Published:
05 September 2002
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2002.489 -- Microsoft Security Bulletin MS02-049 Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning (Q326568) 05 September 2002 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Microsoft Visual FoxPro 6.0 Vendor: Microsoft Impact: Administrator Compromise Access Required: Remote - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- - - ---------------------------------------------------------------------- Title: Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning (Q326568) Date: 04 September 2002 Software: Microsoft Visual FoxPro 6.0 Impact: Attacker could gain control over user's system. Max Risk: Moderate Bulletin: MS02-049 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-049.asp. - - ---------------------------------------------------------------------- Issue: ====== In general, when an product installs, it should register itself with Internet Explorer. This allows the product to specify how Internet Explorer should handle files associated with it when referenced from a web page - for instance, it allows the product to specify whether the user should be presented with a warning dialogue before such a file is opened. Visual FoxPro 6.0 does not perform this registration, and this gives rise to a situation in which a web page could automatically launch a Visual FoxPro application (i.e., an .app file). In most cases, this would not result in a security vulnerability - because of the way Visual FoxPro 6.0 evaluates file names, FoxPro itself could be started but the .app file would typically not run. However, if the filename of the application were constructed in a particular way, a second error (associated with how Visual FoxPro 6.0 evaluates application filenames) could not only start FoxPro but allow the application to execute. The vulnerability could be exploited by creating a web page that references a Visual FoxPro application, and either hosting it on a web site or sending it to a user as an HTML mail. If the user had installed Visual FoxPro 6.0 - or had installed a product that includes the Visual FoxPro 6.0 runtime - and the filename of the application was constructed in a particular way, the application would execute. This would enable the application to not only interrogate databases, but also issue system commands in the user's security context. Mitigating Factors: ==================== - The vulnerability could only be exploited if Visual FoxPro 6.0 (or the Visual FoxPro 6.0 runtime) is installed on the system. Other products, and other versions of Visual FoxPro, are not affected by the vulnerability. - The most privileges the application could gain would be those of the user. If the user were operating in a less-privileged context, it would limit the damage that the application could cause. Risk Rating: ============ - Internet systems: Low - Intranet systems: Low - Client systems: Moderate Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-049.asp for information on obtaining this patch. Acknowledgment: =============== - Cristobal Bielza and Juan Carlos G. Cuartango from Instituto Seguridad Internet (http://www.instisec.com) - - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. - -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPXZOto0ZSRQxA/UrAQFItQf+Ngf4YeZLp127K4yeAr7DWt6ngP8JM3m2 XASeBTNq25zrHl2l5FCL3eLEZOCjD51TZ53ZcgcAadBarWdHIncIUdMnfPG2tR9z UtszFBBZRhZUR//DnewVOr70CPnL4RBDUt/rhPWrHDMxPKwGOKQeu3IDj2NjcKCm jjys+gGJ4ZaiVKfRRFpUnDOeWicy9JcvYWQk6DGvvjfL67bbu6lallW0KkBcpEey 6Kyz0GKI8+ICZhHypiFU3gy4Kcooi9v4G6PuIFRWpQfpNgNEUFQmptBKDV6PHSsW 6H6FnhxIyY7YJtp2VKDp/IfWUKH4LaNRrnjkaO6LK98AAju7PU+q2A== =Kffn - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBPXdBASh9+71yA2DNAQFvKwP+JmjNpt0/KVjvlb3ZUJdvA5QwkmLmnqck T1DrsXbdBHbiGiUjhFtLLkq1gwCujlvqOeZ7/eRwoLEJeQHBBjX6aZ0Z1slH45qO rXZOD7pqH+NkT7Es7zZTSJz42GOiQdj1K/+mV/MRr9l1VSYXkFdjGn+76UWT2mpd jmr5ELmkB3w= =NNfm -----END PGP SIGNATURE-----