.f-secure.com/v-descs/kak.htm</a></dd>
<dd><b>Network Associates (McAfee &amp; Dr. Solomon):</b><br/>
<a href="http://vil.nai.com/villib/dispVirus.asp?virus_k=10509&amp;">http://vil.nai.com/villib/dispVirus.asp?virus_k=10509&amp;</a></dd>
<dd><b>Norman Data Defense Systems:</b><br/>
<a href="http://www.norman.no/virus_info/js_kak_worm.shtml">http://www.norman.no/virus_info/js_kak_worm.shtml</a></dd>
<dd><b>Proland Software:</b><br/>
<a href="http://www.pspl.com/virus_info/worms/kak.htm">http://www.pspl.com/virus_info/worms/kak.htm</a></dd>
<dd><b>Sophos Anti-Virus:</b><br/>
<a href="http://www.uk.sophos.com/virusinfo/analyses/vbskakworm.html">http://www.uk.sophos.com/virusinfo/analyses/vbskakworm.html</a></dd>
<dd><b>Symantec:</b><br/>
<a href="http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html">http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html</a></dd>
</dl>
<p>
Information about BubbleBoy can be found at
<p>
<dl>
<dd><b>Central Command, Inc.:</b><br/>
<a href="http://www.avpve.com/viruses/worms/bubblebo.html">http://www.avpve.com/viruses/worms/bubblebo.html</a></dd>
<dd><b>Computer Associates International, Inc.:</b><br/>
<a href="http://www.cai.com/virusinfo/encyclopedia/descriptions/bubble.htm">http://www.cai.com/virusinfo/encyclopedia/descriptions/bubble.htm</a></dd>
<dd><b>F-Secure:</b><br/>
<a href="http://www.f-secure.com/v-descs/bubb-boy.htm">http://www.f-secure.com/v-descs/bubb-boy.htm</a></dd>
<dd><b>Network Associates, Inc. (McAfee &amp; Dr. Solomon's Software):</b><br/>
<a href="http://vil.nai.com/villib/dispVirus.asp?virus_k=10418">http://vil.nai.com/villib/dispVirus.asp?virus_k=10418</a></dd>
<dd><b>Norman Data Defense Systems:</b><br/>
<a href="http://www.norman.no/virus_info/vbs_bubble.shtml">http://www.norman.no/virus_info/vbs_bubble.shtml</a></dd>
<dd><b>Proland Software:</b><br/>
<a href="http://www.pspl.com/trojan_info/win32/bubbleboy.htm">http://www.pspl.com/trojan_info/win32/bubbleboy.htm</a></dd>
<dd><b>Sophos Anti-Virus:</b><br/>
<a href="http://www.uk.sophos.com/virusinfo/analyses/vbsbubbleboy.html">http://www.uk.sophos.com/virusinfo/analyses/vbsbubbleboy.html</a></dd>
<dd><b>Symantec:</b><br/>
<a href="http://www.symantec.com/avcenter/venc/data/vbs.bubbleboy.html">http://www.symantec.com/avcenter/venc/data/vbs.bubbleboy.html</a></dd>
<dd><b>Trend Micro, Inc.:</b><br/>
<a href="http://www.antivirus.com/vinfo/security/sa110999.htm">http://www.antivirus.com/vinfo/security/sa110999.htm</a></dd>
</dl>
<p>
<h3>Impact</h3>
<p>
Viruses or other malicious code contained in HTML-format email or
web pages can exploit Scriptlet.Typelib to create and modify local 
files.
<p>
<h3>Solutions</h3>
<p>
Microsoft produced a patch that will remove the "safe for scripting"
marking from the Scriptlet.Typelib ActiveX control. More information
about the vulnerable condition and the patch is available from
Microsoft at:
<p>
<dl>
<dd><a href="http://www.microsoft.com/security/bulletins/ms99-032.asp">http://www.microsoft.com/security/bulletins/ms99-032.asp</a></dd>
<dd><a href="http://www.microsoft.com/technet/security/bulletin/fq99-032.asp">http://www.microsoft.com/technet/security/bulletin/fq99-032.asp</a></dd>
<dd><a href="http://support.microsoft.com/support/kb/articles/q240/3/08.asp">http://support.microsoft.com/support/kb/articles/q240/3/08.asp</a></dd>
</dl>
<p>
With the patch applied, the default action is for the user to be
prompted before Scriptlet.Typelib is executed. Even with the patch
installed, a user can choose to allow the control to be executed. 
If the control is allowed to execute, local files can still be 
created and modified.
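<p>One way to audit whether a control still carries the "safe for scripting" marking, shown as an added example that is not part of the original incident note or of Microsoft's patch: the script reads a registry export (.reg text) and checks whether the class behind a ProgID registers the safe-for-scripting component category. It assumes the marking is recorded under the class's Implemented Categories key; a control can also declare itself safe at run time through IObjectSafety, which this check does not see. The function names and sample exports are constructed for illustration, and the CLSID is a placeholder.</p>

```python
import re

# Standard COM component-category IDs (subkeys of "Implemented Categories").
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA8-00AA006C2AB4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA8-00AA006C2AB4}"
_ROOTS = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\", "HKEY_CLASSES_ROOT\\")

# Constructed sample exports. The CLSID is a placeholder, not the control's real one.
SAMPLE_MARKED = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Scriptlet.Typelib\CLSID]
@="{00000000-0000-0000-0000-0000000000AA}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000AA}\Implemented Categories\{7DD95801-9882-11CF-9FA8-00AA006C2AB4}]
"""
SAMPLE_UNMARKED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scriptlet.Typelib\CLSID]
@="{00000000-0000-0000-0000-0000000000AA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-0000000000AA}\Implemented Categories]
"""


def parse_reg(text):
    """Return {upper-cased key path below the classes root: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].upper()
            # Treat HKCR and HKLM\SOFTWARE\Classes exports as the same tree.
            path = next((path[len(r):] for r in _ROOTS if path.startswith(r)), path)
            current = keys.setdefault(path, {})
        elif current is not None and (m := re.match(r'(@|"[^"]*")="(.*)"$', line)):
            current[m.group(1).strip('"')] = m.group(2)
    return keys


def audit_progid(reg_text, progid):
    """Resolve progid to its CLSID and report which safety categories it registers."""
    keys = parse_reg(reg_text)
    clsid = keys.get(f"{progid.upper()}\\CLSID", {}).get("@")
    if clsid is None:
        return {"progid": progid, "registered": False}
    base = f"CLSID\\{clsid.upper()}\\IMPLEMENTED CATEGORIES\\"
    return {"progid": progid, "registered": True, "clsid": clsid,
            "safe_for_scripting": base + CATID_SAFE_FOR_SCRIPTING in keys,
            "safe_for_init": base + CATID_SAFE_FOR_INIT in keys}

if __name__ == "__main__":
    print(audit_progid(SAMPLE_MARKED, "Scriptlet.Typelib"))
```

<p>A result with <code>safe_for_scripting</code> set to true means script in rendered HTML can instantiate the control without a prompt, which is the condition this note describes.</p>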
<p>
<b>Authors</b>: Kevin Houle, Chad Dougherty, Brian King<br/>
<p>Copyright 2000 Carnegie Mellon University.</p>
</p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p>