Information Security News mailing list archives

Security debated


From: InfoSec News <isn () C4I ORG>
Date: Wed, 21 Jun 2000 01:10:44 -0500

http://www.infoworld.com/articles/hn/xml/00/06/20/000620hnbill.xml

Published at: Tuesday, Jun. 20, 2000 5:00 pm PT

By Jaikumar Vijayan, Computerworld

A MICROSOFT PATCH aimed at fixing a previously discovered ActiveX flaw
may not fully protect users against the vulnerability, according to an
advisory issued Monday by Carnegie Mellon University's Computer
Emergency Response Team (CERT).

But in response to the CERT advisory, a Microsoft spokesman Tuesday
insisted that the patch released by the company on June 2 provides
protection against the vulnerability in all circumstances where users
follow basic security procedures.

The disagreement involves a little-known but potentially serious flaw
that was discovered in mid-April with an ActiveX-based shortcut
control in the HTML Help feature built into Microsoft's Internet
Explorer Web browser. The shortcuts allow HTML Help files to link to
and execute code that helps users understand how to perform certain
tasks, said Shawn Hernan, a CERT member.

But under certain conditions -- which are described by CERT in its
advisory -- the feature can be exploited by crackers to plant a
malicious help file from a remote location onto a user's system.
Basically, "someone who can exploit this vulnerability can [remotely]
do anything you can do on your computer" under certain conditions,
Hernan claimed.

Earlier this month, Microsoft's own description of the flaw and
announcement of the patch's release acknowledged that attackers
exploiting the security hole "could take any actions that the user
could take, including adding, changing or deleting data, or
communicating with a remote Web site."

Scott Culp, a security program manager at Microsoft, in Redmond,
Wash., said the company's patch eliminates the vulnerability by only
allowing an HTML Help file to use shortcuts if the file resides on a
user's PC. That should provide ample protection as long as users stick
to basic security practices such as having a secure firewall and not
accepting files from unknown sources, he said.

The security flaw can be exploited only under certain, very rare
circumstances and even then only if the user actively downloads a
malicious file from a remote location, Culp added. "CERT's advisory
oversimplifies the steps that an attacker would need to exploit the
flaw," he said. "The scenario they're postulating would open users up
to a far broader range of security issues above and beyond this
vulnerability."

But in its advisory, CERT claimed the preconditions needed for the
vulnerability to be exploited were not all that uncommon and posed a
greater risk than Microsoft describes.

"For some sites, the patch provided by Microsoft is adequate," CERT
said in the advisory. "For others, particularly those sites using
non-Microsoft networking products, the patch does not provide complete
protection." Users need to understand their network's configuration
prior to deciding which, if any, changes are required beyond
installing the patch, CERT added.
