Subject: [NT] Vulnerability in Step-by-Step Interactive Training Allows Remote Code Execution (MS05-031)
Date: 15 Jun 2005 16:19:02 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Vulnerability in Step-by-Step Interactive Training Allows Remote Code 
Execution (MS05-031)
------------------------------------------------------------------------


SUMMARY

Step-by-Step Interactive Training "is used as the engine for hundreds of 
interactive training titles that are provided by Microsoft Press and other 
vendors". The list of known titles that contain this software is provided 
in Microsoft Knowledge Base Article 898458 
<http://support.microsoft.com/kb/898458>. For more information about other 
available Microsoft Press titles that may contain this software, see the 
Microsoft Press Web site <http://www.microsoft.com/learning/Books/default.asp>.

The Step-by-Step Interactive Training has a remote code execution 
vulnerability that could allow an attacker to take complete control of an 
affected system.

DETAILS

Vulnerable Systems:
 * Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
 * Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
 * Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
 * Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based
 * Microsoft Windows Server 2003 x64 Edition
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME). Review the FAQ section of this bulletin for details about these operating systems.

Affected Components:
 * Step-by-Step Interactive Training - Download the update:
   <http://www.microsoft.com/downloads/details.aspx?FamilyId=591265a7-e7f4-409f-992b-84d954824ba8>
 * Step-by-Step Interactive Training when it is running on Itanium-based systems - Download the update:
   <http://www.microsoft.com/downloads/details.aspx?FamilyId=591265a7-e7f4-409f-992b-84d954824ba8>
 * Step-by-Step Interactive Training when it is running on x64-based systems - Download the update:
   <http://www.microsoft.com/downloads/details.aspx?FamilyId=591265a7-e7f4-409f-992b-84d954824ba8>

If a user is logged on with administrative user rights, an attacker who 
successfully exploited this vulnerability could take complete control of 
an affected system. An attacker could then install programs; view, change, 
or delete data; or create new accounts with full user rights. Users whose 
accounts are configured to have fewer user rights on the system could be 
less impacted than users who operate with administrative user rights. 
However, user interaction is required to exploit this vulnerability.


Mitigating Factors for Interactive Training Vulnerability - CAN-2005-1212:
 * In a Web-based attack scenario, an attacker would have to host a Web 
site that contains a Web page that is used to exploit this vulnerability. 
An attacker could also try to compromise a Web site to have it deliver a 
Web page that contains malicious content to try to exploit this 
vulnerability. An attacker would have no way to force users to visit a Web 
site. Instead, an attacker would have to persuade them to visit the Web 
site, typically by getting them to click a link that takes them to the 
attacker's Web site or to a Web site that has been compromised by the 
attacker.
 * An attacker who successfully exploited this vulnerability could gain 
the same user rights as the local user. Users whose accounts are 
configured to have fewer user rights on the system could be less impacted 
than users who operate with administrative user rights.
 * By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML 
e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and 
Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the 
Outlook E-mail Security Update has been installed. Outlook Express 5.5 
Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if 
Microsoft Security Bulletin MS04-018 has been installed. The Restricted 
sites zone helps reduce attacks that could try to exploit this 
vulnerability.
 * The risk of attack from the HTML e-mail vector can be significantly 
reduced if you meet all the following conditions:
   * Apply the update that is included with Microsoft Security Bulletin 
MS03-040 or a later Cumulative Security Update for Internet Explorer.
   * Use Internet Explorer 6 or a later version.
   * Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook 
Express 6 or a later version, or use Microsoft Outlook 2000 Service Pack 2 
or a later version in its default configuration.
 * The vulnerability could not be exploited automatically through e-mail. 
For an attack to be successful, a user must open an attachment that is 
sent in an e-mail message or must click a link that is provided in an 
e-mail message.
 * The following e-mail management best practices can help mitigate this 
vulnerability:
   * Discourage users from opening file attachments that have file name 
extensions that are not familiar. The relevant file name extensions (.cbo, 
.cbl, .cbm) are not ordinarily used in e-mail and should be treated with 
caution.
  * Discourage users from opening file attachments from untrusted sources.

What is a bookmark link file?
Bookmark link files are created by using the Step-by-Step Interactive 
Training user interface. These files allow a user the ability to quickly 
and easily link to a particular topic. Bookmark link files are text files 
that contain the information that is required by Step-by-Step Interactive 
Training to view a topic.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially 
crafted message and sending the message to an affected system. The message 
could then cause the affected system to execute code.

There are several additional ways that an attacker could try to exploit 
this vulnerability. However, user interaction is required to exploit this 
vulnerability in each of these ways. Some examples follow:
 * An attacker could exploit the vulnerability by constructing a malicious 
Step-by-Step Interactive Training bookmark file (a .cbo, .cbl, or .cbm 
file) and then persuading the user to open the file.
 * An attacker could send a malicious file as an attachment to a user 
through e-mail and then convince the user to open the attachment.
 * An attacker could host a malicious Web site that is designed to exploit 
this vulnerability through Internet Explorer and then persuade a user to 
view the Web site.
 * In a Web-based attack scenario, an attacker would have to host a Web 
site that contains a Web page that is used to exploit this vulnerability. 
An attacker could also try to compromise a Web site to have it deliver a 
Web page that contains malicious content to try to exploit this 
vulnerability. An attacker would have no way to force users to visit a Web 
site. Instead, an attacker would have to persuade them to visit the Web 
site, typically by getting them to click a link that takes them to the 
attacker's Web site or to a Web site that has been compromised by the 
attacker.

What systems are primarily at risk from the vulnerability?
Any operating system where Step-by-Step Interactive Training is installed 
is at risk from this vulnerability. Because this software is typically 
installed only on client systems, servers would typically not be at risk 
from the vulnerability.

Workarounds for Interactive Training Vulnerability - CAN-2005-1212:
Microsoft has tested the following workarounds. While these workarounds 
will not correct the underlying vulnerability, they help block known 
attack vectors. When a workaround reduces functionality, it is identified 
in the following section.

 * Disable the handler for Step-by-Step Interactive Training bookmark link 
files by removing the related registry keys.
Delete these keys to help reduce attacks. This workaround helps reduce 
attacks by preventing Step-by-Step Interactive Training from automatically 
opening the affected file types. The content can still be opened from 
within the Step-by-Step Interactive Training user interface.

   * Important: This bulletin contains information about how to modify the 
registry. Make sure to back up the registry before you modify it. Make 
sure that you know how to restore the registry if a problem occurs. For 
more information about how to back up, restore, and modify the registry, 
see Microsoft Knowledge Base Article 256986 
<http://support.microsoft.com/kb/256986>.

   Warning: Serious problems might occur if you modify the registry 
incorrectly by using Registry Editor or by using another method. These 
problems might require that you reinstall your operating system. 
Microsoft cannot guarantee that these problems can be solved. Modify the 
registry at your own risk.

   1. Click Start, click Run, type regedt32, and then click OK.

   2. In Registry Editor, locate the following registry subkeys:

HKEY_CLASSES_ROOT\.cbl (for Microsoft Press Interactive Training)
HKEY_CLASSES_ROOT\.cbm (for Interactive Training)
HKEY_CLASSES_ROOT\.cbo (for Microsoft Interactive Training)

   3. For each subkey that is found, click the subkey, and then press 
DELETE.

   4. In the Confirm Key Delete dialog box, click OK.

These actions can also be performed at a command prompt by using the 
following commands in the order that is specified here:

reg.exe export HKCR\.cbl c:\cbl.reg
reg.exe delete HKCR\.cbl /f
reg.exe export HKCR\.cbm c:\cbm.reg
reg.exe delete HKCR\.cbm /f
reg.exe export HKCR\.cbo c:\cbo.reg
reg.exe delete HKCR\.cbo /f

Impact of Workaround:
Step-by-Step Interactive Training bookmark files can no longer be opened. 
The content can still be opened from within the Step-by-Step Interactive 
Training user interface.

 * Do not open or save Step-by-Step Interactive Training bookmark link 
files (.cbo, .cbl, .cbm) that you receive from untrusted sources.
This vulnerability could be exploited when a user opens a .cbo, .cbl, or 
.cbm file. Do not open files that use these file name extensions. This 
workaround does not cover other vectors of attack such as Web browsing.

 * Help prevent e-mail attacks by blocking Step-by-Step Interactive 
Training bookmark link files (.cbo, .cbl, .cbm).
This vulnerability could be exploited when a user views a .cbo, .cbl, or 
.cbm file. To help block these files by using Outlook and Outlook Express, 
see Microsoft Knowledge Base Article 837388 
<http://support.microsoft.com/kb/837388> and Microsoft Knowledge Base 
Article 291387 <http://support.microsoft.com/kb/291387>. Enterprise 
customers should consider adding Step-by-Step Interactive Training files 
(.cbo, .cbl, .cbm) to the list of unsafe files that are blocked by 
enterprise gateway e-mail filters.

Note When you block these files through e-mail, you are not preventing 
attacks that use other vectors.
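The attachment block the workaround above asks gateway operators to add, shown as an added PowerShell example that is not part of the MS05-031 bulletin. It inspects MIME part headers for attachment names whose final extension is .cbo, .cbl or .cbm, handling folded headers, mixed-case extensions and RFC 2231 `filename*=` parameters; the sample message is constructed for this example and `Test-BlockedAttachment` is a hypothetical helper name.

```powershell
# Added example, not part of the MS05-031 bulletin: the attachment check a
# mail gateway or quarantine-review script would apply to implement the
# block-list advice above. Test-BlockedAttachment is a hypothetical helper.

$blockedExt = 'cbo', 'cbl', 'cbm'
# Matches name= / filename= / filename*= parameters (quoted or bare) on
# Content-Type and Content-Disposition headers, case-insensitively, and only
# when the blocked extension is the final extension of the attachment name
# (so "lesson.cbo.txt" is not flagged but "lesson.CBO" is).
$pattern = '(?im)^(?:Content-Disposition|Content-Type):.*?(?:file)?name\*?\s*=\s*"?[^";\r\n]*\.(' +
           ($blockedExt -join '|') + ')(?=["\s;]|$)'

function Test-BlockedAttachment {
    param([string]$RawMessage)
    # Unfold RFC 5322 header continuation lines so parameters split across
    # lines are matched as one header line.
    $unfolded = $RawMessage -replace '\r?\n[ \t]+', ' '
    [regex]::Matches($unfolded, $pattern) |
        ForEach-Object { $_.Groups[1].Value.ToLower() } |
        Sort-Object -Unique
}

# Constructed sample: a multipart message carrying a bookmark file whose name
# appears on a folded Content-Disposition header with a mixed-case extension.
$sampleMessage = @"
From: sender@example.test
To: user@example.test
Subject: training bookmark
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

please open the attached bookmark
--b1
Content-Type: application/octet-stream; name="lesson.CBO"
Content-Disposition: attachment;
 filename="lesson.CBO"
Content-Transfer-Encoding: base64

QUJD
--b1--
"@

$hits = Test-BlockedAttachment -RawMessage $sampleMessage
if ($hits) {
    Write-Host ("Blocked attachment extension(s): " + ($hits -join ', '))
} else {
    Write-Host 'No blocked attachment types found.'
}
```

To review a folder of exported .eml files instead of the embedded sample, pipe `Get-ChildItem -Filter *.eml` through `Get-Content -Raw` into `Test-BlockedAttachment`. The check looks only at declared attachment names, which is what the bulletin's block-list advice covers; it does not inspect content, so a renamed file is outside its scope, as the bulletin's own note about other vectors already says.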

 * Remove Step-by-Step Interactive Training.
Removing Step-by-Step Interactive Training will help prevent attacks.

To remove Step-by-Step Interactive Training, follow these steps:

  * Click Start, click Run, and type
%windir%\IsUninst.exe -x -y -a -f"%windir%\orun32.isu"

Note You may have to replace "orun32.isu" with "mrun32.isu" or 
"lrun32.isu," depending on the version of Step-by-Step Interactive 
Training that is installed. If you have several of these versions 
installed, you must remove them all.

Impact of Workaround:
After you remove the Step-by-Step Interactive Training application, any 
applications that depend on Step-by-Step Interactive Training will fail.

 * Remove Step-by-Step Interactive Training by using the Add or Remove 
Programs tool in Control Panel.

To manually remove Step-by-Step Interactive Training from a system, follow 
these steps.

 1. Click Start, point to Settings, and then click Control Panel.

 2. Double-click Add or Remove Programs.

 3. In the Add or Remove Programs dialog box, click the name of the 
affected program and then click Remove.

Note Affected versions are "Microsoft Press Interactive Training" and 
"Interactive Training." However, removing these programs may not be a 
complete workaround, because "Microsoft Interactive Training" does not 
create an Add or Remove Programs entry. "Microsoft Interactive Training" 
is based on the Orun32.exe file. Therefore, you must also manually verify 
that the Orun32.exe file is not present on your system.

 4. Follow the instructions to complete the removal.

Impact of Workaround:
After you remove the Step-by-Step Interactive Training application, any 
applications that depend on Step-by-Step Interactive Training will fail.

 * Delete or rename the Step-by-Step Interactive Training .ini program 
file.

If Step-by-Step Interactive Training cannot be removed by using the 
methods that are documented in this section of the security bulletin, you 
may be able to help prevent attacks by deleting or renaming the physical 
file.

Delete or rename the %windir%\Orun32.ini file.

Note You may have to replace "Orun32.ini" with "Mrun32.ini" or "Lrun32.ini" 
depending on the version of Step-by-Step Interactive Training that is 
installed.

Impact of Workaround:
After you disable the Step-by-Step Interactive Training application, any 
applications that depend on Step-by-Step Interactive Training may fail.
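The registry and removal workarounds above are manual steps. As an added PowerShell example that is not part of the MS05-031 bulletin, the following script audits a host for the components those workarounds refer to (the .cbl/.cbm/.cbo handler keys under HKCR and the Orun32/Mrun32/Lrun32 engine, .ini and .isu files in %windir%) and, only when run with `-Remediate`, applies the registry workaround using the same export-then-delete sequence as the bulletin's reg.exe commands. The `-Remediate` switch, the `$BackupDir` default and the output layout are this example's own assumptions.

```powershell
# Added example, not part of the MS05-031 bulletin: audit a host for the
# Step-by-Step Interactive Training handler keys and engine files named in the
# workarounds, and optionally apply the registry workaround with a backup.
# Run from an elevated prompt, Windows PowerShell 3.0 or later.
param(
    [switch]$Remediate,
    [string]$BackupDir = "$env:SystemRoot\Temp\ms05-031-backup"   # assumed backup location
)

# Extensions whose shell handlers the bulletin says to disable.
$extensions  = '.cbl', '.cbm', '.cbo'
# Engine files named in the bulletin's removal and rename workarounds.
$engineFiles = 'Orun32.exe', 'Mrun32.exe', 'Lrun32.exe',
               'Orun32.ini', 'Mrun32.ini', 'Lrun32.ini',
               'orun32.isu', 'mrun32.isu', 'lrun32.isu'

$findings = @()

foreach ($ext in $extensions) {
    $keyPath = "Registry::HKEY_CLASSES_ROOT\$ext"
    if (Test-Path -Path $keyPath) {
        # The key's default value is the ProgID the shell launches for the extension.
        $progId = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Type = 'Handler'; Item = "HKCR\$ext"; Detail = $progId }
    }
}

foreach ($name in $engineFiles) {
    $path = Join-Path -Path $env:SystemRoot -ChildPath $name
    if (Test-Path -Path $path) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = (Get-Item $path).LastWriteTime }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Step-by-Step Interactive Training handler keys or engine files found.'
    return
}

$findings | Format-Table -AutoSize | Out-Host

if ($Remediate) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($handler in $findings | Where-Object { $_.Type -eq 'Handler' }) {
        $ext    = $handler.Item -replace '^HKCR\\', ''
        $backup = Join-Path -Path $BackupDir -ChildPath ($ext.TrimStart('.') + '.reg')
        # reg.exe export prompts when the target file exists, so clear any old backup first.
        Remove-Item -Path $backup -Force -ErrorAction SilentlyContinue
        & reg.exe export "HKCR\$ext" $backup | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Export of HKCR\$ext failed; leaving the key in place."
            continue
        }
        # Same effect as "reg.exe delete HKCR\<ext> /f" in the bulletin.
        Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\$ext" -Recurse -Force
        Write-Host "Removed HKCR\$ext (backup: $backup)"
    }
}
```

Without `-Remediate` the script only reports, which is the form to run across a fleet first: a host that lists no handler keys and no engine files is not exposed through the bookmark-file vector, while a host that lists an .exe or .ini without a handler key still has the engine installed and falls under the removal or rename workarounds rather than the registry one. The key is deleted only after a successful export so the .reg file can be re-imported if a training title later needs the association back.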

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1212> 
CAN-2005-1212


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS05-031.mspx>



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 



