Microsoft Security Bulletin MS03-042

Technical Description:

Microsoft re-issued this bulletin on October 29, 2003 to advise on the availability of an updated Windows 2000 patch. This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846. This problem is unrelated to the security vulnerability discussed in this bulletin. If you have previously applied this security patch, this update does not need to be installed.

A security vulnerability exists in the Microsoft Local Troubleshooter ActiveX control. The vulnerability exists because the ActiveX control (Tshoot.ocx) contains a buffer overflow that could allow an attacker to run code of their choice on a user's system. Because this control is marked "safe for scripting", an attacker could exploit this vulnerability by convincing a user to view a specially crafted HTML page that references this ActiveX control. The Microsoft Local Troubleshooter ActiveX control is installed as a default part of the operating system on Windows 2000.

To exploit this vulnerability, the attacker would have to create a specially formed HTML-based e-mail and send it to the user. Alternatively an attacker would have to host a malicious Web site that contained a Web page designed to exploit this vulnerability.

In the worst case, this vulnerability could allow an attacker to load malicious code onto a user's system and then to execute the code. The code would run in the context of the user. Therefore, the code is limited to any action that the legitimate user could take on the system. Any limitations on the user's account would also limit the actions of any arbitrary code that the attacker could execute.

The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:

Mitigating factors: 

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0662

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability however they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases - in such situations this is identified below.

Why has Microsoft reissued this bulletin?
Subsequent to the release of this bulletin and the associated patches, a problem was identified with the Windows 2000 version of the patch. This problem is unrelated to the security vulnerability discussed in this bulletin. If you have previously applied this security patch, this update does not need to be installed.
Microsoft has corrected this problem and re-issued this bulletin on October 29th, 2003 to advise on the availability of an updated Windows 2000 patch. This revised patch corrects the Debug Programs (SeDebugPrivilege) user right issue that some customers experienced with the original patch that is discussed in Knowledge Base Article 830846.

What is the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited the vulnerability could, in the worst case, run code of their choice on a user's system. This would enable an attacker to take any action the legitimate user could take. This could include creating, modifying or deleting data, This could also include reconfiguring the system, or reformatting the hard disk.

What causes the vulnerability?
The vulnerability results because the Microsoft Local Troubleshooter ActiveX control (Tshoot.ocx) does not correctly validate parameters under certain circumstances. By luring a user into viewing a specially-crafted Web page, or by sending them a specially-crafted email, an attacker could cause the ActiveX control to fail in such a way that could allow an attacker to run arbitrary code.

What's ActiveX?
ActiveX® is a technology that enables developers to write small programs that are named controls. Web pages, Visual Basic® programs, and other applications can use controls. An ActiveX control performs a small number of related tasks and can be used as building blocks in much more complex programs.
Developers can build custom ActiveX controls. If developers build custom ActiveX controls, the controls must be distributed to each user. However, Microsoft and many third-party software vendors include ActiveX controls with their products, to enable these products to be easily extended. The vulnerability in this case involves an ActiveX control that installs by default as part of the operating system.

Which ActiveX controls contain the vulnerability?
The Microsoft Windows Help system is a default component of Windows. This Help system features documentation and interactive troubleshooting wizards that help users diagnose common problems. In Windows 2000, the Microsoft Windows Troubleshooting and Help System uses an ActiveX control that is named the Microsoft Local Troubleshooter (Tshoot.ocx). Microsoft Local Troubleshooter interacts with the local computer to help diagnose problems. This ActiveX control was designed to be used only by the Windows Troubleshooting and Help System.

What is wrong with the affected ActiveX controls?
The affected ActiveX control contain a buffer overrun. Because the control is marked "safe for scripting'" after installation, Internet Explorer, even in the Internet security zone, can load the control without any user interaction. By luring a user to view a specially-crafted Web page, an attacker could cause the control to fail in such a way that would allow arbitrary code to be run.

What are Internet Explorer security zones?
Internet Explorer security zones are a system that divides online content into categories or zones based on its trustworthiness. Specific Web domains can be assigned to a zone, depending on how much trust is placed in the content of each domain. The zone then restricts the capabilities of the Web content, based on the zone's settings.
By default, most Internet domains are treated as part of the Internet security zone, which has settings that prevent scripts and other active code from accessing resources on the local system. Conversely, the My Computer zone is a much less restricted zone which allows content to access and to make changes to content that is on the local system. By default, files that are stored on the local computer are run in the My Computer zone.

What could this vulnerability enable an attacker to do?
An attacker who successfully exploited this vulnerability could, in the worst case, run code of their choice on a user's system. This would enable an attacker to take any action the legitimate user could take. This could include creating, modifying or deleting data. This could also include reconfiguring the system, or reformatting the hard disk.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, the attacker would have to create a specially formed HTML-based e-mail and send it to the user. Alternatively an attacker would have to host a malicious Web site that contained a Web page designed to exploit this vulnerability.

Is there anything that helps mitigate the risk of an HTML email attack?
The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:

What does the patch do?
The patch helps remove the vulnerability by making sure that the ActiveX control validates all parameters correctly.

Installation platforms and Prerequisites: 

For information about the specific security patch for your platform, click the appropriate link:

Prerequisites:

For Windows 2000 this security patch requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).

For information about the Windows desktop product life cycle, visit the following Microsoft Web site: http://www.microsoft.com/lifecycle/.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base: 260910 How to Obtain the Latest Windows 2000 Service Pack

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 5.

Installation Information: 

This security patch supports the following Setup switches:

/help Displays the command line options

Setup Modes

/quiet Quiet mode (no user interaction or display)

/passive Unattended mode (progress bar only)

/uninstall Uninstalls the package

Restart Options

/norestart Do not restart when installation is complete

/forcerestart Restart after installation

Special Options

/l Lists installed Windows hotfixes or update packages

/o Overwrite OEM files without prompting

/n Do not backup files needed for uninstall

/f Force other programs to close when the computer shuts down

Note: For backward compatibility, the security patch also supports the setup switches used by the previous version of the setup utility, however usage of the previous switches should be discontinued as this support may be removed in future security patches.

Deployment Information 

To install the security patch without any user intervention, use the following command line:

For Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Windows2000-kb826232-x86-enu /passive /quiet

To install the security patch without forcing the computer to restart, use the following command line:

For Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Windows2000-kb826232-x86-enu /norestart

Note: You can combine these switches into one command line.

Restart Requirement:

In some cases, this patch does not require a reboot. The installer stops the needed services, applies the patch, then restarts them. However, if the needed services cannot be stopped for any reason or if required files are in use, it will require a reboot. If this occurs, a prompt will be displayed advising of the need to reboot.

Removal Information:

To remove this security patch, use the Add or Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security patch. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB826232$\Spuninst folder, and it supports the following Setup switches:

/?: Show the list of installation switches.

/u: Use unattended mode.

/f: Force other programs to quit when the computer shuts down.

/z: Do not restart when the installation is complete.

/q: Use Quiet mode (no user interaction).

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4:

Date	Time	Version	Size	File Name
07-Oct-2003	23:08	1.0.1.2125	107,792	tshoot.ocx

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB826232\Filelist

Note: This registry key may not be not created properly when an administrator or an OEM integrates or slipstreams the 824146 security patch into the Windows installation source files.

Top of section