Friday, September 15, 2006

Microsoft Security Advisory 925444 Released


Below is a Security Advisory from Microsoft regarding a vulnerability in an ActiveX control that could allow remote code execution. Exploit code delivered through a web page would run with the rights of the logged-on user and could, for example, hijack Internet Explorer and redirect it to malicious websites.

Workarounds are provided in the Advisory, two of which are worth applying regardless of this particular issue. In particular, see the instructions for configuring Internet Explorer to prompt before running Active Scripting or ActiveX controls.
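As an added illustration of the zone workaround referred to above (this is not code from the advisory or from the original post), the following PowerShell sets the Internet and Local intranet zones to prompt before running ActiveX controls and Active Scripting, and then checks that the Restricted sites zone, which the advisory's mitigating factors rely on for HTML e-mail, still has both disabled. It assumes the standard per-user location of the IE zone settings under HKCU and the documented URL-action values (1200 and 1400; 0 = Enable, 1 = Prompt, 3 = Disable); the function names are my own, and a machine-wide lockdown through HKLM is not covered.

```powershell
# Added example, not taken from the advisory or the blog post.
# Assumes Windows PowerShell with the registry provider and the usual per-user
# location of IE security-zone settings. Zone values: 0 = Enable, 1 = Prompt,
# 3 = Disable. Machine-wide policy under HKLM is not handled here.

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone numbers and the two URL actions the advisory's workaround targets.
$Zones   = @{ 1 = 'Local intranet'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Actions = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$State   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneAction {
    # Returns the explicit DWORD for a zone/action, or $null when the value is
    # absent (IE then falls back to the zone's security template).
    param([int]$Zone, [int]$Action)
    $name = "$Action"
    $item = Get-ItemProperty -Path (Join-Path $ZoneRoot "$Zone") -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

function Set-ZoneActionPrompt {
    # Sets a URL action to Prompt, but never loosens an existing Disable,
    # since Prompt is the weaker setting.
    param([int]$Zone, [int]$Action)
    $key = Join-Path $ZoneRoot "$Zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $before = Get-ZoneAction -Zone $Zone -Action $Action
    if ($before -eq 3) {
        Write-Host ("{0} / {1}: already Disable, left as is" -f $Zones[$Zone], $Actions[$Action])
        return
    }
    Set-ItemProperty -Path $key -Name "$Action" -Value 1 -Type DWord
    $was = if ($null -eq $before) { 'template default' } else { $State[$before] }
    Write-Host ("{0} / {1}: {2} -> Prompt" -f $Zones[$Zone], $Actions[$Action], $was)
}

# Workaround: prompt before ActiveX and Active Scripting in the Internet (3)
# and Local intranet (1) zones.
foreach ($z in 1, 3) {
    foreach ($a in 1200, 1400) { Set-ZoneActionPrompt -Zone $z -Action $a }
}

# Check: the HTML e-mail mitigation depends on Restricted sites (zone 4)
# keeping both actions disabled. Flag any explicit value that has drifted.
foreach ($a in 1200, 1400) {
    $v = Get-ZoneAction -Zone 4 -Action $a
    if ($null -eq $v) {
        Write-Host ("Restricted sites / {0}: not set explicitly, template default applies" -f $Actions[$a])
    } elseif ($v -ne 3) {
        Write-Warning ("Restricted sites / {0} is {1}, expected Disable" -f $Actions[$a], $State[$v])
    }
}
```

Run the script as the user whose browser you want to harden; a re-run is safe because an action already set to Disable is left alone. Group Policy or a locked-down HKLM configuration can override these per-user values, so re-read them with Get-ZoneAction after a policy refresh if the prompts do not appear.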


Security Advisory 925444 – Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution – published 14 September 2006.

========================================
Summary
========================================

Microsoft is investigating new public reports of a vulnerability in Microsoft Internet Explorer on Windows 2000 Service Pack 4, on Windows XP Service Pack 1, and on Windows XP Service Pack 2. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof-of-concept code published publicly, but we are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. A security update will be released through our monthly release process or an out-of-cycle security update will be provided, depending on customer needs.

========================================
Mitigating Factors
========================================

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.

• By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted Sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted Sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted Sites zone if Microsoft Security Bulletin MS04-018 has been installed.

• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default.

========================================
Additional Resources:
========================================

• Microsoft released Security Advisory 925444 – Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution.
http://www.microsoft.com/technet/security/advisory/925444.mspx

• Microsoft Knowledgebase Article 925444 - Microsoft Security Advisory: Vulnerability in the Microsoft DirectAnimation Path ActiveX control could allow remote code execution
http://support.microsoft.com/kb/925444

• MSRC Blog:
http://blogs.technet.com/msrc/

Note: check the MSRC Blog periodically as new information may appear there.
