What's this bulletin about?
Microsoft Security Bulletin MS99-037 discusses two security vulnerabilities that could allow a web site to take inappropriate actions on the computer of a user who visited it. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerabilities?
Both of these vulnerabilities could allow a malicious web site operator to execute commands on the computer of a user who visited it. The first vulnerability, known as the "ImportExportFavorites" vulnerability, is caused by a feature in Microsoft® Internet Explorer 5. The second vulnerability exists because several ActiveX controls that should not be able to be called by a web site nevertheless can be.
Although the risk from these vulnerabilities is serious, it is limited by the user's privileges on the machine. The vulnerabilities can only be used to take actions on the machine that the user could take. For example, if a user were web browsing in a Guest account that had few privileges on the computer, the vulnerabilities might be able to cause little damage; on the other hand, if an Administrator browsed an affected web page, the vulnerability could be used to create, delete or modify files, reformat the hard drive, or take virtually any other actions.
What is the ImportExportFavorites vulnerability?
This vulnerability lies in the implementation of a feature in IE 5. IE provides a way for users to keep a list of their favorite web sites. However, users who switch between several different browsers, or who use IE on several different computers, need the ability to synchronize their Favorites lists. IE enables users to export their Favorites list to a file, or to import a file that contains a Favorites list. A vulnerability lies in ImportExportFavorites(), the software module that is used to implement this feature.
ImportExportFavorites() is designed to write only specific types of files, and only to specific folders. However, it is possible for a web site to call this function and bypass these restrictions in order to write files to other locations. By judiciously selecting the type of file and its location, it would be possible for a malicious web site operator to write files on the user's computer that would execute system commands the next time the user logged onto the machine.
What is the vulnerability posed by the ActiveX controls?
The ActiveX controls at issue here are incorrectly marked as "safe for scripting." The "safe for scripting" denotation means that a control is verifiably unable to take harmful action on a user's computer, and therefore can be safely called from a web site without asking the user's permission. However, these controls should not have been marked as "safe for scripting," because they can take action that could be misused to cause harm. The controls are:
• Kodak Image Edit: Wang Imaging
• Kodak Image Annotation: Wang Imaging
• Kodak Image Scan: Wang Imaging
• Kodak Thumbnail Image: Wang Imaging
• Wang Image Admin: Wang Imaging
• HHOpen: HTML help files
• Registration Wizard: Internet Explorer Product Registration
• IE Active Setup: Internet Explorer Setup
Is ImportExportFavorites an ActiveX control?
No. It is a function within IE 5.
Do the unsafe ActiveX controls represent a vulnerability in Internet Explorer?
No. The controls are not part of IE, and do not demonstrate a vulnerability in IE. Their only relationship to IE is that they use IE as a shipment vehicle.
Do the unsafe ActiveX controls represent a vulnerability in the ActiveX technology?
No. The controls were incorrectly marked due to human error. Actually, this demonstrates one of the strengths of the ActiveX technology. When a control is discovered to be inappropriately marked, the error can be quickly and easily corrected without the need to rewrite and re-deploy software.
What does the patch do?
• It eliminates the ImportExportFavorites vulnerability by only allowing the ImportExportFavorites() method to create icon files, and by restricting what folders they can be written to.
• It eliminates the unsafe ActiveX controls by setting the "kill bit" for each.
Why was a new version of the patch released?
On December 08, 1999, a patch was released that eliminated both this vulnerability and the "Server-Side Page Reference Redirect" vulnerability. We combined the patches to allow customers who had not yet applied the "ImportExportFavorites" patch to eliminate both vulnerabilities with a single patch.
What is the "kill bit?"
The "kill bit" is a flag that prevents web sites from being able to load and run a particular ActiveX control. For more information on the "kill bit," see Knowledge Base article 240797.
Where can I get the patch?
The download location of the patch is provided in the "Patch Availability" section of the Security Bulletin.
How can I verify that I installed the patch correctly?
Use the table below to verify whether you installed the patch correctly.
| If you're running on this platform... | And using this version of IE... | You've installed the patch correctly if SHDOCVW.DLL has these properties... |
| --- | --- | --- |
| Intel | IE 4.01 | Date: November 30, 1999; Size: 2,174,736 bytes |
| Intel | IE 5 | Date: November 29, 1999; Size: 950,544 bytes |
| Intel | IE 5.01 | Date: November 29, 1999; Size: 1,102,608 bytes |
| Alpha | IE 4.01 | Date: November 29, 1999; Size: 3,154,704 bytes |
| Alpha | IE 5 | Date: November 29, 1999; Size: 1,617,680 bytes |
Use the table below to verify that the "kill bits" on the ActiveX controls are set:
| The "kill bit" is set for this control... | If this registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility is set to Dword:00000400 |
| --- | --- |
| Imgedit.ocx | {6D940280-9F11-11CE-83FD-02608C3EC08A}\Compatibility Flags |
| Imgscan.ocx | {84926CA0-2941-101C-816F-0E6013114B7F}\Compatibility Flags |
| Imgthumb.ocx | {E1A6B8A0-3603-101C-AC6E-040224009C02}\Compatibility Flags |
| Imgadmin.ocx | {009541A0-3B81-101C-92F3-040224009C02}\Compatibility Flags |
| Hhopen.ocx | {130D7743-5F5A-11D1-B676-00A0C9697233}\Compatibility Flags |
| Regwiz.dll | {50E5E3D1-C07E-11D0-B9FD-00A0249F6B00}\Compatibility Flags |
| Setupctl.dll | {F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1}\Compatibility Flags |
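The registry check in the table above can be scripted. The following PowerShell is an added example, not part of the original bulletin: the function name Get-KillBitStatus and the status labels are assumptions made for illustration, while the key path, CLSIDs and flag value are the ones listed in the table.

```powershell
# Added example: audit the kill bits listed in the bulletin's table.
# Key path, CLSIDs and the 0x400 flag come from the bulletin; the
# function name and status labels are illustrative assumptions.
$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killBit = 0x00000400

$controls = [ordered]@{
    'Imgedit.ocx'  = '{6D940280-9F11-11CE-83FD-02608C3EC08A}'
    'Imgscan.ocx'  = '{84926CA0-2941-101C-816F-0E6013114B7F}'
    'Imgthumb.ocx' = '{E1A6B8A0-3603-101C-AC6E-040224009C02}'
    'Imgadmin.ocx' = '{009541A0-3B81-101C-92F3-040224009C02}'
    'Hhopen.ocx'   = '{130D7743-5F5A-11D1-B676-00A0C9697233}'
    'Regwiz.dll'   = '{50E5E3D1-C07E-11D0-B9FD-00A0249F6B00}'
    'Setupctl.dll' = '{F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1}'
}

function Get-KillBitStatus {
    foreach ($entry in $controls.GetEnumerator()) {
        $path = "$base\$($entry.Value)"
        # A missing key or value yields $null rather than an error.
        $value = (Get-ItemProperty -LiteralPath $path -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'

        # Compatibility Flags is a bit field, so test the 0x400 bit instead of
        # comparing for equality; other flags may be set in the same DWORD.
        $state = if ($null -eq $value) {
            'Missing'
        } elseif (($value -band $killBit) -ne 0) {
            'Set'
        } else {
            'NotSet'
        }

        [pscustomobject]@{
            File    = $entry.Key
            Clsid   = $entry.Value
            Flags   = if ($null -ne $value) { '0x{0:X8}' -f $value } else { $null }
            KillBit = $state
        }
    }
}

$results = Get-KillBitStatus
$results | Format-Table -AutoSize

# A non-zero exit code lets a deployment or compliance job flag the machine.
if ($results | Where-Object { $_.KillBit -ne 'Set' }) { exit 1 }
```

Reading HKEY_LOCAL_MACHINE does not require elevation, so the audit can run in an ordinary user context.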
I previously disabled Active Scripting as a workaround against the ImportExportFavorites vulnerability. How do I re-enable it?
Just follow these steps:
• In IE, select Tools | Internet Options, then click on the Security tab.
• Select the Internet Zone, then click on the "Custom Level" button.
• Under "Scripting", find the entry labeled "Active Scripting" and set it to "Enable."
• Click OK twice to return to IE.
What is Microsoft doing about this issue?
• Microsoft has developed a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and what they can do about it.
• Microsoft has developed a patch that will eliminate the vulnerability altogether.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.