Microsoft Security Bulletin (MS99-051):Frequently Asked Questions

What's this bulletin about?
This bulletin announces the availability of a patch that eliminates a vulnerability in Microsoft® Internet Explorer 5. The vulnerability could allow a user to gain additional privileges on a Windows NT machine. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a privilege elevation vulnerability. A malicious user could use this vulnerability to gain administrative privileges on a Windows NT machine, if all of the following conditions existed:

The IE 5 Offline Browsing Pack had been installed on the machine.

The user could interactively log onto the machine (or the appropriate folder were shared for remote use).

The user had the ability to change files owned by a member of the local Administrators group.

The Task Scheduler service were running.

The privileges that a user could gain would depend on the specific machine that was compromised. If a workstation were compromised, the malicious user would gain complete control over it, but could not directly use this vulnerability to extend control to other machines. On the other hand, if a critical machine like a domain controller were compromised, the malicious user could gain control over the entire network. (However, critical machines such as domain controllers typically do not allow normal users to interactively log onto them).
This vulnerability only affects Windows NT machines that are running IE 5. As discussed in more detail below, Windows 95 and 98 machines are not affected by this vulnerability, nor are Windows NT machines that are running any other version of IE.

Is the IE 5 Task Scheduler installed by default?
No. It's included in the Offline Browsing Pack, which is not installed by default.

What is the IE Task Scheduler?
A task scheduler is a utility that lets administrators submit tasks for execution at a specified time. For instance, an administrator might use a task scheduler to automatically start a backup process at the same time every day. Windows NT has a native task scheduler, known as the Schedule Service or the "AT Service". IE 5 delivers a new task scheduler that replaces the native Windows NT service.
Tasks that are scheduled for execution via the Task Scheduler are known as "AT jobs". By design, the process should work like this:

An administrator uses the AT command (or its equivalent GUI) to create an AT job. Only administrators can use this command.

The AT job is stored in %systemroot%\tasks for execution. (It is possible to configure the Task Scheduler to use a different folder, but the scenario is the same.)

At execution time, the Task Scheduler verifies that the AT job is owned by an administrator and executes it.

What causes the vulnerability?
There are two points of control in the above process: allowing only administrators to run the AT command, and ensuring that every AT job is owned by an administrator before executing it. These are intended to ensure that only administrators can cause AT jobs to be executed. However, under certain circumstances, it would be possible for a normal user to circumvent these controls.
The folder %systemroot%\tasks is world-writeable. As a result, if a malicious user could modify a file that is owned by a member of the local Administrators group, he or she could replace its contents with those of an AT job that performed some desired task, then place it in the %systemroot%\tasks folder. Such a file would pass Task Scheduler's security checks and would be executed at the designated time.

But I thought that one of the points of control was the fact that only administrators can use the AT command to create an AT job. How would a malicious user create an AT job without the AT command?
It's true that only administrators can use the AT command to create AT jobs. However, it is possible to create a valid AT job through other means. For instance, if the malicious user knew the proper file format, he or she could use a hexadecimal editor to create an AT job. Likewise, if the malicious user were an administrator on another machine, he or she could use AT on that machine, create an AT job, then port it to the other machine and copy its contents to the new file.

How would a malicious user gain change access to a file owned by an administrator?
This would be largely a matter of social engineering.

Why would this vulnerability constitute a privilege elevation?
The Task Scheduler service can be configured to run AT jobs in any desired security context, but, by default, it runs them in the local System security context.

Could this vulnerability be exploited remotely?
By default, it could not. The %systemroot%\tasks folder is not shared by default, so the malicious user would be unable to put an AT job into it.

Why aren't Windows 95 or 98 machines affected by this problem?
All users on a Windows 95 or 98 machine have complete administrative control of the machine, so there is nothing to be gained through the vulnerability.

I don't see anything about Task Scheduler in the IE menus. Where is it?
The IE Task Scheduler functionality isn't accessible via the IE menus. Instead, the IE Task Scheduler replaces the native Windows NT Task Scheduler, and is accessed via the AT command.

How can I tell whether the Task Scheduler on my machine is the native Windows NT Task Scheduler or the IE Task Scheduler?
The IE Task Scheduler is only installed as part of the IE 5 Offline Browsing Pack.

If you do not have IE 5 on your machine, you have the native Windows NT Task Scheduler installed, and are not affected by the vulnerability.

If you installed IE 5 but did not install the Offline Browsing Pack, you have the native Windows NT Task Scheduler installed, and are not affected by the vulnerability.

What machines are chiefly at risk from this vulnerability?
Windows NT workstations and Windows NT Terminal Servers would be at greatest risk from this vulnerability, because normal users can log onto them. Windows NT Servers would only be at risk from this vulnerability if they allowed normal users to interactively log onto them, or gave normal users the ability to create and modify files on them. However, domain controllers, ERP servers and other critical servers typically do not allow normal users to do either.

Are there any other ways to prevent users from exploiting this vulnerability?
The vulnerability only exists if the Task Scheduler service is running. Customers who do not need the service may wish to consider turning it off and setting it to manual start. As a general principle, it is always a good idea to turn off any unneeded services.

Will this problem exist in Windows 2000?
No. Windows 2000 ships with a version of IE 5 that is not affected by this vulnerability.

How does IE 5.01 eliminate the problem?
The IE 5.01 Task Scheduler digitally signs every AT job when it's created, and verifies the signature at execution time.

How does digitally signing the AT jobs eliminate the vulnerability?
It re-establishes the AT command as a point of control. It's not enough to simply be able to create an AT job with the proper format. If it isn't digitally signed, it won't run, and only the AT command can produce the digital signature. Because only administrators can run the AT command, only they can create AT jobs.
It also prevents malicious users from modifying existing AT jobs. If the contents of an AT job are changed, the verification of the digital signature will fail, and the job will not run.

Why couldn't a malicious user create an AT job on another machine and port it to a target machine?
The private key used in the digital signature is unique to every machine. If a malicious user ported a valid AT job from one machine to another, it would not pass the verification.
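The two controls described above, as an added worked model that is not Microsoft's code: the IE 5 ownership check accepts a hand-crafted, tampered or ported job, while the IE 5.01 signature check rejects all three and accepts only the job the AT command created on this machine. The `AtJob` and `Machine` names, and the use of HMAC-SHA256 under a random per-machine secret in place of the real per-machine private key, are assumptions of this model.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed model of MS99-051, not Microsoft's code. IE 5.01 signs jobs with a
# per-machine private key; HMAC-SHA256 under a random per-machine secret stands in.
ADMINS = {"Administrator"}

@dataclass
class AtJob:
    owner: str             # NT owner of the job file in %systemroot%\tasks
    command: bytes         # job contents
    signature: bytes = b""  # empty for a job not produced by the AT command

class Machine:
    def __init__(self):
        self.key = os.urandom(32)   # per-machine signing key (constructed)

    def _sign(self, command):
        return hmac.new(self.key, command, hashlib.sha256).digest()

    def at(self, user, command):
        """AT command: only administrators may create a job; IE 5.01 signs it."""
        if user not in ADMINS:
            raise PermissionError("AT: only administrators may schedule jobs")
        return AtJob(owner=user, command=command, signature=self._sign(command))

    def runs_under_ie5(self, job):
        """IE 5 control: the job file must be owned by an administrator."""
        return job.owner in ADMINS

    def runs_under_ie501(self, job):
        """IE 5.01 control: admin-owned AND signed under this machine's key."""
        return job.owner in ADMINS and hmac.compare_digest(
            job.signature, self._sign(job.command))

def scenario():
    """(IE 5 runs it?, IE 5.01 runs it?) for each job discussed in the FAQ."""
    target, other = Machine(), Machine()
    legit = target.at("Administrator", b"backup.exe")
    # Job body written by hand into an admin-owned file: no signature at all.
    handcrafted = AtJob(owner="Administrator", command=b"unauthorized.exe")
    # Existing signed job whose contents were replaced: signature no longer matches.
    tampered = AtJob("Administrator", b"unauthorized.exe", legit.signature)
    # Job created with AT on another machine, then copied into the target's folder.
    ported = other.at("Administrator", b"unauthorized.exe")
    return {name: (target.runs_under_ie5(j), target.runs_under_ie501(j))
            for name, j in [("legit", legit), ("handcrafted", handcrafted),
                            ("tampered", tampered), ("ported", ported)]}
```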

I have IE 4, and don't want to upgrade to IE 5.01. What should I do?
You don't need to upgrade. Only IE 5 is affected by the vulnerability.

Where can I get IE 5.01?
The download location for IE 5.01 is provided in the "Patch Availability" section of the security bulletin.

How can I tell if I installed IE 5.01 correctly?
In the Internet Explorer command menu, select "Help", then "About Internet Explorer". If IE 5.01 is installed, the version number will be 5.00.2919.6307.

What is Microsoft doing about this issue?

Microsoft has developed a patch that eliminates the vulnerability.

Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.

Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.

Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.

Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
