Microsoft Security Bulletin MS02-049

Technical description:

In general, when an product installs, it should register itself with Internet Explorer. This allows the product to specify how Internet Explorer should handle files associated with it when referenced from a web page - for instance, it allows the product to specify whether the user should be presented with a warning dialogue before such a file is opened.

Visual FoxPro 6.0 does not perform this registration, and this gives rise to a situation in which a web page could automatically launch a Visual FoxPro application (i.e., an .app file). In most cases, this would not result in a security vulnerability - because of the way Visual FoxPro 6.0 evaluates file names, FoxPro itself could be started but the .app file would typically not run. However, if the filename of the application were constructed in a particular way, a second error (associated with how Visual FoxPro 6.0 evaluates application filenames) could not only start FoxPro but allow the application to execute.

The vulnerability could be exploited by creating a web page that references a Visual FoxPro application, and either hosting it on a web site or sending it to a user as an HTML mail. If the user had installed Visual FoxPro 6.0 - or had installed a product that includes the Visual FoxPro 6.0 runtime - and the filename of the application was constructed in a particular way, the application would execute. This would enable the application to not only interrogate databases, but also issue system commands in the user's security context.

Mitigating factors: 

Severity Rating: 

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-0696 

Tested Versions:

Microsoft tested Visual FoxPro 6.0 and 7.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

What's the scope of the vulnerability?
This vulnerability could enable an attacker to run a Visual FoxPro application on another user's system. By doing so, the attacker would be able to take any action that user could take, including loading and running programs, altering data on the system, reformatting the hard drive, and so forth.
The vulnerability could only be exploited if two conditions were present:

What causes the vulnerability?
The vulnerability results because Visual FoxPro application can be launched from a web page without generating a warning to the user.

What's Visual FoxPro?
Visual FoxPro is an object-oriented database management system that enables the development of database solutions for desktops or the web. The version of Visual FoxPro at issue here, Version 6.0, shipped as both a stand-alone product and as part of Visual Studio 6.0.

What's a Visual FoxPro application?
In Visual FoxPro, as in most database systems, it's possible to write an application that automates access to the database. Such an application can not only interrogate the database, but also can, by design, take actions on the user's system.

What's wrong with the way Visual FoxPro applications are handled?
There are two problems that combine to create a vulnerability. The first is that Visual FoxPro 6.0 does not register itself with Internet Explorer. Whenever a product installs, it should register with Internet Explorer and indicate whether files associated with the application can open automatically, or require user approval before opening. However, Visual FoxPro 6.0 does not do this.
Under most conditions, this would not pose a security vulnerability. For the vast majority of cases, the sole effect of opening a Visual FoxPro application would be to start Visual FoxPro but not actually run the application. However, if the application's filename is constructed in a particular way, it will cause Visual FoxPro to interpret and execute the application.

What could this vulnerability enable an attacker to do?
The vulnerability would enable an attacker to launch a Visual FoxPro application on another user's system, after which point the application could take any action that the user was authorized to take on the system.

How might an attacker exploit the vulnerability?
The attacker would need to create a web page that invokes a Visual FoxPro application, and either host the page on a web site or send it to another user as an HTML mail. In either case, if a user opened that page, and had Visual FoxPro 6.0 installed on the system, the application would launch without warning

I don't have Visual FoxPro installed on my system. Am I at any risk?
The vulnerability could only be exploited if Visual FoxPro - and specifically Version 6.0 of Visual FoxPro - was installed on your system. However, it is important to note that there are two ways it could be installed. The most common way would be for you to have installed the Visual FoxPro 6.0 product on your system.
But it's also possible for third-party products to embed the Visual FoxPro 6.0 runtime - essentially, the core database engine, without any of the supporting feature set. If you had installed such a product, you could also be vulnerable.

What third-party products install the Visual FoxPro 6.0 runtime?
It's impossible to say. The runtime is embedded in a number of applications that have been written by companies for their internal use, as well as by commercial products. If you think you might be using such a product, you can determine whether the Visual FoxPro 6.0 runtime is present on your system by searching for any of the following files on your system: vfp6r.dll, vfp6t.dll, or vfp6run.exe. If any of them are present, Visual FoxPro 6.0 is installed on your system and you need the patch.

I have Visual FoxPro 7.0 installed on my system. Am I at any risk?
No. The vulnerability only affects Visual FoxPro 6.0.

I used to have Visual FoxPro 6.0 on my system, but I upgraded to Version 7.0. Am I at any risk?
No. Upgrading to Version 7.0 eliminates the vulnerability. This is true even if you did a side-by-side installation - that is, if you installed Version 7.0 on a system that already had Version 6.0 on it, but elected to keep both versions present on the system.

Is there any way to eliminate the vulnerability other than installing the patch?
Yes. Recall that the vulnerability results in part because Visual FoxPro 6.0 doesn't tell Internet Explorer how to handle Visual FoxPro applications. It's possible to do this manually via the following procedure:

What does the patch do?
The patch registers Visual FoxPro application (.app) files with Internet Explorer and also removes the code flaw that allows certain filenames to be evaluated and launched.

Download locations for this patch

Installation platforms:

This patch can be installed on systems running Visual FoxPro 6.0. There are no service pack requirements.

Inclusion in future service packs:

No additional service packs are planned for Visual FoxPro 6.0.

Reboot needed: No

Patch can be uninstalled: No

Superseded patches: None.

Verifying patch installation: 

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\VFPODBC\Q326568
•	To verify the individual files, use the date/time and version information provided in the file manifest in Knowledge Base article Q326568

Caveats:

•

The localized versions of the patch contain a minor error in the EULA and the completion dialog, which results in random characters being displayed in both. These errors do not affect the effectiveness of the patch -- they are display errors only. Microsoft will release shortly updated versions of the patches that do not contain the errors.

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site

Top of section