What's this bulletin about?
Microsoft Security Bulletin MS99-032 announces the availability of a patch that eliminates a vulnerability posed by two ActiveX controls. The controls could allow a malicious web site operator to take inappropriate actions on the computer of a user who visited the site. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerabilities?
There are two controls at issue here, scriptlet.typelib and Eyedog, each with their own vulnerabilities. However, the net effect is that a web page could take unauthorized actions against a visitor to the site.
Although the risk from these controls is serious, it is limited by the user's privileges on the machine. The controls can only take actions on the machine that the user himself can take. For example, if a user were web browsing in a Guest account that had few privileges on the computer, the controls might be able to cause little damage; on the other hand, if an Administrator browsed an affected web page, the controls would have administrative privileges on the local machine.
What's the vulnerability?
Both of these controls are incorrectly marked as "safe for scripting". The "safe for scripting" denotation means that the control is verifiably unable to take any harmful action on the user's computer and therefore can be executed without requesting the user's approval. This is inappropriate in the case of these two controls, because they actually can take harmful action:
• scriptlet.typelib could allow a web page to change or delete files on the user's computer. By changing system files, a malicious web site operator could cause operating commands of his or her choice to execute.
• Eyedog could allow a web page to gather information from the user's computer, such as registry settings, user name, hardware settings, and the like, and pass them back to a web site.
The Eyedog control has an additional vulnerability. One of its methods contains an unchecked buffer that could be exploited via a web page, using a classic buffer overrun technique, to run arbitrary code on the user's computer.
What are these controls normally used for?
The two controls are completely unrelated to each other:
• scriptlet.typelib is used by developers to generate Type Libraries for Windows Script Components (WSCs). The Type Library is then used by development tools such as Microsoft Visual InterDev to provide IntelliSense features such as Statement Completion and Tool-tip help.
• Eyedog is used by diagnostic packages to collect hardware information on the machine that they are running on.
What does the patch do?
The patch takes two slightly different approaches to correcting the vulnerability:
• For scriptlet.typelib, the patch revokes the "safe for scripting" label. It could still be used by IE, but would only run if the user agreed that it could.
• For Eyedog, the patch sets the so-called "Kill Bit", which prevents it from being used within IE under any circumstances.
Why does the patch treat the two controls differently?
scriptlet.typelib operates correctly but isn't appropriate to run without warning. By revoking its "safe for scripting" label, IE will always ask the user for confirmation before running it. Eyedog, because of the unchecked buffer, is simply unsafe to be executed within IE for any purpose. Setting the Kill Bit prevents IE from executing it.
Why are you setting the Kill Bit on Eyedog and not providing a new version?
The unchecked buffer in Eyedog can only be remotely exploited via a web site. By setting the "Kill Bit" and preventing it from being used within IE, the vulnerability is removed. We are re-coding the control to eliminate the unchecked buffer, and will deliver it as part of IE5.01.
What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.
How can I tell if I installed the patch correctly?
To verify that scriptlet.typelib is no longer marked as safe for scripting, verify that the following registry key does not exist:
Hive: HKEY_CLASSES_ROOT\CLSID
Key: \{06290BD5-48AA-11D2-8432-006008C3FBFC}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
To verify that the Kill Bit for Eyedog has been set, verify that the following registry value is set:
Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key: \Microsoft\Internet Explorer\ActiveX Compatibility\{06A7EC63-4E21-11D0-A112-00A0C90543AA}
Name: Compatibility Flags
Value: Dword:00000400
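The two registry checks above can be scripted so they can be run across many machines. This PowerShell script is an added example and is not part of the original bulletin or patch; it assumes it runs on the machine being verified and uses only the CLSIDs, category GUID and flag value listed above (the function names are hypothetical).

```powershell
# Added verification script (not from the bulletin). Checks both MS99-032 conditions.
$ScriptletTypelibClsid = '{06290BD5-48AA-11D2-8432-006008C3FBFC}'
$SafeForScriptingCatid = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$EyedogClsid           = '{06A7EC63-4E21-11D0-A112-00A0C90543AA}'
$KillBit               = 0x400   # Dword:00000400 from the bulletin

function Test-ScriptletTypelibNotSafeForScripting {
    # The patch removes the "safe for scripting" category under the control's CLSID,
    # so the fix is in place only if this Implemented Categories subkey is absent.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$ScriptletTypelibClsid" +
           "\Implemented Categories\$SafeForScriptingCatid"
    return (-not (Test-Path -LiteralPath $key))
}

function Test-EyedogKillBitSet {
    # The Kill Bit lives in the Compatibility Flags value under ActiveX Compatibility.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$EyedogClsid"
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    # Other flag bits may also be set, so test the bit rather than comparing for equality.
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

$results = [ordered]@{
    'scriptlet.typelib no longer safe for scripting' = Test-ScriptletTypelibNotSafeForScripting
    'Eyedog Kill Bit set'                             = Test-EyedogKillBitSet
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-50} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'NOT PATCHED' })
}
# Non-zero exit code if either check fails, so the script can feed inventory tooling.
if ($results.Values -contains $false) { exit 1 } else { exit 0 }
```

Reading HKEY_CLASSES_ROOT and HKLM\SOFTWARE does not require elevation, so the script can run under an ordinary account.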
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
The Internet Explorer Security web page contains information about IE security.
How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.