Microsoft Security Bulletin (MS00-015): Frequently Asked Questions

What's this bulletin about?
Microsoft Security Bulletin MS00-015 announces the availability of a patch that eliminates a vulnerability in Microsoft® Clip Art Gallery. The vulnerability could cause the Clip Art Gallery software to crash or, under special circumstances, could allow the execution of hostile code on the computer where the Clip Art Gallery software was running. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
The vulnerability could enable a malicious web site operator or the malicious sender of an e-mail message to exploit a buffer overrun on a user's machine. The buffer overrun could crash the Clip Art Gallery application or cause arbitrary code to run. The primary danger in this vulnerability is that the buffer overrun would occur if a user clicked on a specially malformed CIL file hosted on a malicious web page or opened an email attachment that contained such a CIL file.
This vulnerability can affect a user even if the user follows what would normally be safe computing practices such as disabling macros in Office documents, and using the Internet Explorer Security Zones feature to manage the security of his or her web browsing.

What is clip art?
Clip art files transport graphic images that can be embedded in a variety of other documents. The download format used to transfer Clip art files from the Microsoft Clip Gallery Live web site has the file type CIL. CIL files are processed by the Microsoft Clip Art Gallery software, CAG.EXE.
A clip art file consists of control information and the representation of the clip art image. The control information provides the software with guidance on how to display the image and where to store it.

What causes the vulnerability?
This is a buffer overrun vulnerability. If a certain field in the control information in a clip art file were very long, it could result in a buffer overrun that would cause the Clip Art Gallery software to crash. If the field were constructed in a specific way, it could cause the Clip Art Gallery software to execute hostile code that had been embedded in the CIL file. Such code could take any action on the machine that the user of the Clip Art Gallery software could take.
Because clip art files are normally downloaded to CAG.EXE without asking the user for confirmation (as would be the case for an executable file format), if a malicious web site hosted a CIL file that exploited the vulnerability, a user could be tricked into executing hostile code without warning.

How could a very long field get into a clip art file?
The long field would have to be inserted deliberately by a malicious user. Microsoft is not aware of any software that could generate such a field either as part of normal operation or as the result of an error.

What's the risk from this vulnerability?
The primary risk from this vulnerability results from the ability of a malicious clip art file to execute arbitrary code on the user's machine. If a user were to encounter such a file either on a hostile web site, or in an email message or downloaded file, the file could cause the disclosure, modification or destruction of the user's data. Because clip art files are not normally considered to be executable objects, the file would be downloaded and the malicious code run without warning to the user.

Could this vulnerability be exploited accidentally?
No. In order to exploit this vulnerability, a malicious user would need to use a hexadecimal editor or a specially constructed program to change the underlying data in a clip art file.

Could this vulnerability be exploited remotely?
A malicious user could send an affected file via email or embed it in a malicious web site, or in a file made available for download.

What does the patch do?
The patch modifies the software to check the length of the field in question so as to ensure that the buffer overflow will not occur and rejects any files that do not meet the processing criteria for CAG.EXE.
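
The kind of length check described above, shown beside the unchecked form it replaces. This is an added example, not Microsoft's patch code; the bulletin does not document the CIL layout, so the record format (a 2-byte little-endian length followed by the field text), the 64-byte limit, and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64  /* assumed buffer size, not taken from the bulletin */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Hypothetical control record: [u16 little-endian length][text bytes].
 * The real CIL layout is not documented in the bulletin. */

/* Unchecked form: the length declared in the file is trusted, so a long
 * field writes past the end of a FIELD_MAX + 1 byte destination buffer. */
void parse_field_unchecked(const uint8_t *rec, char *dst)
{
    size_t len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    memcpy(dst, rec + 2, len);
    dst[len] = '\0';
}

/* Checked form: validate the declared length against both the bytes
 * actually present and the destination size; reject the file otherwise.
 * dst must have room for FIELD_MAX + 1 bytes. */
int parse_field_checked(const uint8_t *rec, size_t rec_len, char *dst)
{
    if (rec_len < 2)
        return PARSE_TRUNCATED;
    size_t len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (len > rec_len - 2)
        return PARSE_TRUNCATED;   /* header claims more data than exists */
    if (len > FIELD_MAX)
        return PARSE_TOO_LONG;    /* would overrun dst: reject the file */
    memcpy(dst, rec + 2, len);
    dst[len] = '\0';
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample records, not real CIL data. */
    uint8_t ok[] = { 3, 0, 'c', 'a', 't' };
    uint8_t too_long[2 + 200] = { 200, 0 };   /* declares a 200-byte field */
    uint8_t lying[] = { 40, 0, 'x' };         /* declares 40, carries 1 */
    char name[FIELD_MAX + 1];

    printf("%d\n", parse_field_checked(ok, sizeof ok, name));
    printf("%d\n", parse_field_checked(too_long, sizeof too_long, name));
    printf("%d\n", parse_field_checked(lying, sizeof lying, name));
    return 0;
}
```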

Is there a workaround that I can apply rather than installing the patch?
Microsoft encourages all users of affected software to install the patch. However, as an alternative, you can ensure that clip art files are not opened without your explicit knowledge. To do this, follow the steps shown below:

1. Double-click the My Computer icon on the desktop.
2. On the Tools menu, select Folder Options.
3. On the File Types tab, select the CIL file type.
4. Click Advanced, and then select Confirm Open After Download.
5. Click OK twice to return to the My Computer window.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How can I tell if I installed the patch correctly?
Use the following table to verify that you installed the patch correctly.

If you are running on this platform: Windows 95, Windows 98, Windows NT 4.0, Windows 2000
And using this product: Any of the products listed in the Affected Software Versions of the Security Bulletin
You've installed the patch correctly if CAG.EXE has these properties:
  Date: 2/23/2000
  Size: 32,802 bytes

What is Microsoft doing about this issue?

Microsoft has developed a patch that eliminates the vulnerability.

Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.

Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

