KB823182 Security Patch

Vulnerability in Authenticode Verification Could Allow Remote Code Execution - CRITICAL!

So What's The Story With Patch KB823182?

Microsoft published Security Bulletin MS03-041 (Knowledge Base article 823182) on 15th October 2003, describing a new vulnerability that affects numerous versions of Microsoft Windows.

There is a vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with an approval dialog.

To exploit this vulnerability, an attacker could host a malicious Web site and persuade a user to visit it; an ActiveX control could then be installed and executed on the user's system. Alternatively, the attacker could send the user a specially formed HTML e-mail, and an unauthorized ActiveX control could be installed and executed when the user viewed it. In both scenarios the control runs with the same permissions as the user, and the user is never prompted for approval.

What's the scope of the vulnerability?
This is a remotely exploitable vulnerability. An attacker who successfully exploited it could execute arbitrary code in the security context of the logged-on user.

What causes the vulnerability?
The vulnerability results from the way Authenticode performs the approval check before it installs an ActiveX control: under certain low memory conditions the approval prompt is never shown, and the control is installed as though the user had clicked "Yes".

What is Authenticode?
Authenticode is a technology that allows users to verify the publisher of an ActiveX control. Through its code signing mechanisms, Authenticode identifies the publisher of the signed software and verifies that it has not been tampered with since it was signed, before users download the software to their systems. Based on this knowledge the end user can then decide whether or not to download and install the code. Note that a valid signature establishes who published the code and that it is intact; it says nothing about whether the code is safe to run, which is why the user is asked to make the trust decision.

What is ActiveX?
ActiveX is a technology that allows programmers to develop self-contained software modules, called controls, that perform a single task or a collection of related tasks. An ActiveX control can be called by programs or Web sites that need the functionality it provides.

What's wrong with Authenticode?
By default, Authenticode prompts the user before an ActiveX control is installed: it presents a dialog in which the user must confirm that they trust the publisher of the control and want to install it, and only when the user clicks "Yes" is the control downloaded and installed. The vulnerability is that, under certain low memory conditions, Authenticode can download and install the control without ever presenting this dialog, so a prompt that could not be shown ends up having the same effect as an approval.
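The two answers above describe what Authenticode checks and what the approval dialog is supposed to enforce. As an added example, not part of the original article and not Microsoft's code, the PowerShell function below makes the same decision programmatically and fail-closed: a control is approved only if its Authenticode signature verifies and the signer's certificate thumbprint is on an explicit allow-list, and any error raised while checking (an out-of-memory condition included) is a refusal rather than an approval. Get-AuthenticodeSignature is a standard PowerShell cmdlet; the file path and the thumbprint list are placeholders you supply.

```powershell
# Added example (not from the original article or from Microsoft): decide
# whether a downloaded control may be installed, fail-closed. Approval requires
# a signature that verifies AND a signer on an explicit allow-list; every
# other outcome, including an exception thrown while checking, is a refusal.
# Assumptions: the path and thumbprints passed in are placeholders of your own.

function Test-ControlTrust {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,

        # SHA-1 thumbprints of the code-signing certificates you have chosen to trust.
        # Take them from a known-good copy: (Get-AuthenticodeSignature <file>).SignerCertificate.Thumbprint
        [string[]]$TrustedThumbprints = @()
    )

    # Start from "not approved"; exactly one code path below flips it to $true.
    $decision = New-Object PSObject -Property @{
        Path     = $Path
        Approved = $false
        Reason   = ''
        Signer   = $null
    }

    try {
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
            $decision.Reason = 'file not found'
            return $decision
        }

        # -ErrorAction Stop turns a non-terminating cmdlet error into an exception,
        # so it lands in the catch block instead of yielding a $null signature object.
        $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop

        # Status values: Valid, UnknownError, NotSigned, HashMismatch, NotTrusted,
        # NotSupportedFileFormat, Incompatible. Anything but Valid is a refusal;
        # HashMismatch in particular means the file was altered after signing.
        if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
            $decision.Reason = "signature status $($sig.Status): $($sig.StatusMessage)"
            return $decision
        }

        $decision.Signer = $sig.SignerCertificate.Subject
        $thumbprint = $sig.SignerCertificate.Thumbprint

        # A valid signature only tells you WHO signed and that the bytes are intact.
        # Whether that publisher is trusted is a separate, explicit decision.
        if ($TrustedThumbprints -notcontains $thumbprint) {
            $decision.Reason = "valid signature, but signer $thumbprint is not on the allow-list"
            return $decision
        }

        $decision.Approved = $true
        $decision.Reason   = 'valid signature from an allow-listed publisher'
        return $decision
    }
    catch {
        # Fail closed. KB823182 is the consequence of the opposite choice: when the
        # prompt could not be shown under low memory, the install went ahead.
        # An OutOfMemoryException or any other failure here must read as "no".
        $decision.Reason = "verification failed: $($_.Exception.GetType().Name): $($_.Exception.Message)"
        return $decision
    }
}

# Usage (placeholders): check a freshly downloaded control against one trusted signer.
$trusted = @('0123456789ABCDEF0123456789ABCDEF01234567')   # placeholder thumbprint
Test-ControlTrust -Path "$env:TEMP\downloaded-control.ocx" -TrustedThumbprints $trusted |
    Format-List Path, Approved, Signer, Reason
```

Two things to keep in mind when running it. On older PowerShell versions the cmdlet only inspects embedded signatures, so operating-system binaries that are signed through a catalog file report NotSigned; in a fail-closed design that is still a refusal, which is the safe default. And the allow-list is what turns "signed" into "trusted": a valid signature from an unknown publisher is deliberately not enough.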

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to install and execute an unauthorized ActiveX control on the user's system. This could allow an attacker to take any action on a user's system in the security context of the currently logged in user.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability in one of two ways:

  • By hosting a specially constructed Web Page. If the attacker lured a user to this Web Page, the Authenticode checks could fail and could allow arbitrary code to execute in the context of the user.
  • By sending a user a specially crafted HTML email. If a user viewed this E-mail, the Authenticode checks could fail and could allow arbitrary code to execute in the context of the user.

 

Does this mean the vulnerability is in Internet Explorer?
No - the vulnerability is in the underlying Authenticode technology in Microsoft Windows. Internet Explorer is one product that uses this underlying Authenticode technology.

I'm not using Internet Explorer as my web browser, do I need the patch?
Yes - the vulnerability is in the underlying Authenticode technology in Microsoft Windows. Any application that uses Authenticode technology could be vulnerable.

I am running Internet Explorer on Windows Server 2003. Does this mitigate this vulnerability?
Yes. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode known as Enhanced Security Configuration.

What is Internet Explorer Enhanced Security Configuration?
Internet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or administrator downloading and running malicious Web content on a server. Internet Explorer Enhanced Security Configuration reduces this risk by modifying numerous security-related settings, including Security and Advanced tab settings in Internet Options. Some of the key modifications include:

  • Security level for the Internet zone is set to High. This setting disables scripts, ActiveX Controls, Microsoft Java Virtual Machine (MSJVM) HTML content, and file downloads.
  • Automatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.
  • Install On Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.
  • Multimedia content is disabled. This setting prevents music, animations, and video clips from running.

Disabling Internet Explorer Enhanced Security Configuration would remove the protections that help prevent this vulnerability from being exploited. For more information regarding Internet Explorer Enhanced Security Configuration, please consult the Managing Internet Explorer Enhanced Security Configuration guide, which can be found at the following location:

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

Is there any configuration of Windows Server 2003 that is likely to have Internet Explorer Enhanced Security Configuration Disabled?
Yes. Systems Administrators who have deployed Windows Server 2003 as a Terminal Server would likely disable Internet Explorer Enhanced Security Configuration to allow users of the Terminal Server to use Internet Explorer in an unrestricted mode.
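The answers above make the Windows Server 2003 mitigation conditional: Enhanced Security Configuration must still be switched on, and the Internet zone must still refuse ActiveX downloads. As an added example, not part of the original article and not Microsoft's code, the script below audits both on a machine you administer. It reads the Active Setup components that record whether ESC is enabled for Administrators and for Users, and the current user's Internet zone action values for downloading, running and scripting ActiveX controls. The component GUIDs and the zone action codes are Microsoft's documented ones, but they are assumptions of this script rather than anything the article states.

```powershell
# Added example (not from the original article or from Microsoft): report whether
# IE Enhanced Security Configuration is on and whether the Internet zone still
# blocks ActiveX downloads. Assumed (documented by Microsoft, not by the article):
# the Active Setup GUIDs below and the zone action IDs / values from KB182569.

function Get-IEEscStatus {
    # IsInstalled = 1 under these Active Setup components means ESC is on for that group
    # (A509B1A7 = Administrators, A509B1A8 = Users).
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $components = @{
        Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }
    $status = @{}
    foreach ($group in $components.Keys) {
        $key = Join-Path $base $components[$group]
        $enabled = $false
        if (Test-Path -LiteralPath $key) {
            $item = Get-ItemProperty -LiteralPath $key -Name IsInstalled -ErrorAction SilentlyContinue
            $enabled = ($item -ne $null -and $item.IsInstalled -eq 1)
        }
        $status[$group] = $enabled
    }
    return $status
}

function Get-InternetZoneActiveXPolicy {
    # Zone 3 = Internet. Action value 0 = Enable, 1 = Prompt, 3 = Disable.
    # KB823182 is precisely a failure to show the prompt, so "Prompt" on the download
    # actions is no safeguard against it; only "Disable" (what the High level sets) is.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $actions = @{
        '1001' = 'Download signed ActiveX controls'
        '1004' = 'Download unsigned ActiveX controls'
        '1200' = 'Run ActiveX controls and plug-ins'
        '1201' = 'Initialize and script ActiveX controls not marked as safe'
        '1400' = 'Active scripting'
    }
    $names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    $props = Get-ItemProperty -LiteralPath $zoneKey -ErrorAction SilentlyContinue

    foreach ($id in ($actions.Keys | Sort-Object)) {
        $raw = $null
        if ($props -ne $null -and $props.PSObject.Properties[$id] -ne $null) {
            $raw = [int]$props.$id
        }
        if ($raw -eq $null)               { $state = 'not set (IE default applies)' }
        elseif ($names.ContainsKey($raw)) { $state = $names[$raw] }
        else                              { $state = "unrecognised ($raw)" }

        New-Object PSObject -Property @{
            Action        = $id
            Setting       = $actions[$id]
            State         = $state
            BlocksActiveX = ($raw -eq 3)
        }
    }
}

function Test-ActiveXExposure {
    $esc  = Get-IEEscStatus
    $zone = @(Get-InternetZoneActiveXPolicy)
    # Both download actions (signed 1001 and unsigned 1004) must be Disable, not Prompt
    $downloadsBlocked = @($zone | Where-Object {
        ('1001','1004') -contains $_.Action -and $_.BlocksActiveX }).Count -eq 2

    New-Object PSObject -Property @{
        EscEnabledForAdministrators        = $esc['Administrators']
        EscEnabledForUsers                 = $esc['Users']
        InternetZoneBlocksActiveXDownloads = $downloadsBlocked
        ZoneDetail                         = $zone
    }
}

$report = Test-ActiveXExposure
$report | Format-List EscEnabledForAdministrators, EscEnabledForUsers, InternetZoneBlocksActiveXDownloads
$report.ZoneDetail | Format-Table Action, Setting, State, BlocksActiveX -AutoSize
```

On a Terminal Server where an administrator has turned ESC off for Users, the first two lines of the report disagree with each other and the zone table typically shows the download actions at Prompt, which is exactly the state this vulnerability bypasses. The script reads the per-user zone values; where the Security_HKLM_only policy is in force the effective values live under the same path beneath HKLM instead, so read that hive in that case.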

Is there anything that helps mitigate the risk of an HTML email attack?
The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:

  • You have applied the patch included with Microsoft Security bulletin MS03-040
  • You are using Internet Explorer 6 or later
  • You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in their default configuration.

What does the KB823182 patch do?

The patch addresses the vulnerability by ensuring that Authenticode always prompts the user before an ActiveX control is installed, including under the low memory conditions that previously caused the prompt to be skipped.

The Windows XP version of this security patch requires either the original release of Windows XP or Windows XP Service Pack 1 (SP1).

The information in this KB823182 article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.0

Machines running Windows ME are not at risk from this new vulnerability described in KB823182.

Not Sure KB823182 Is Installed On Your PC?

Apart from a quick check in Add or Remove Programs to see whether KB823182 is listed, you may also be able to verify the files that this security patch installed by reviewing the following registry key:

For Windows XP Home Edition SP1; Windows XP Professional SP1; Windows XP 64-Bit Edition, Version 2002 SP1; Windows XP Tablet PC Edition; Windows XP Media Center Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823182\Filelist

For Windows XP Home Edition; Windows XP Professional; Windows XP 64-Bit Edition, Version 2002:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823182\Filelist

For Windows XP 64-Bit Edition, Version 2003:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823182\Filelist

Note: the SP2 or SP1 component in these paths names the service pack into which the fix will be rolled up, not the service pack currently installed (an XP SP1 machine registers the patch under SP2). Also, this registry key may not be created properly when an administrator or an OEM integrates or slipstreams the KB823182 security patch into the Windows installation source files, so its absence does not prove that the patch is missing.
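As an added example, not part of the original article and not Microsoft's code, the following PowerShell function automates the check described above: it tries the three Filelist keys listed, the Add or Remove Programs uninstall entry, and Get-HotFix, and reports which indicator matched and which files the patch registered. The uninstall key name and the numbered-subkey layout beneath Filelist are assumptions about how hotfixes of this era register themselves, not details taken from the article.

```powershell
# Added example (not from the original article or from Microsoft): check the
# indicators that KB823182 is present. The Filelist keys are the ones the
# article lists; the Uninstall key name and the numbered subkey layout under
# Filelist (one subkey per file, with a FileName value) are assumptions about
# how Update.exe-based hotfixes of this era register themselves.

function Test-KB823182Installed {
    param([string]$Kb = 'KB823182')

    # "SP2"/"SP1" in these paths is the service pack the fix will be rolled into,
    # not the one currently installed: XP SP1 machines register under SP2, etc.
    $fileListKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP2\$Kb\Filelist",
        "HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP1\$Kb\Filelist",
        "HKLM:\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\$Kb\Filelist"
    )
    # The Add or Remove Programs entry (assumed key name)
    $uninstallKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Kb"

    $result = New-Object PSObject -Property @{
        KB              = $Kb
        FilelistKey     = $null
        Files           = @()
        InUninstallList = (Test-Path -LiteralPath $uninstallKey)
        InHotFixList    = $false
        Installed       = $false
    }

    foreach ($key in $fileListKeys) {
        if (Test-Path -LiteralPath $key) {
            $result.FilelistKey = $key
            # Assumed layout: subkeys 0, 1, 2 ... each carrying a FileName value
            $result.Files = @(Get-ChildItem -LiteralPath $key |
                ForEach-Object { (Get-ItemProperty -LiteralPath $_.PSPath).FileName } |
                Where-Object { $_ })
            break
        }
    }

    # Get-HotFix (Win32_QuickFixEngineering) appeared in PowerShell 2.0; guard for 1.0
    if (Get-Command Get-HotFix -ErrorAction SilentlyContinue) {
        $result.InHotFixList = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
    }

    # Any one indicator is enough to say "installed". None of them being present is
    # NOT proof of absence: a slipstreamed install can leave no registry trace at all.
    $result.Installed = $result.InUninstallList -or $result.InHotFixList -or ($result.FilelistKey -ne $null)
    return $result
}

Test-KB823182Installed | Format-List KB, Installed, InUninstallList, InHotFixList, FilelistKey, Files
```

Treat a result of Installed = False as "not proven" rather than "absent": on a slipstreamed build the only reliable evidence is the version of the patched files themselves, and the article does not list those versions, so compare them against the KB article before concluding the machine is unpatched.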

Restart Requirement:

You must restart your computer after you apply this security patch.

Removal Information:

To remove this patch, use the Add or Remove Programs tool in Control Panel.

Dual Mode:

The Windows XP and Windows XP 64-Bit Edition Version 2002 versions of this security patch are packaged as dual-mode packages. Dual-mode packages contain files for both the original version of Windows XP and Windows XP Service Pack 1 (SP1).

 

Conclusion:

As ever I would urge ALL of you to download and apply the latest patches, to keep your anti-virus software up to date and to use a firewall to protect against unwanted intrusions!

This includes making sure you have ALL CURRENT Outlook Email Security Updates to reduce risks from an e-mail borne attack...

Applying the KB823182 security patch closes this known CRITICAL vulnerability (a failure to prompt under low memory conditions, not a buffer overrun).

Microsoft has tested several workarounds as well... These may be useful to you if you are not in a position to install this patch on your system. 

These workarounds will not correct the underlying vulnerability and I STRONGLY advise you NOT to use them instead of installing this patch...!

Well I hope this article on the KB823182 security patch was useful..

 

Regards

Marc Liron
www.updatexp.com


The views on this website are my own and not that of Microsoft.
I am not responsible for the content of any sites linked to.
ALL Trademarks are freely acknowledged
ALL information is provided "As Is"

This page was last updated 15th October 2003

 
