-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

     ESB-2004.0438 -- US-CERT Technical Cyber Security Alert TA04-184A
     Internet Explorer Update to Disable ADODB.Stream ActiveX Control
                               03 July 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Internet Explorer 6.0
                        Internet Explorer 5.01
Publisher:              US-CERT
Operating System:       Windows Server 2003
                        Windows XP
                        Windows 2000
                        Windows ME
                        Windows 9x
Platform:               IA-32
                        IA-64
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

Ref:                    ESB-2004.0432

Comment: Microsoft recommends installing this update automatically through
         the Windows Update web site at http://windowsupdate.microsoft.com

         Alternatively, system administrators can download patches for
         their specific versions of Windows from
         http://support.microsoft.com/default.aspx?kbid=870669

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Internet Explorer Update to Disable ADODB.Stream ActiveX Control

   Original release date: July 2, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows systems

Overview

   Microsoft has released a security update for Internet Explorer (IE)
   that disables the ADODB.Stream ActiveX control. This update reduces
   the impact of attacks against cross-domain vulnerabilities in IE.

I. Description

   A class of vulnerabilities in IE allows malicious script from one
   domain to execute in a different domain which may also be in a
   different IE security zone. Attackers typically seek to execute script
   in the security context of the Local Machine Zone (LMZ). One such
   vulnerability (VU#713878) is described in US-CERT Technical Alert
   TA04-163A. Other cross-domain vulnerabilities have similar impacts.

   After obtaining access to the LMZ through one or more of the
   vulnerabilities noted above, attackers typically attempt to download
   and run an executable file. Writing the executable to disk can be
   accomplished using the ADODB.Stream ActiveX control. In order to
   defeat this technique, Microsoft has released an update that disables
   the ADODB.Stream control. From Microsoft Knowledge Base Article
   870669:

     An ADO stream object contains methods for reading and writing
     binary files and text files. When an ADO stream object is combined
     with known security vulnerabilities in Internet Explorer, a Web
     site could execute scripts from the Local Machine zone. To help
     protect your computer from this kind of attack, you can manually
     modify your registry. 

   It is important to note that there may be other ways for an attacker
   to write arbitrary data or to execute commands without relying on the
   ADODB.Stream control.

   Further information is available from Microsoft in What You Should
   Know About Download.Ject. Instructions for securing IE and other web
   browsers against malicious web scripts are available in the Malicious
   Web Scripts FAQ.

II. Impact

   By convincing a victim to view an HTML document (web page, HTML
   email), an attacker could execute script in a different security
   domain than the one containing the attacker's document. By causing
   script to be run in the Local Machine Zone, the attacker could execute
   arbitrary code with the privileges of the user running IE.

   Recent incident activity known as Download.Ject (also JS.Scob.Trojan,
   Scob, JS.Toofeer) uses cross-domain vulnerabilities and the
   ADODB.Stream control to install software that steals sensitive
   financial information.

III. Solution

   Until a complete solution is available from Microsoft, consider the
   following workarounds.

Disable Active scripting and ActiveX controls

   Disabling Active scripting and ActiveX controls in the Internet Zone
   (or any zone used by an attacker) appears to prevent exploitation of
   this vulnerability. Disabling Active scripting and ActiveX controls in
   the Local Machine Zone will prevent widely used payload delivery
   techniques from functioning. Instructions for disabling Active
   scripting in the Internet Zone can be found in the Malicious Web
   Scripts FAQ. See Microsoft Knowledge Base Article 833633 for
   information about securing the Local Machine Zone. Also, Service Pack
   2 for Windows XP (currently at RC2) includes these and other security
   enhancements for IE.

Do not follow unsolicited links

   Do not click on unsolicited URLs received in email, instant messages,
   web forums, or Internet relay chat (IRC) channels. While this is
   generally good security practice, following this behavior will not
   prevent exploitation of this vulnerability in all cases. For example,
   a trusted web site could be compromised and modified to deliver
   exploit script to unsuspecting clients.

Disable ADODB.Stream ActiveX control

   One way to disable the ADODB.Stream control is to apply the update
   from the Microsoft Download Center (KB870669) or the Windows Update
   web site.

   The ADODB.Stream control can also be disabled by modifying the Windows
   registry as described in Microsoft Knowledge Base Article 870669.

   Both of these methods disable ADODB.Stream by setting the kill bit for
   the control in the Windows registry.

   Note that disabling the ADODB.Stream control does not directly address
   any cross-domain vulnerabilities, nor does it prevent attacks. This
   workaround prevents a well-known and widely used technique for writing
   arbitrary data to disk after a cross-domain vulnerability has been
   exploited. There may be other ways for an attacker to write arbitrary
   data or execute commands.
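   The two registry-based hardening steps the alert describes (the kill bit
   for ADODB.Stream and the Internet Zone Active scripting / ActiveX settings
   from the first workaround) can be audited from a script. The following is
   an added example for defenders, not code from US-CERT, AusCERT or
   Microsoft. It assumes, from the KB articles the alert references rather
   than from this bulletin, that ADODB.Stream's CLSID is
   {00000566-0000-0010-8000-00AA006D2EA4}, that the kill bit is 0x400 in
   "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet
   Explorer\ActiveX Compatibility\<CLSID>, and that in the Internet Zone
   (zone 3) action 1200 is "Run ActiveX controls and plug-ins", action 1400
   is "Active scripting", and a DWORD of 3 means Disable; verify these
   against KB870669 and KB833633 before relying on the script. The sample
   registry states are constructed so the script also runs on a non-Windows
   host.

```python
"""Audit the ADODB.Stream kill bit and Internet Zone script/ActiveX settings.

Added example; the CLSID, flag value, key paths and zone action numbers
are assumptions taken from Microsoft documentation, not from the alert.
"""
import sys

ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"  # assumed, see lead-in
KILL_BIT = 0x400                                               # assumed kill-bit flag
ACTIVEX_COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET_ZONE = "3"
ZONE_ACTIONS = {"1200": "Run ActiveX controls and plug-ins",
                "1400": "Active scripting"}
DISABLE = 3  # zone action value: 0 = enable, 1 = prompt, 3 = disable


def kill_bit_set(compat_flags):
    """True when the kill bit is present in Compatibility Flags.

    None means the key or value is absent, so the control is NOT killed.
    Other bits may be set alongside 0x400, hence the bitwise test."""
    if compat_flags is None:
        return False
    return bool(compat_flags & KILL_BIT)


def audit(compat_flags, zone_values):
    """Return {check_name: hardened?} for the three settings the alert covers.

    zone_values maps a zone action name (e.g. "1400") to its DWORD, or None."""
    return {
        "adodb_stream_kill_bit": kill_bit_set(compat_flags),
        "internet_zone_activex_disabled": zone_values.get("1200") == DISABLE,
        "internet_zone_active_scripting_disabled": zone_values.get("1400") == DISABLE,
    }


def read_dword(root, path, name):
    """Read one DWORD from the live registry; None if the key or value is missing.
    Windows only: winreg is imported lazily so the module loads elsewhere."""
    import winreg
    try:
        with winreg.OpenKey(root, path) as key:
            value, kind = winreg.QueryValueEx(key, name)
            return value if kind == winreg.REG_DWORD else None
    except OSError:
        return None


def read_live_state():
    """Collect the kill-bit flags and the current user's Internet Zone actions."""
    import winreg
    flags = read_dword(winreg.HKEY_LOCAL_MACHINE,
                       ACTIVEX_COMPAT_KEY + "\\" + ADODB_STREAM_CLSID,
                       "Compatibility Flags")
    zone_path = ZONES_KEY + "\\" + INTERNET_ZONE
    zone_values = {action: read_dword(winreg.HKEY_CURRENT_USER, zone_path, action)
                   for action in ZONE_ACTIONS}
    return flags, zone_values


# Constructed registry states (not captured from a real host) for offline runs.
CONSTRUCTED_SAMPLES = {
    "unpatched": (None, {"1200": 0, "1400": 0}),    # no kill bit, everything enabled
    "patched":   (0x400, {"1200": 3, "1400": 3}),   # kill bit set, both actions disabled
}

if __name__ == "__main__":
    if sys.platform == "win32":
        flags, zone_values = read_live_state()
    else:
        flags, zone_values = CONSTRUCTED_SAMPLES["unpatched"]
    for check, ok in audit(flags, zone_values).items():
        print("%-42s %s" % (check, "OK" if ok else "MISSING"))
```

   The zone settings are read from HKEY_CURRENT_USER because that is where IE
   stores per-user zone policy by default; on systems where administrators
   enforce zones machine-wide the same subkeys exist under HKEY_LOCAL_MACHINE
   and should be checked there as well. A missing "Compatibility Flags" value
   is reported as not hardened rather than treated as an error, since absence
   is exactly the unpatched state.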

Maintain updated anti-virus software

   Anti-virus software with updated virus definitions may identify and
   prevent some exploit attempts. Variations of exploits or attack
   vectors may not be detected. Do not rely solely on anti-virus software
   to defend against this vulnerability. More information about viruses
   and anti-virus vendors is available on the US-CERT Computer Virus
   Resources page.

Appendix A. Vendor Information

Microsoft Corporation

     Please see What You Should Know About Download.Ject and Microsoft
     Knowledge Base Article 870669.

Appendix B. References

     * US-CERT Technical Alert TA04-163A -
       <http://www.us-cert.gov/cas/techalerts/TA04-163A.html>
     * US-CERT Vulnerability Note VU#713878 -
       <http://www.kb.cert.org/vuls/id/713878>
     * Malicious Web Scripts FAQ -
       <http://www.cert.org/tech_tips/malicious_code_FAQ.html>
     * Results of the Security in ActiveX Workshop (PDF)
       <http://www.cert.org/reports/activeX_report.pdf>
     * What You Should Know About Download.Ject -
       <http://www.microsoft.com/security/incident/download_ject.mspx>
     * Increase Your Browsing and E-Mail Safety -
       <http://www.microsoft.com/security/incident/settings.mspx>
     * Working with Internet Explorer 6 Security Settings -
       <http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx>
     * Microsoft Knowledge Base Article 870669 -
       <http://support.microsoft.com/default.aspx?kbid=870669>
     * Microsoft Knowledge Base Article 833633 -
       <http://support.microsoft.com/default.aspx?kbid=833633>
     * Microsoft Knowledge Base Article 182569 -
       <http://support.microsoft.com/default.aspx?kbid=182569>
     * Microsoft Knowledge Base Article 240797 -
       <http://support.microsoft.com/default.aspx?kbid=240797>
     * Windows XP Service Pack 2 Release Candidate 2 Preview -
       <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>

   Feedback can be directed to the author: Art Manion
     _________________________________________________________________

   The most current version of this alert can be found at

   <http://www.us-cert.gov/cas/techalerts/TA04-184A.html>

   Copyright 2004 Carnegie Mellon University.

   Terms of use: <http://www.us-cert.gov/legal.html>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFA5eRhXlvNRxAkFWARAoJ2AJ4li8P3oDahkS8wx7TwaxEENVSB2QCeOAx/
XqyJQKuWUPfNwdlZLklcTDc=
=I1vr
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQOZ1iCh9+71yA2DNAQID6wP/VQMGHjqSupgjerNCV+FDcr6mLmmcRgNg
RJe0fh2UkusuHM09ZrHbsVzlb977Gg+HbtlyunOA6Bdd3iLI9kLq7Aaygb/hK0F2
Xm0sFpKC56tfZJ+0jrv3MioYVJn1d+/TWfcaslPM9qpWo5OYXhZIvxFiy3RhATVf
5bCJ+ekEoPU=
=GggD
-----END PGP SIGNATURE-----