Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13794
HistoryAug 08, 2006 - 12:00 a.m.

Microsoft Security Bulletin MS06-045 Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)

2006-08-0800:00:00
vulners.com
17

Microsoft Security Bulletin MS06-045
Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)
Published: August 8, 2006

Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Recommendation: Customers should apply the update at the earliest opportunity.

Security Update Replacement: This bulletin replaces a prior security update. See the frequently asked questions (FAQ) section of this bulletin for the complete list.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

Microsoft Windows 2000 Service Pack 4 – Download the update

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 – Download the update

Microsoft Windows XP Professional x64 Edition – Download the update

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 - Download the update

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems - Download the update

Microsoft Windows Server 2003 x64 Edition – Download the update

The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

Note The security updates for Microsoft Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.
Top of sectionTop of section
General Information

Executive Summary

Executive Summary:

This update resolves a newly-discovered, publicly-reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

We recommend that customers apply the update immediately.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers Impact of Vulnerability Windows 2000 Windows XP Service Pack 1 Windows XP Service Pack 2 Windows Server 2003 Windows Server 2003 Service Pack 1

Folder GUID Code Execution Vulnerability - CVE-2006-3281

Remote code execution

Important

Important

Important

Important

Important

This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Note The security updates for Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.

Note The severity ratings for non-x86 operating system versions map to the x86 operating systems versions as follows:

The Microsoft Windows XP Professional x64 Edition severity rating is the same as the Windows XP Service Pack 2 severity rating.

The Microsoft Windows Server 2003 for Itanium-based Systems severity rating is the same as the Windows Server 2003 severity rating.

The Microsoft Windows Server 2003 with SP1 for Itanium-based Systems severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.

The Microsoft Windows Server 2003 x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.
Top of sectionTop of section

Frequently Asked Questions (FAQ) Related to This Security Update

Extended security update support for Microsoft Windows 98, Windows 98 Second Edition, or Windows Millennium Edition ended on July 11, 2006. I am still using one of these operating systems; what should I do?
Windows 98, Windows 98 Second Edition, and Windows Millennium Edition have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Extended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I am still using one of these operating systems; what should I do?
Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Customers who require custom support for these products must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.

What updates does this release replace?
This security update replaces a prior security update. The security bulletin ID and affected operating systems are listed in the following table.
Bulletin ID Windows 2000 Windows XP Service Pack 1 Windows XP Service Pack 2 Windows Server 2003 Windows Server 2003 Service Pack 1

MS05-016

Replaced

Replaced

Replaced

Replaced

Not Applicable

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?
The following table provides the MBSA detection summary for this security update.
Product MBSA 1.2.1 MBSA 2.0

Microsoft Windows 2000 Service Pack 4

Yes

Yes

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2

Yes

Yes

Microsoft Windows XP Professional x64 Edition

No

Yes

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Yes

Yes

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems

No

Yes

Microsoft Windows Server 2003 x64 Edition family

No

Yes

For more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.

For more detailed information, see Microsoft Knowledge Base Article 910723.

Can I use Systems Management Server (SMS) to determine whether this update is required?
The following table provides the SMS detection summary for this security update.
Product SMS 2.0 SMS 2003

Microsoft Windows 2000 Service Pack 4

Yes

Yes

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2

Yes

Yes

Microsoft Windows XP Professional x64 Edition

No

Yes

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Yes

Yes

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems

No

Yes

Microsoft Windows Server 2003 x64 Edition family

No

Yes

SMS uses MBSA for detection. Therefore, SMS has the same limitation that is listed earlier in this bulletin related to programs that MBSA does not detect.

For SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool, can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about the Security Update Inventory Tool, visit the following Microsoft Web site. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 Inventory Tool for Microsoft Updates, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For more information about SMS, visit the SMS Web site.

For more detailed information, see Microsoft Knowledge Base Article 910723.
Top of sectionTop of section

Vulnerability Details

Folder GUID Code Execution Vulnerability - CVE-2006-3281:

A remote code execution vulnerability exists in Windows Explorer because of the way that Windows Explorer handles Drag and Drop events. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow an attacker to save a file on the user’s system if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. User interaction is required to exploit this vulnerability

Mitigating Factors for Folder GUID Code Execution Vulnerability - CVE-2006-3281:

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail they could still be vulnerable to this issue through the Web-based attack scenario described previously.

By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.

The vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must open an attachment or click on a link that is sent in an e-mail message.
Top of sectionTop of section

Workarounds for Folder GUID Code Execution Vulnerability - CVE-2006-3281:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Disable the Web Client service

Disabling the Web Client service will help protect the affected system from attempts to exploit this vulnerability. To disable the Web Client service, follow these steps:

Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.

Double-click Administrative Tools.

Double-click Services.

Double-click WebClient.

In the Startup type list, click Disabled.

Click Stop, and then click OK.

You can also stop and disable the Web Client service by using the following command at the command prompt:

sc stop WebClient & sc config WebClient start= disabled

Impact of Workaround: If the Web Client service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. If the Web Client service is disabled, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. Windows Server 2003 users will not be able to use the "Open as Web Folder" functionality.

Use the Group Policy settings to disable the WebClient service on all affected systems that do not require this feature.
Because the Web Client service is a possible attack vector, disable the service by using the Group Policy settings. You can disable the startup of this service at either the local, site, domain, or organizational-unit level by using Group Policy object functionality in Windows 2000 domain environments or in Windows Server 2003 domain environments.

Note You may also review the Windows Server 2003 Security Guide. This guide includes information about how to disable services.

For more information about Group Policy, visit the following Microsoft Web sites:

Step-by-Step Guide to Understanding the Group Policy Feature Set

Windows 2000 Group Policy

Group Policy in Windows Server 2003

Impact of Workaround: If the Web Client service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. If the Web Client service is disabled, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. Windows Server 2003 users will not be able to use the "Open as Web Folder" functionality.

Disable the file: protocol handler.

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

To disable the file: protocol handler, follow these steps:

Close all instances of Internet Explorer

Click Start, click Run, type "regedt32 " (without the quotation marks), and then click OK

In Registry Editor, locate the following registry key:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Add or edit the DWORD value NoFileUrl

Set the value to 1

Impact of Workaround: URLs utilizing the file: handler will not function.

Block TCP ports 139 and 445 at the firewall:

Although WebDAV uses TCP port 80 for outbound communication, TCP ports 139 and 445 can be used outbound to attempt to connect to a malicious service and try to exploit this vulnerability. Blocking them at the firewall can help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.
Top of sectionTop of section

FAQ for Folder GUID Code Execution Vulnerability - CVE-2006-3281:

What is the scope of the vulnerability?

This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
Improper handling by Windows Explorer of Drag and Drop events. User interaction is required to exploit this vulnerability

What might an attacker use the vulnerability to do?
An attacker who could successfully convince a user to visit attacker's web site and save a specially crafted file to the affected system could take complete control of the users system.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by preventing specially crafted files and directories from invoking arbitrary code without specific user interaction.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2006-3281. It also has been named Microsoft Internet Explorer Information Disclosure and HTA File Execution Vulnerability by the larger security community.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

How does this vulnerability relate to the vulnerability that is corrected by MS06-015?
Both vulnerabilities were in Windows Explorer. However, this update addresses a new vulnerability that was not addressed as part of MS06-015. MS06-015 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability. This update does not replace MS06-015

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (August 8, 2006): Bulletin published

Related for SECURITYVULNS:DOC:13794