Information Security News mailing list archives

Microsoft fixes quintet of security holes


From: William Knowles <wk () C4I ORG>
Date: Fri, 19 May 2000 01:34:12 -0500

http://news.cnet.com/news/0-1005-200-1896556.html

By Paul Festa
Staff Writer, CNET News.com
May 18, 2000, 1:30 p.m. PT

Microsoft has patched several security holes in its Internet Explorer
and Office software, closing five potential avenues for online attacks
against its customers.

The flurry of specific bug patches comes as Microsoft moves to
implement broader security measures. The company came under heavy
criticism for its security policies following the widespread damage
caused by the "I Love You" virus, which exploited standard features of
Microsoft's Outlook email application.

Microsoft this week yielded to that criticism, pledging to implement
safeguards in Outlook.

Four of the patched holes are in Microsoft's IE browser. All of them
made computers vulnerable to invasions by malicious Web site
operators, or senders of HTML email.

The first, the "Frame Domain Verification" hole, concerns the way IE
governs the behavior of Web site frames, the windows within windows
that sites use to present multiple pages simultaneously. Normally, IE
only lets the "parent" window access data in the frame.

The problem with IE is that in some cases, it fails to check the Web
site address, or domain, of the frame against the frame of the parent
window. A Web site operator could exploit that vulnerability to access
Web files, whose names he or she would have to know or guess, from a
visitor's computer through a secondary frame.

The second patched hole exposes Web site visitors' cookies to
malicious site operators.

Cookies authenticate visitors' identities on their return to Web sites
and store data about their activities and purchases; IE checks to make
sure that a Web site requesting a cookie is the same Web site that put
it there in the first place. But through an alteration in the coding
of Web addresses, a site can slither around IE's security check. With
the security patch, IE will recognize the dodge.

The third hole, the "Malformed Component Attribute" vulnerability,
involves the way IE handles ActiveX--a technology with an already
spotty security reputation--which Web sites use to take actions on a
visitor's computer without his or her interaction.

IE's code for running ActiveX components contains a buffer overflow
bug. Said to be the most common security problem of the past decade,
buffer overflow attacks result from the flooding of a field, such as
an address bar, with more characters than it can accommodate.

The improperly coded buffer responds to such attacks by crashing the
application, and the excess code, potentially malicious, can be run
upon restarting the computer.

The patch fixes a fourth hole, which Microsoft has tackled once
already, called the "WPAD Spoofing" vulnerability.

IE 5 has a feature called Web Proxy Auto-Discovery (WPAD), which
automatically determines the right settings for the proxy servers that
act as buffers between networks, such as corporate intranets, and the
wider Internet.

The problem with WPAD is that in searching for the proxy server, it
searches for it outside the network if it fails to find it within the
network. That lets a malicious hacker give settings to the browser
that would facilitate a broader attack.

The first patch, included in IE 5.01, prevents the browser's search
for the proxy server from leaving the network. But what Microsoft
termed "a new variant" of the problem cropped up in the interim.

All four IE vulnerabilities, which affect versions 4.0, 4.01, 5.0 and
5.01, are fixed by the same patch. It is available for download
through IE; the page appears blank to people using AOL's Communicator
browser.

The fifth Web security hole Microsoft patched afflicts the company's
Office 2000 suite of applications, which includes Word, Excel,
PowerPoint, Access, PhotoDraw, FrontPage, Project, Publisher, Outlook
and Works. Those applications are also sold separately.

The Office 2000 problem concerns an improperly labeled ActiveX control
that Microsoft uses to demonstrate various tools in the Office suite.
Office's user assistance tool, or "UA Control," is marked "safe for
scripting," allowing it to be manipulated by hostile Web sites or
HTML-email senders.

The "safe for scripting" designation normally indicates that an
ActiveX control is harmless. But the control "exposes fairly powerful
functionality that is inappropriate for use by Web sites," according
to Microsoft's posting on the issue. The patch is available for
download.

Despite Microsoft's pile of Web security bug patches, more remain to
be fixed. The company this week acknowledged a problem with its
version of IE for the Macintosh. The bug concerns the browser's
handling of the Java programming language and, like the bugs patched
this week, opens a computer to malicious HTML code.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
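
Added example, not part of the forwarded article or of Microsoft's patch: a defender-side audit of the WPAD behaviour the article describes, listing which lookups would leave the organisation's namespace. It assumes the DNS-based form of WPAD, which strips leading labels from the client's domain name; the host name, organisational domain and function names are constructed for illustration.

```python
"""Audit which WPAD lookups would leave the organisation's DNS namespace."""


def wpad_candidates(client_fqdn):
    """Names a label-stripping WPAD search would try, most specific first."""
    labels = client_fqdn.lower().rstrip(".").split(".")
    # Skip the host label, then drop one leading domain label per step.
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels))]


def inside_boundary(name, org_domain):
    """True only if name is org_domain or a subdomain on a label boundary."""
    name = name.lower().rstrip(".")
    org = org_domain.lower().rstrip(".")
    return name == org or name.endswith("." + org)


def leaking_names(client_fqdn, org_domain):
    """Candidates that an outside party could register and answer for."""
    return [n for n in wpad_candidates(client_fqdn)
            if not inside_boundary(n, org_domain)]


def bounded_candidates(client_fqdn, org_domain):
    """The search with the fix the article describes: stop at the boundary."""
    kept = []
    for name in wpad_candidates(client_fqdn):
        if not inside_boundary(name, org_domain):
            break
        kept.append(name)
    return kept


if __name__ == "__main__":
    # Constructed sample values, not taken from the article.
    client = "pc17.sales.corp.example.co.uk"
    org = "example.co.uk"
    for name in wpad_candidates(client):
        status = "internal" if inside_boundary(name, org) else "LEAVES NETWORK"
        print(f"{name:35} {status}")
    print("names to block or sinkhole at the resolver:", leaking_names(client, org))
```

Any name reported as leaving the network is a candidate for a resolver block or an alert on outbound queries for it.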
