Microsoft Security Advisory 926043

[Wiz Feinberg]

Microsoft Security Advisory (926043)

Vulnerability in Windows Shell Could Allow Remote Code Execution

<small>Published: September 28, 2006 | Updated: October 2, 2006</small>

Microsoft is investigating new public reports of a vulnerability in supported versions of Microsoft Windows. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly and limited attacks. We are aware of Web sites attempting to use the reported vulnerability to install malware. Our investigation into these Web sites shows that, in most cases, attempts to install malicious software by exploiting this vulnerability fail. This is due to specific technical factors related to the vulnerability. We will continue to investigate these public reports.

The ActiveX control called out in the public reports and in the Proof of Concept code is the Microsoft WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by Web View.

We are working on a security update currently scheduled for an October 10 release.

Customers are encouraged to keep their anti-virus software up to date.

Mitigating Factors:

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.

• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default.

See the Microsoft Security Advisory (926043) for suggested workarounds, to protect your computers until a patch is released.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage. Get Firefox Here.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices. My FAQs.</small>


<font size="1" color="#8e236b"><p align="center">[This message was edited by Wiz Feinberg on 02 October 2006 at 11:01 PM.]</p></FONT>

[Jim Phelps]

double post.<font size="1" color="#8e236b"><p align="center">[This message was edited by Jim Phelps on 29 September 2006 at 08:14 PM.]</p></FONT>

[Jim Phelps]

So the malicious code get in through execution on the browser or Outlook Express? If I'm reading this correctly, it seems that a firewall would offer no protection. Can this code still execute in non-IE browsers and non-Outlook/Outlook Express email clients?<font size="1" color="#8e236b"><p align="center">[This message was edited by Jim Phelps on 29 September 2006 at 08:20 PM.]</p></FONT>

[Wiz Feinberg]

<SMALL>Can this code still execute in non-IE browsers and non-Outlook/Outlook Express email clients?</SMALL>

No. It only affects browsers and email clients that use ActiveX, which is limited to Microsoft.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage. Get Firefox Here.
Learn about current computer virus and security threats here.
Read Wiz's Blog for security news and update notices. My FAQs.</small>

[Jim Phelps]

Thanks Wiz... yeah, duh... re-read your post and saw you already mentioned it uses Active-X... whoops. See what happens when you quit the computer biz and don't keep up... I don't even know how to set the VCR anymore.

[Wiz Feinberg]

Bump ^ for updated details from Microsoft concerning exploits in the wild. Re-read the first post for full details.

Wiz