provided in this site is provided "as is" without warranty
of any kind. Microsoft Corporation disclaims all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall
Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages,
even if Microsoft Corporation or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation may not
apply. Furthermore, this information is only listed as a
resource for such information by Whiptech. Whiptech is in
no way responsible for the use or misuse of the information
by anyone, anywhere, at any time.
Microsoft Patch Disclosure - August 2006
Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
August 8, 2006
Microsoft Severity Rating: Critical
This bulletin can be a bit inconsistent and confusing to those that take the time to read the entire thing. At one point the bulletin states that:
"To attempt to exploit the vulnerability, an attacker must be able to log on locally to the system and run a program."
But then the rest of the bulletin talks about exploiting this issue via a maliciously crafted website, which of course does not require the attacker to log on locally.
The bulletin is also unclear about the level of rights an attacker will have if he exploits a vulnerable system. At one point the bulletin states:
"An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
But then it points out:
"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
On the last Windows system we looked at, administrative rights were required to "create new accounts with full user rights" and, in some cases, even to install programs.
So, to try and clear up the confusion: Yes, this is a web-based attack scenario that requires the victim to perform multiple actions, starting with clicking on a malicious link or visiting a malicious website. Note that it has also been pointed out that malicious banner ads can be used as well. At this point exploitation is not automatic and still requires user interaction. Once exploited, an attacker can run commands in the context of the logged-in user. Because we are talking about Microsoft Management Console, it is safe to assume that the logged-in user will be an Administrator.
Internet Explorer 6 Service Pack 1 on Windows 2000 Service Pack 4 will not open local files from the Internet Zone. Note that Internet Explorer 6 Service Pack 1 will still open local files, and thus is vulnerable, from sites in the Local Intranet or Trusted Sites zones.
An attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed. The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability.
The risk of attack from the HTML e-mail vector can be significantly reduced if you meet all the following conditions:
Apply the update that is included with Microsoft Security Bulletin MS03-040 or a later Cumulative Security Update for Internet Explorer.
Use Internet Explorer 6 or a later version.
Use the latest security update for Microsoft Outlook, use Microsoft Outlook Express 6 or a later version, or use Microsoft Outlook 2000 Service Pack 2 or a later version in its default configuration.
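The zone-based mitigation above only helps if no site an attacker could influence (including one serving banner ads) is mapped into the Local Intranet or Trusted Sites zones. As an added example that is not from the bulletin or from Whiptech, the following Python script parses a .reg export of the per-user ZoneMap\Domains tree and lists the hosts assigned to those two zones; the registry path, the zone numbering and the sample export are assumptions about the standard Windows layout, and the hosts in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Internet Explorer URL security zone ids (standard Windows zone numbering).
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Per the bulletin, IE6 SP1 on Windows 2000 SP4 still opens local files from
# these two zones, so hosts mapped into them are not covered by the mitigation.
EXPOSED_ZONES = {1, 2}
# Per-user zone assignments: one subkey per domain, optional nested subkey per host label.
ZONEMAP_PREFIX = ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
                  "\\Internet Settings\\ZoneMap\\Domains\\")

def parse_zonemap(reg_text):
    """Parse a .reg export of ZoneMap\\Domains into {host: {scheme: zone_id}}."""
    result = defaultdict(dict)
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(ZONEMAP_PREFIX.lower()):
                # ["example.com", "www"] -> "www.example.com"
                parts = key[len(ZONEMAP_PREFIX):].split("\\")
                current = ".".join(reversed(parts))
            else:
                current = None  # some other key in the export; ignore its values
        elif current is not None:
            m = re.match(r'"(?P<scheme>[^"]+)"=dword:(?P<zone>[0-9a-fA-F]{8})$', line)
            if m:  # value name is the URL scheme ("http", "https" or "*")
                result[current][m.group("scheme")] = int(m.group("zone"), 16)
    return dict(result)

def exposed_hosts(reg_text):
    """Hosts (with scheme and zone name) mapped to Local intranet or Trusted sites."""
    return sorted((host, scheme, ZONE_NAMES[zone])
                  for host, schemes in parse_zonemap(reg_text).items()
                  for scheme, zone in schemes.items() if zone in EXPOSED_ZONES)

# Constructed sample export; the hosts are placeholders, not real sites.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"http"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\partner.example]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\partner.example\ads]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.example]
"*"=dword:00000004
"""
```

Run `exposed_hosts()` over an export taken with `reg export` of the ZoneMap key on each affected machine; any host listed there is one for which the Internet-zone mitigation gives no protection and which should be reviewed or removed from the zone.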
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition