-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2002.277 -- Microsoft Security Bulletin MS02-027
         Unchecked Buffer in Gopher Protocol Handler Can Run Code
                      of Attacker's Choice (Q323889)
                               12 June 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Internet Explorer
                        Proxy Server 2.0
                        Internet Security and Acceleration Server 2000
Vendor:                 Microsoft
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      Unchecked Buffer in Gopher Protocol Handler Can Run Code
            of Attacker's Choice (Q323889)
Date:       11 June 2002
Software:   Internet Explorer, Proxy Server, Internet Security and
            Acceleration Server
Impact:     Run Code of Attacker's Choice
Max Risk:   Critical
Bulletin:   MS02-027

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-027.asp
- - ----------------------------------------------------------------------

Issue:
======
This is a work-around bulletin that details steps customers can
take to protect themselves against a publicly disclosed
vulnerability until patches are available. 

The Gopher protocol is a legacy protocol that provides for the
transfer of text-based information across the Internet.
Information on Gopher servers is hierarchically presented using a
menu system, and multiple Gopher servers can be linked together to
form a collective "Gopherspace". 

There is an unchecked buffer in the code that handles responses
from Gopher servers. This code is used independently in IE, ISA,
and Proxy Server. The result is a security vulnerability: an
attacker could mount a buffer overrun attack through a specially
crafted server response. The attacker could seek to exploit the
vulnerability by crafting a web page that contacts a server under
the attacker's control, and then either post this page on a web
site or send it as an HTML email. When the page is displayed and
the server's response is received and processed, the attack would
be carried out.

A successful attack requires that the attacker be able to send
information to the intended target using the Gopher protocol.
Anything which inhibited Gopher connectivity could protect against
attempts to exploit this vulnerability. In the case of IE, the
code would be run in the user's context. As a result, any
limitations on the user would apply to the attacker's code
as well. 


Mitigating Factors:
====================
 - A successful attack requires that the attacker's server be
   able to deliver information to the target using the Gopher
   protocol. Customers who block Gopher at the perimeter would be
   protected against attempts to exploit this vulnerability across
   the Internet. 

 - In the case of IE, code would run in the security context of
   the user. As a result, any limitations on the user's ability
   would also restrict the actions an attacker's code could take. 

 - A successful attack against ISA and Proxy servers would
   require that the malicious response be received by the web
   proxy service. In practical terms, this means that a proxy
   client would have to submit the initial request through the
   proxy server.

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: Critical

Patch Availability:
===================
 - A patch is currently under development to fix this
   vulnerability. Please read the Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-027.asp
   for workaround information while patches are developed.

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
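
Added example (not part of the Microsoft bulletin or AusCERT's text, and not code from the affected products): the bulletin says only that the code handling Gopher server responses has an unchecked buffer, so this C parser shows the defence for that class of bug, checking every field of a Gopher menu line (RFC 1436 layout: type character, then display, selector, host and port separated by tabs and ended by CRLF) against its destination size before copying. The struct, the function names and the field limits are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>
/* Field limits are choices made for this example, not values from the bulletin. */
#define DISPLAY_MAX  70
#define SELECTOR_MAX 255
#define HOST_MAX     255
struct gopher_item {
    char type;
    char display[DISPLAY_MAX + 1];
    char selector[SELECTOR_MAX + 1];
    char host[HOST_MAX + 1];
    int  port;
};

/* Copy the field that starts at *pos and ends at delim into dst, only if it fits.
 * Returns 0 on success, -1 if delim is missing, -2 if the field exceeds cap - 1. */
static int take_field(const char *buf, size_t len, size_t *pos, char delim,
                      char *dst, size_t cap)
{
    const char *start = buf + *pos;
    const char *end = memchr(start, delim, len - *pos);  /* never reads past len */
    if (end == NULL) return -1;
    size_t n = (size_t)(end - start);
    if (n >= cap) return -2;        /* length is checked BEFORE the copy */
    memcpy(dst, start, n);
    dst[n] = '\0';
    *pos += n + 1;                  /* skip the delimiter */
    return 0;
}

/* Parse one untrusted menu line of len bytes (need not be NUL-terminated). */
int parse_menu_line(const char *buf, size_t len, struct gopher_item *out)
{
    char port[6];                   /* at most five decimal digits */
    size_t pos = 1;
    int rc;
    if (len < 2) return -1;
    out->type = buf[0];
    if ((rc = take_field(buf, len, &pos, '\t', out->display, sizeof out->display))) return rc;
    if ((rc = take_field(buf, len, &pos, '\t', out->selector, sizeof out->selector))) return rc;
    if ((rc = take_field(buf, len, &pos, '\t', out->host, sizeof out->host))) return rc;
    if ((rc = take_field(buf, len, &pos, '\r', port, sizeof port))) return rc;
    out->port = 0;
    for (const char *p = port; *p; p++) {
        if (*p < '0' || *p > '9') return -1;
        out->port = out->port * 10 + (*p - '0');
    }
    return (port[0] && out->port <= 65535) ? 0 : -1;
}
```

A return of -2 means a field was longer than its buffer and the line was rejected without any copy taking place; a caller should drop the whole response at that point.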

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for member emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----