As Microsoft starts to tout the importance of security, the company releases patches to fix security holes in its Internet and server software.
The security problems have been found in the Internet Explorer Web browser, Microsoft’s XML Core Services 2.6 and later, Microsoft Commerce Server 2000 as well as Microsoft’s SQL server.
According to Microsoft, the first patch has been produced to prevent a malicious user from using a Web site to read the contents of files on a local computer.
Frames are used in Internet Explorer to provide for a fuller browsing experience. By design, scripts in the frame of one site or domain should be prohibited from accessing the content of frames in another site or domain. However, a flaw exists in how VBScript is handled in IE relating to validating cross-domain access. This flaw can allow scripts of one domain to access the contents of another domain in a frame.
A malicious user could exploit this vulnerability by using scripting to extract the contents of frames in other domains, then sending that content back to their web site. This would enable the attacker to view files on the user’s local machine or capture the contents of third-party web sites the user visited after leaving the attacker’s site. The latter scenario could, in the worst case, enable the attacker to learn personal information like user names, passwords, or credit card information.
In both cases, the user would either have to go to a site under the attacker’s control or view an HTML email sent by the attacker. In addition, the attacker would have to know the exact name and location of any files on the user’s system. Further, the attacker could only gain access to files that can be displayed in a browser window, such as text files, HTML files, or image files.
The Microsoft patch prevents a malicious user from running VBScript in an unauthorised Web site to read the contents of files on someone else’s computer.
The second patch aims to fix a flaw in Microsoft’s Core services. Microsoft XML Core Services (MSXML) includes what is called XMLHTTP ActiveX control, which allows web pages rendering in the browser to send or receive XML data via HTTP operations such as POST, GET, and PUT. The control provides security measures designed to restrict web pages so they can only use the control to request data from remote data sources.
However, a flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the user’s local system. The attacker could then use this to return information from the local system to the attacker’s web site.
An attacker would have to entice the user to a site under his control to exploit this vulnerability. It cannot be exploited by HTML email. In addition, the attacker would have to know the full path and file name of any file he would attempt to read. Finally, the vulnerability does not give an attacker any ability to add, change or delete data.
The third problem relates to the Commerce Server Web site.
By default, Commerce Server 2000 installs a dynamic-link library (DLL) with an ISAPI filter that allows the server to provide extended functionality in response to events on the server. This filter, called AuthFilter, provides support for a variety of authentication methods. Commerce Server 2000 can also be configured to use other authentication methods.
But a security vulnerability results because AuthFilter contains an unchecked buffer in a section of code that handles certain types of authentication requests. An attacker who provides authentication data that overruns the buffer may cause the Commerce Server process to fail, or may run code in the security context of the Commerce Server process.
The process runs with LocalSystem privileges, so exploiting the vulnerability may give the attacker complete control of the server.
Lastly, the SQL Server 2000 security fix aims to prevent an attacker running arbitrary code under the security context in which the SQL Server service is running.