Microsoft is forced to issue SSL patch for IE
John McCormick
Published: 09 Sep 2002 16:59 BST
Mitigating factors
Digital certificate deletion
Microsoft says in the Security Bulletin that it is difficult to exploit this vulnerability, which can take place through a Web page or by opening an HTML e-mail. There is also a flaw in the SmartCard Enrollment feature, but this will not delete or alter the information on the card even if one is inserted at the time of the attack.
Various combinations of newer software and new and older operating systems may have default installations that open HTML e-mail and Web sites in security zones that will block this attack. Details are included in the bulletin, but the versions are still vulnerable if the default installation is altered, so the patch is still recommended if you are managing a number of different client systems.
Cumulative Patch for Internet Explorer
Because this patch covers so many different problems, going back as far as MS02-015, it wouldn't really be practical to discuss all the mitigating factors here. I will simply refer you to Security Bulletin MS02-047 for details.
Buffer Overrun in TSAC
This problem poses no threat to servers hosting the services. It's a threat only if the TSAC control was installed by an IIS server that hosts the service. Further, this component is not installed by default on any system. Users of Outlook 98 and 2000 with the Outlook E-mail Security Update are not vulnerable. Neither are users of Outlook Express 6 or Outlook 2002.
Unchecked Buffer in Network Share Provider
Some mitigating factors are detailed in the Security Bulletin for this problem, but they involve turning off important file sharing and print services so are not applicable to most network installations. You can also turn off anonymous access to block some threat vectors, but that won't prevent the exploitation of this vulnerability by legitimate users.
Unsafe Functions in Office Web Components
This flaw entails various complex sets of mitigating factors, which are detailed in the MS02-044 bulletin.
Fixes
Digital certificate deletion
A patch is available that replaces this ActiveX component with a repaired version, but it can be applied only to IE 5 or later. In addition, Webmasters who use Certificate Enrollment Control on their sites must also make some changes to accommodate the new component. Another flaw, found only in XP and Windows 2000, relates to SmartCard Enrollment and is also fixed with this patch. See MS02-048 for specific patch information and links.
Cumulative Patch for Internet Explorer
Read MS02-047 carefully before applying these patches, because some earlier problems must be addressed before installation. In particular, you may need to install the patches described in MS02-022 and MS02-046 if you haven't done so already.
Buffer Overrun in TSAC
Apply the patch or set the kill bit manually following the instructions given in MS02-046. The fix just repairs the way the TSAC ActiveX control handles input data checking.
Unchecked Buffer in Network Share Provider
See MS02-045 for links to specific version patches. This fix will be included in Windows 2000 Service Pack 4 and Windows XP Service Pack 1.
Unsafe Functions in Office Web Components
Install Office XP SP2 from Office Product Updates. Install general and/or specific patches or updates as detailed in MS02-044.
The long-awaited patch
As mentioned above, Microsoft initially crafted a response that downplayed the SSL threat and repeated the contention that it is difficult to exploit. Microsoft outlined three reasons for this claim:
- The attacker must be able to spoof a Web site.
- The attacker could be caught.
- Users would see the attack because it can be discovered by carefully checking the digital certificate every time you move to a different page.
But in an apparent contradiction of Microsoft's early assurances, a Reuters report said that a Swedish white hat hacker demonstrated an exploit of this SSL attack by penetrating several Swedish bank servers (three of the top four) "in quick succession." According to the report, he then erased traces of his attack, and the banks said that they were unaware of it.
"It's a protocol which is very easy to break through," the computer expert said. "The protocol doesn't provide the security the users think it does."
Microsoft's Swedish representative denied that the attack could take place as described and added that he couldn't even see any theoretical way to exploit this vulnerability. However, the release of Security Bulletin MS02-050 would seem to indicate that the SSL threat is indeed quite serious.
Have your say instantly, in the Tech Update forum.
For a weekly round-up of the enterprise IT news, sign up for the Tech Update newsletter.
Find out what's where in the new Tech Update with our Guided Tour.
Tell us what you think in the Mailroom.
Previous
Did you find this article useful?
38 out of 68 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
