'Critical' Windows Help, SQL Flaws Patched
Microsoft has patched a "critical" security flaw in the HTML Help facility in most major versions of its Windows OS, warning that an unchecked buffer could allow hackers to take control of vulnerable systems.
A security advisory from the Redmond-based
software giant said the ActiveX control in the Windows HTML Help facility
contained the vulnerability, which was detected by Rapid7, Inc.
"One of the functions exposed via the (ActiveX) control contains an
unchecked buffer, which could be exploited by a web page hosted on an
attacker's site or sent to a user as an HTML mail. An attacker who
successfully exploited the vulnerability would be able to run code in the
security context of the user, thereby gaining the same privileges as the
user on the system," Microsoft warned.
Affected software includes Windows 98, Windows 98 Second Edition, Windows
ME, Windows NT 4.0, Windows NT 4.0 (Terminal Server Edition), Windows 2000
and the new Windows XP.
The company also warned that a second vulnerability exists because of flaws
associated with the handling of compiled HTML Help (.chm) files that contain
shortcuts.
Because shortcuts allow HTML Help files to take specific action on the
system, only trusted HTML Help files should be allowed to use them. Two
flaws allow this restriction to be bypassed, Microsoft warned.
The HTML Help facility incorrectly determines the Security Zone in the case
where a web page or HTML mail delivers a .chm file to the Temporary Internet
Files folder and subsequently opens it. Instead of handling the .chm file in
the correct zone (the one associated with the web page or HTML mail that
delivered it), Microsoft warned that the HTML Help facility incorrectly
handles it in the Local Computer Zone, considering it trusted and allowing
it to use shortcuts.
"This error is compounded by the fact that the HTML Help facility doesn't
consider what folder the content resides in. Were it to do so, it could
recover from the first flaw, as content within the Temporary Internet Folder
is clearly not trusted, regardless of the Security Zone it renders in,"
according to the advisory.
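As an added illustration (not code from the article or from Microsoft), the two trust decisions the advisory describes, modelled in Python: the flawed version derives the Security Zone from where the .chm file now sits and never consults its folder, while the hardened version uses the zone of the page or mail that delivered the file and, independently, refuses anything in the Temporary Internet Files folder. The zone-by-location mapping, the cache path and the file names are constructed assumptions for the example.

```python
"""Trust decision for HTML Help (.chm) shortcuts: flawed vs hardened (constructed model)."""
from enum import IntEnum
from pathlib import PureWindowsPath


class Zone(IntEnum):  # ordered from least to most restrictive
    LOCAL_COMPUTER = 0
    INTRANET = 1
    TRUSTED = 2
    INTERNET = 3
    RESTRICTED = 4


def zone_from_location(chm_path: str) -> Zone:
    """Assumed zone-by-location rule: a UNC share maps to Intranet, anything else on disk to Local Computer."""
    return Zone.INTRANET if str(PureWindowsPath(chm_path)).startswith("\\\\") else Zone.LOCAL_COMPUTER


def in_temporary_internet_files(chm_path: str) -> bool:
    """True when the file sits anywhere under the browser cache folder ('Temporary Internet Files')."""
    return "temporary internet files" in [part.lower() for part in PureWindowsPath(chm_path).parts]


def flawed_shortcuts_allowed(chm_path: str, delivering_zone: Zone) -> bool:
    """Flaw 1: zone is taken from where the file now sits, so a cached file looks local.
    Flaw 2: the folder the content resides in is never consulted."""
    return zone_from_location(chm_path) == Zone.LOCAL_COMPUTER


def hardened_shortcuts_allowed(chm_path: str, delivering_zone: Zone) -> bool:
    """Fix 1: the effective zone is never less restrictive than the zone that delivered the file.
    Fix 2: cached content is untrusted regardless of zone, which recovers even if the zone is wrong."""
    if in_temporary_internet_files(chm_path):
        return False
    effective = max(delivering_zone, zone_from_location(chm_path))
    return effective == Zone.LOCAL_COMPUTER


# Constructed scenario from the advisory: an HTML mail drops a .chm into the cache, then opens it.
CACHED_CHM = r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\delivered[1].chm"
LOCAL_CHM = r"C:\Program Files\SomeApp\help.chm"

if __name__ == "__main__":
    print("flawed, cached .chm from the Internet  :", flawed_shortcuts_allowed(CACHED_CHM, Zone.INTERNET))    # True
    print("hardened, cached .chm from the Internet:", hardened_shortcuts_allowed(CACHED_CHM, Zone.INTERNET))  # False
    print("hardened, locally installed help file  :", hardened_shortcuts_allowed(LOCAL_CHM, Zone.LOCAL_COMPUTER))  # True
```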
Although Microsoft rated the flaw "critical," it said an attack scenario
"would be complex": it would involve using an HTML mail to deliver a .chm
file that contains a shortcut, then making use of the flaws to open it and
allow the shortcut to execute.
It said an HTML mail-based attack could not be exploited on systems where
Outlook 98 or Outlook 2000 were used alongside the Outlook Email Security
Update, or Outlook Express 6 or Outlook 2002 were used in their default
configurations.
The company issued a patch to plug the holes but warned that users must be
running Internet Explorer 5.01, 5.5, or 6.0 for the patch to be effective.
Separately, Microsoft issued bulletins for two other flaws with "moderate"
ratings. Those exist in the file decompression tool in Windows Millennium
Edition, Windows XP and the Windows 98 Plus Pack.
Microsoft said the bugs could allow the execution of dangerous code on a
compromised system.
Redmond also released a cumulative
security patch for SQL Server 2000 and 7.0 that includes the
functionality of all previously released patches as well as fixes for four
other new bugs.
The new vulnerabilities fixed by the SQL Server patch include: