Opinion: Parsing Microsoft's June Patches
- By Russ Cooper
- July 06, 2005
Microsoft released 10 new Security Bulletins (MS05-025 through MS05-
034), plus two revisions which included new binaries (MS05-004 and
MS05-019), in June. Highlights include:
MS05-025: Cumulative Security Update for Internet Explorer
Two vulnerabilities were addressed in this cumulative update for IE.
The first addresses yet another image format buffer overflow, this time
in the PNG (Portable Network Graphics) format. The second addresses a
vulnerability in how the browser handles certain XML (Extensible Markup
The XML vulnerability might get used as part of phishing attempts since
it would be possible for a malicious Web site to request XML data on
behalf of the victim, or retrieve XML data from the victim's system
(assuming the attacker knew exactly where the XML data resided.)
However, neither represents a significant vulnerability likely to be
exploited En masse.
MS05-027: Vulnerability in Server Message Block Could Allow Remote
SMB attacks are the most common form of attack Windows systems
experience. They've been around for a very long time, attacking TCP
ports 139 and 445.
Although this is a new vulnerability, there's nothing unique about this
one vs. any of those in the past. Any system already blocking existing
SMB attacks will successfully block this one. Any system not already
blocking SMB attacks will likely already be compromised from any of the
numerous existing bots and/or worms that exist on the Internet today.
For some reason there seems to be increased alarm over this
vulnerability, but there's no reasonable basis for such alarm.
MS05-029: Vulnerability in Outlook Web Access for Exchange Server 5.5
Could Allow Cross-Site Scripting Attacks
This is the result of another parsing flaw, probably in the way
Microsoft validates HTML input. Canonicalization is the process of
converting any of the acceptable representations of HTML into
presentation form for a browser. Before the HTML is presented by the
browser, the input should be scrubbed for unacceptable input; however,
OWA fails to do this completely. As a result, it's possible to input
HTML that would cause another site to appear within an e-mail message
displayed via Outlook Web Access.
The default forms supplied by Microsoft for OWA (and any other Web-
based application) should not be accepted "as is." Instead, companies
employing such tools should ensure that sufficient additional parsing
code is added to these forms to prevent abuse of HTML.
Tools exist for programmatically stepping through HTML content and
examining tags, their placement and their parameters. This can be
achieved via any .NET language or third-party tools such as Michael
Newcomb's HtmlZap ATL Control, www.miken.com/htmlzap/. By
incorporating your own parsing routines into such HTML programs, you
can ensure that nothing other than what you wish to permit is presented
to your users.
MS05-030: Cumulative Update in Outlook Express
If Outlook Express can connect to a malicious Network News Transport
Protocol (NNTP) server, that server could send replies to the client
which could cause code of the attacker's choice to run on the victim
To be exploited by this vulnerability, the NNTP server you connect to
must be specially configured to send non-standard responses to requests
from Outlook Express. Typically, users connect to a corporately-
controlled NNTP server (so undesirable newsgroups and postings aren't
available to clients) or to an NNTP server controlled by their Internet
Service Provider. Neither is likely to be maliciously configured
(although it's possible that an ISP's NNTP server could be
compromised.) If outbound connection attempts to arbitrary NNTP servers
are permitted, exploitation may be possible.
MS05-032: Vulnerability in Microsoft Agent Could Allow Spoofing
The Microsoft Agent ActiveX Control allows a Web site or Web
application to provide an interactive character who assists a user. It
can prompt a user by pointing to a specific field or form, or explain
how to enter data into the application. Primarily it's used as a
training assistant, although there are very few limitations in what it
can do. The control is enabled on most systems.
The vulnerability permits the Microsoft Agent ActiveX Control to mask
security prompts in addition to its other features. As such, it would
be possible for a Web site, for example, to try to execute code that
would normally trigger a security prompt to warn a user of unsafe code.
If such a prompt were hidden by the Microsoft Agent, the user may
believe his actions are safe. The Microsoft Agent could go even
further, displaying prompts indicating that the actions are safe,
further fooling the user.
The most likely use for such an exploit would be in phishing
attempts, convincing the user he's on a trusted site when in fact
he's on a malicious site.
Any attempt to use the Microsoft Agent ActiveX Control by a Web site
will include a reference to the following object Class ID (CLSID),
which can be filtered:
MS05-034: Cumulative Security Update for ISA Server 2000
Two vulnerabilities exist in ISA Server 2000. Neither are exploitable
if ISA is configured in Firewall Only mode. The only vulnerable systems
are those on the internal side of the firewall, attempting outbound
The first involves the HTTP Cache. The vulnerability could permit the
cache to become poisoned with false content, but the poisoning
must come from content originating from the same IP address as the site
The second involves the NetBIOS Predefined Filter, an optional proxy
disabled by default. This would typically be enabled only if the ISA
server was allowing unprotected connections to a hosted Web server or
similar resource where a VPN couldn't be employed. The vulnerability
results in the possibility of connecting to the file system of the ISA
server itself via NetBIOS. This could result, for example, in viruses
being spread to the ISA server.
MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution
and Denial of Service
After some reports of problems with a previous installation of a patch,
Microsoft re-released the patch, updated to prevent such problems.
Microsoft will be prompting all systems to install the new patch, even
if the original was already present. The new patch does not prevent any
security vulnerability not already prevented by the original version.
Russ Cooper is a Senior Information Security Analyst with
Cybertrust, Inc., www.cybertrust.com. He's also founder and editor of
NTBugtraq, www.ntbugtraq.com, one of the industry's most influential
mailing lists dedicated to Microsoft security. One of the world's most-
recognized security experts, he's often quoted by major media outlets
on security issues.
Russ Cooper's Security Watch column appears every Monday in the
Redmond magazine/ENT Security Watch e-mail newsletter. Click here to subscribe.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.