‘Critical’ Windows Help, SQL Flaws Patched

Microsoft has patched a “critical” security flaw in the
HTML Help facility in most major versions of its Windows OS, warning that an
unchecked buffer could allow hackers to take control of vulnerable systems.

A security advisory from the Redmond-based
software giant said the ActiveX control in the Windows HTML Help facility
contained the vulnerability, which was detected by Rapid7, Inc.

“One of the functions exposed via the (ActiveX) control contains an
unchecked buffer, which could be exploited by a web page hosted on an
attacker’s site or sent to a user as an HTML mail. An attacker who
successfully exploited the vulnerability would be able to run code in the
security context of the user, thereby gaining the same privileges as the
user on the system,” Microsoft warned.

Affected software includes Windows 98, Windows 98 Second Edition, Windows
ME, Windows NT 4.0, Windows NT 4.0 (Terminal Server Edition), Windows 2000
and the new Windows XP.

The company also warned that a second vulnerability exists because of flaws
associated with the handling of compiled HTML Help (.chm) files that contain
shortcuts.

Because shortcuts allow HTML Help files to take specific action on the
system, only trusted HTML Help files should be allowed to use them. Two
flaws allow this restriction to be bypassed, Microsoft warned.

The HTML Help facility incorrectly determines the Security Zone in the case
where a web page or HTML mail delivers a .chm file to the Temporary Internet
Files folder and subsequently opens it. Instead of handling the .chm file in
the correct zone (the one associated with the web page or HTML mail that
delivered it), Microsoft warned that the HTML Help facility incorrectly
handles it in the Local Computer Zone, considering it trusted and allowing
it to use shortcuts.

“This error is compounded by the fact that the HTML Help facility doesn’t
consider what folder the content resides in. Were it to do so, it could
recover from the first flaw, as content within the Temporary Internet Folder
is clearly not trusted, regardless of the Security Zone it renders in,”
according to the advisory.
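To make the two zone-determination flaws concrete, here is an added illustrative model (not Microsoft's code, and not taken from the advisory) of how a trust decision for a delivered .chm file goes wrong when the zone is derived from the file's on-disk location, and how the two checks the advisory describes (honour the delivering zone; never trust the cache folder) correct it. The cache path and file names are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from pathlib import PureWindowsPath
from typing import Optional


class Zone(Enum):
    LOCAL_COMPUTER = "Local Computer"
    INTRANET = "Local Intranet"
    TRUSTED = "Trusted Sites"
    INTERNET = "Internet"
    RESTRICTED = "Restricted Sites"


# Constructed sample location of the cache folder; the real path depends on the profile.
TEMP_INTERNET_FILES = PureWindowsPath(
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files")


@dataclass
class ChmFile:
    path: str                       # where the .chm sits on disk
    delivered_from: Optional[Zone]  # zone of the page/mail that delivered it; None if created locally


def _in_cache_folder(path: str) -> bool:
    """True when the file lives anywhere under the Temporary Internet Files folder."""
    return TEMP_INTERNET_FILES in PureWindowsPath(path).parents


def zone_flawed(chm: ChmFile) -> Zone:
    """Model of the behaviour the advisory describes: the zone is taken from where the
    file sits, so a .chm on any local path ends up in the Local Computer Zone."""
    return Zone.LOCAL_COMPUTER


def zone_fixed(chm: ChmFile) -> Zone:
    """Corrected model with both checks from the advisory."""
    if _in_cache_folder(chm.path):
        # Second check: cached content is never trusted, whatever zone it renders in.
        if chm.delivered_from in (None, Zone.LOCAL_COMPUTER):
            return Zone.INTERNET
    if chm.delivered_from is not None:
        # First check: inherit the zone of the page or mail that delivered the file.
        return chm.delivered_from
    return Zone.LOCAL_COMPUTER


def shortcuts_allowed(zone: Zone) -> bool:
    """Shortcuts can act on the system, so only Local Computer Zone content may use them."""
    return zone is Zone.LOCAL_COMPUTER
```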

While rating the flaw “critical,” Microsoft said an attack scenario “would
be complex”: it would involve using an HTML mail to deliver a .chm file that
contains a shortcut, then making use of the flaws to open it and allow the
shortcut to execute.

It said an HTML mail-based attack could not be carried out on systems where
Outlook 98 or Outlook 2000 was used alongside the Outlook Email Security
Update, or where Outlook Express 6 or Outlook 2002 was used in its default
configuration.

The company issued a patch to plug the holes but warned that the patch is
effective only on systems running Internet Explorer 5.01, 5.5, or 6.0.

Separately, Microsoft issued bulletins for two other flaws with “moderate”
ratings. Those exist in the file decompression tool in Windows Millennium
Edition, Windows XP and the Windows 98 Plus Pack.

Microsoft said the bugs could allow the execution of dangerous code on a
compromised system.

Redmond also released a cumulative security patch for SQL Server 2000 and
7.0 that includes the functionality of all previously released patches as
well as fixes for four other new bugs.

The new vulnerabilities fixed by the SQL Server patch include:

  • Unchecked Buffer in SQL Server 2000 Authentication Function – A buffer
    overrun in a section of code in SQL Server 2000 (and MSDE 2000) associated
    with user authentication that could allow an attacker to either cause the
    server to fail or gain the ability to overwrite memory on the server,
    thereby potentially running code on the server in the security context of
    the SQL Server service.
  • Unchecked buffer in Database Console Commands – A buffer overrun
    vulnerability that occurs in one of the Database Console Commands (DBCCs)
    that ship as part of SQL Server 7.0 and 2000. In the most serious case,
    exploiting this vulnerability would enable an attacker to run code in the
    context of the SQL Server service, thereby giving the attacker complete
    control over all databases on the server.
  • Flaw in Output File Handling for Scheduled Jobs – A vulnerability
    associated with scheduled jobs in SQL Server 7.0 and 2000, which in certain
    situations could allow an unprivileged user to submit a job that would
    create a file containing valid operating system commands in another user’s
    Startup folder or simply overwrite system files in order to disrupt system
    operation.
  • Change in Operation of SQL Server – The patch also changes the operation
    of SQL Server to prevent non-administrative users from running ad hoc
    queries against non-SQL OLEDB data sources. Although the current operation
    does not represent a security vulnerability per se, the new operation makes
    it more difficult to misuse poorly coded data providers that might be
    installed on the server.
