Re: Microsoft Security Bulletin (MS99-051) (fwd)

[jmknoble () POBOX COM (Jim Knoble)]

På 1999-Nov-29 klokka 17:42:36 -0800 skrivet Ben Greenbaum:

: ---------- Forwarded message ----------
: Date: Mon, 29 Nov 1999 17:18:19 -0800
: From: Microsoft Product Security <secnotif () MICROSOFT COM>
: To: MICROSOFT_SECURITY () ANNOUNCE MICROSOFT COM
: Subject: Microsoft Security Bulletin (MS99-051)
:
: The following is a Security  Bulletin from the Microsoft Product Security
: Notification Service.
:
: Please do not  reply to this message,  as it was sent  from an unattended
: mailbox.
:                     ********************************
:
: Microsoft Security Bulletin (MS99-051)
: --------------------------------------
:
: Patch Available for "IE Task Scheduler" Vulnerability
: Originally Posted: November 29, 1999

  [...]

: Issue
: =====

  [...]

: The IE 5 Task Scheduler controls who can create and submit "AT jobs." The
: utility that is used to create AT jobs can only be run by an administrator,
: and the Task Scheduler will only execute AT jobs that are owned by
: administrators. However, if a malicious user had change access to an
: existing file owned by an administrator (it would not need to be an AT job),
: he or she could modify it to be a valid AT job and place in the appropriate
: folder for execution. This would bypass the control mechanism and allow the
: job to be executed.
:
: This vulnerability would primarily affect machines that allow normal users
: to interactively log onto them. The patch eliminates this vulnerability by
: digitally signing all AT jobs at creation time, and verifying the signature
: at execution time.

Is this really a solution to the problem?  It seems to me that the
actual problem is this part

    if a malicious user had change access to an existing file owned by
    an administrator (it would not need to be an AT job), he or she
    could modify it to be a valid AT job and place in the appropriate
    folder for execution[....]

Isn't that true for most files to which a malicious user has `change'
access?

Regardless of that, how does the patch stop malicious users from
producing AT jobs that have valid signatures and putting them in place?

  [...]

: More Information
: ================
: Please see the following references for more information related to this
: issue.
:  - Microsoft Security Bulletin MS99-051: Frequently Asked Questions,
:    http://www.microsoft.com/security/bulletins/MS99-051faq.asp.

This URL produces the following text:

    Microsoft VBScript runtime error `800a000d'

    Type mismatch: `CInt'

    /security/inc/scripts.txt, line 279

but only with JavaScript turned on.  Without JavaScript, the page is
utterly blank.

:  - Microsoft Knowledge Base (KB) article Q246972,
:    IE 5 Task Scheduler Allows Privilege Elevation on Windows NT Systems,
:    http://support.microsoft.com/support/kb/articles/q245/7/29.asp.
:    (NOTE: It may take 24 hours from the original posting of this bulletin
:    for this KB article to be visible)

This URL gets me to a KB item entitled `Windows 95 and Windows 98 File
Access URL Update', which has nothing to do with Q246972.

:  - Microsoft Security Advisor web site,
:    http://www.microsoft.com/security/default.asp.

This URL produces the following text:

    Microsoft VBScript runtime error `800a000d'

    Type mismatch: `CInt'

    /security/inc/scripts.txt, line 279

Is there anywhere that has some actual information about this?

--
jim knoble
jmknoble () pobox com