----------------------------------------------------------------------
Title: XMLHTTP Control Can Allow Access to Local Files
Date: 21 February 2002
Software: Microsoft XML Core Services
Impact: Information disclosure
Max Risk: Critical
Bulletin: MS02-008

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-008.asp.
----------------------------------------------------------------------

Issue:
======
Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX
control, which allows web pages rendering in the browser to send or
receive XML data via HTTP operations such as POST, GET, and PUT.
The control provides security measures designed to restrict web
pages so they can only use the control to request data from remote
data sources.

A flaw exists in how the XMLHTTP control applies IE security zone
settings to a redirected data stream returned in response to a
request for data from a web site: the zone check is applied to the
URL the web page requested, but not to the location that an HTTP
redirect from that site then points at. An attacker who controls
the web site could therefore redirect the request to a data source
on the user's local system. The control would return the contents
of that local file to the page, which could then send the
information back to the attacker's web site.

An attacker would have to entice the user to a site under his
control to exploit this vulnerability. It cannot be exploited
by HTML email. In addition, the attacker would have to know the
full path and file name of any file he would attempt to read.
Finally, this vulnerability does not give an attacker any
ability to add, change or delete data.

Mitigating Factors:
====================
- The vulnerability can only be exploited via a web site.
It would not be possible to exploit this vulnerability
via HTML mail.

- The attacker would need to know the full path and file name
of a file in order to read it.

- The vulnerability does not provide any ability to add,
change, or delete files.

Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-008.asp
for information on obtaining this patch.





----------------------------------------------------------------------
Title: Incorrect VBScript Handling in IE can Allow Web Pages to
Read Local Files
Date: 21 February 2002
Software: Internet Explorer
Impact: Information Disclosure
Max Risk: Critical
Bulletin: MS02-009

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-009.asp.
----------------------------------------------------------------------

Issue:
======
Frames are used in Internet Explorer to provide for a fuller
browsing experience. By design, scripts in the frame of one site or
domain should be prohibited from accessing the content of frames
in another site or domain. However, a flaw exists in how VBScript
is handled in IE relating to validating cross-domain access. This
flaw can allow scripts of one domain to access the contents of
another domain in a frame.

A malicious user could exploit this vulnerability by using
scripting to extract the contents of frames in other domains,
then sending that content back to their web site. This would
enable the attacker to view files on the user's local machine
or capture the contents of third-party web sites the user visited
after leaving the attacker's site. The latter scenario could,
in the worst case, enable the attacker to learn personal
information like user names, passwords, or credit card information.

In both cases, the user would either have to go to a site under
the attacker's control or view an HTML email sent by the attacker.
In addition, the attacker would have to know the exact name and
location of any files on the user's system. Further, the attacker
could only gain access to files that can be displayed in a browser
window, such as text files, HTML files, or image files.
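The two client-side checks described in the MS02-008 and MS02-009 summaries above, as an added example written for this page (it is not Microsoft code and does not reproduce the MSXML or IE implementation). `parse_origin` is a deliberately minimal URL splitter (scheme, host, port only); `is_remote_source` models the XMLHTTP "remote data sources only" zone rule, `same_origin` models the cross-frame rule, and `xmlhttp_get` walks a constructed in-memory site in which the attacker's page redirects a request to a local file. The resource table, URLs and file contents are all constructed for the demonstration; the point it makes is that a policy check applied only to the URL a page asked for, and not to every redirect target, lets a redirect carry the request into the Local Machine zone.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal URL decomposition for the example: scheme://host[:port]/...
 * Real parsers must also handle userinfo, IPv6 literals and escapes. */
typedef struct { char scheme[16]; char host[128]; int port; } Origin;

/* Returns 0 on malformed input, 1 with the parts lower-cased and the
 * default port filled in for http/https (-1 when there is no port). */
static int parse_origin(const char *url, Origin *o)
{
    const char *sep = strstr(url, "://");
    if (!sep || (size_t)(sep - url) >= sizeof o->scheme) return 0;
    memcpy(o->scheme, url, (size_t)(sep - url));
    o->scheme[sep - url] = '\0';
    const char *host = sep + 3;
    const char *end = host + strcspn(host, "/?#");
    const char *colon = memchr(host, ':', (size_t)(end - host));
    size_t hlen = (size_t)((colon ? colon : end) - host);
    if (hlen >= sizeof o->host) return 0;
    memcpy(o->host, host, hlen);
    o->host[hlen] = '\0';
    for (char *p = o->scheme; *p; p++) *p = (char)tolower((unsigned char)*p);
    for (char *p = o->host; *p; p++) *p = (char)tolower((unsigned char)*p);
    if (colon) o->port = atoi(colon + 1);
    else if (strcmp(o->scheme, "http") == 0) o->port = 80;
    else if (strcmp(o->scheme, "https") == 0) o->port = 443;
    else o->port = -1;
    return 1;
}

/* MS02-008 rule: the control may only fetch from remote data sources.
 * file: URLs (Local Machine zone) and host-less URLs are refused. */
static int is_remote_source(const char *url)
{
    Origin o;
    return parse_origin(url, &o) && strcmp(o.scheme, "file") != 0 && o.host[0] != '\0';
}

/* MS02-009 rule: script in one frame may touch another frame only when
 * scheme, host and port all match; local files never match anything. */
static int same_origin(const char *a, const char *b)
{
    Origin x, y;
    if (!parse_origin(a, &x) || !parse_origin(b, &y)) return 0;
    if (strcmp(x.scheme, "file") == 0 || strcmp(y.scheme, "file") == 0) return 0;
    return strcmp(x.scheme, y.scheme) == 0 && strcmp(x.host, y.host) == 0 && x.port == y.port;
}

/* Constructed stand-in for the network: the attacker's URL answers with a
 * redirect to a local file, and the local file has some contents. */
typedef struct { const char *url; const char *redirect; const char *body; } Resource;
static const Resource SITE[] = {
    { "http://attacker.example/data.xml", "file:///c:/secret.txt", NULL },
    { "file:///c:/secret.txt", NULL, "local-file-contents" },
};

static const Resource *lookup(const char *url)
{
    for (size_t i = 0; i < sizeof SITE / sizeof SITE[0]; i++)
        if (strcmp(SITE[i].url, url) == 0) return &SITE[i];
    return NULL;
}

/* Simulated XMLHTTP GET. With recheck_each_hop == 0 the zone rule is applied
 * only to the URL the page asked for (the flawed behaviour); with 1 it is
 * re-applied to every redirect target. Returns the body, or NULL if refused
 * or not found. */
static const char *xmlhttp_get(const char *url, int recheck_each_hop)
{
    if (!is_remote_source(url)) return NULL;
    for (int hops = 0; hops < 5; hops++) {
        const Resource *r = lookup(url);
        if (!r) return NULL;
        if (!r->redirect) return r->body;
        url = r->redirect;
        if (recheck_each_hop && !is_remote_source(url)) return NULL;
    }
    return NULL;                      /* too many redirects */
}

int main(void)
{
    const char *url = "http://attacker.example/data.xml";
    printf("zone checked once   : %s\n", xmlhttp_get(url, 0) ? "local file returned" : "refused");
    printf("zone checked per hop: %s\n", xmlhttp_get(url, 1) ? "local file returned" : "refused");
    printf("same_origin(http://example.com/, http://EXAMPLE.com:80/x) = %d\n",
           same_origin("http://example.com/", "http://EXAMPLE.com:80/x"));
    return 0;
}
```

The redirect loop is the part worth keeping in mind beyond these two bulletins: any fetcher that enforces a destination policy (browser zones, SSRF allow-lists, proxy egress rules) has to re-run that policy on each hop it follows, not just on the first URL.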

Mitigating Factors:
====================
- The vulnerability could only be used to view files. It could not
be used to create, delete, modify or execute them.

- The vulnerability would only allow an attacker to read files that
can be opened in a browser window, such as image files, HTML
files and text files. Other file types, such as binary files,
executable files, Word documents, and so forth, could not be read.

- The attacker would need to specify the exact name and location of
the file in order to read it.

- The email-borne attack scenario would be blocked if the user were
using any of the following: Outlook 98 or 2000 with the Outlook
Email Security Update installed; Outlook 2002; or Outlook
Express 6.

Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-009.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Zentai Peter Aron, Ivy Hungary Ltd (http://w3.ivy.hu/)





----------------------------------------------------------------------
Title: Unchecked Buffer in ISAPI Filter Could Allow Commerce
Server Compromise
Date: 21 February 2002
Software: Commerce Server 2000
Impact: Run code of attacker's choice.
Max Risk: Critical
Bulletin: MS02-010

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/sec.../MS02-010.asp.
----------------------------------------------------------------------

Issue:
======
By default, Commerce Server 2000 installs a .dll with an ISAPI
filter that allows the server to provide extended functionality in
response to events on the server. This filter, called AuthFilter,
provides support for a variety of authentication methods.
Commerce Server 2000 can also be configured to use other
authentication methods.

A security vulnerability results because AuthFilter contains an
unchecked buffer in a section of code that handles certain types
of authentication requests. An attacker who provided
authentication data that overran the buffer could cause the
Commerce Server process to fail, or could run code in the
security context of the Commerce Server process. The
process runs with LocalSystem privileges, so exploiting the
vulnerability would give the attacker complete control of
the server.
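The unchecked-buffer pattern the bulletin describes, shown beside a bounded version, as an added example written for this page. It is not AuthFilter or Commerce Server code: the header layout ("Basic <credential>"), the 64-byte field size `CRED_MAX` and the helper names are assumptions made for the demonstration, and nothing here reflects where the real overrun was. What it shows is the difference between copying whatever the client sent into a fixed-size field and measuring first, refusing what does not fit, and always terminating.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRED_MAX 64   /* assumed size of the fixed credential field */

/* Returns the credential part of an "<scheme> <credential>" header value,
 * or NULL when there is no credential. */
static const char *credential_of(const char *value)
{
    const char *sp = strchr(value, ' ');
    if (!sp) return NULL;
    while (*sp == ' ') sp++;
    return *sp ? sp : NULL;
}

/* Length of s, but never scanning past max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Unchecked pattern: out is sized for a "normal" credential and strcpy
 * copies whatever the client sent. A longer value writes past the end of
 * out; in a filter running as LocalSystem that is the bulletin's
 * remote-code-execution scenario. Kept here only for comparison. */
static void copy_credential_unchecked(char out[CRED_MAX], const char *value)
{
    const char *cred = credential_of(value);
    strcpy(out, cred ? cred : "");      /* no length check */
}

/* Hardened: measure with a bound, reject anything that does not fit
 * (rather than truncating silently), copy with an explicit size and
 * terminate. Returns 1 on success, 0 when the request should be rejected. */
static int copy_credential_checked(char *out, size_t out_sz, const char *value)
{
    const char *cred = credential_of(value);
    if (!cred || out_sz == 0) return 0;
    size_t n = bounded_len(cred, out_sz);
    if (n >= out_sz) return 0;          /* too long for the field */
    memcpy(out, cred, n);
    out[n] = '\0';
    return 1;
}

/* Drives the checked parser with a constructed credential of len 'A's,
 * standing in for an attacker-supplied Authorization header. */
static int accepts_credential_of_length(size_t len)
{
    char value[512] = "Basic ";
    size_t prefix = strlen(value);
    if (len > sizeof value - prefix - 1) return -1;
    memset(value + prefix, 'A', len);
    value[prefix + len] = '\0';
    char cred[CRED_MAX];
    return copy_credential_checked(cred, sizeof cred, value);
}

/* Confirms the checked copy keeps a well-formed value intact. */
static int checked_keeps_value(void)
{
    char cred[CRED_MAX];
    return copy_credential_checked(cred, sizeof cred, "Basic dXNlcjpwYXNz") == 1
        && strcmp(cred, "dXNlcjpwYXNz") == 0;
}

int main(void)
{
    char cred[CRED_MAX];
    copy_credential_unchecked(cred, "Basic short");   /* safe only because the input is short */
    printf("unchecked copy of a short value: %s\n", cred);
    printf("checked, 20 bytes : %d\n", accepts_credential_of_length(20));
    printf("checked, 300 bytes: %d\n", accepts_credential_of_length(300));
    return 0;
}
```

The rejection on `n >= out_sz` is deliberate: truncating an over-long credential would avoid the overrun but could let a request with malformed authentication data continue into later processing, so the safer behaviour for an authentication filter is to fail the request outright.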

Mitigating Factors:
====================
- Although Commerce Server 2000 does rely on IIS for its base
web services, the AuthFilter ISAPI filter is only available
as part of Commerce Server. Customers using IIS are at no
risk from this vulnerability.

- The URLScan tool, if deployed using the default ruleset for
Commerce Server, would make it difficult if not impossible
for an attacker to exploit the vulnerability to run code,
by significantly limiting the types of data that could be
included in an URL. It would, however, still be possible
to conduct denial of service attacks.

- An attacker's ability to extend control from a compromised
web server to other machines would depend heavily on the
specific configuration of the network. Best practices recommend
that the network architecture account for the inherently high
risk faced by machines in an uncontrolled environment, like the
Internet, by minimizing overall exposure through measures such
as DMZs, running only the services that are needed, and
isolating contact with internal networks. Steps like these can
limit overall exposure and impede an attacker's ability to
broaden the scope of a compromise.

- While the ISAPI filter is installed by default, it is not loaded
on any web site by default. It must be enabled through the
Commerce Server Administration Console in the Microsoft
Management Console (MMC).

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/sec...n/ms02-010.asp
for information on obtaining this patch.
All that in one day!