The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Vulnerability in JView Profiler Could Allow Remote Code Execution
(MS05-037)
------------------------------------------------------------------------
SUMMARY
A COM object, the JView Profiler (Javaprxy.dll), when instantiated in
Internet Explorer, contains a remote code execution vulnerability that
could allow an attacker to take complete control of an affected system.
Since the JView Profiler COM object was not designed to be accessed
through Internet Explorer, this update sets the kill bit for the JView
Profiler (Javaprxy.dll) COM object.
If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.
DETAILS
Affected Software:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE)
* Microsoft Windows Millennium Edition (ME)
Affected Components:
* JView Profiler
* Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service
Pack 4
<http://www.microsoft.com/downloads/details.aspx?FamilyId=25982E02-EC6D-44CE-82DE-12DDEF1ADDD6>
(Update)
* Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service
Pack 4
<http://www.microsoft.com/downloads/details.aspx?FamilyId=2A506C16-01EF-4060-BCF8-6993C55840A9>
Update
* Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack
1
<http://www.microsoft.com/downloads/details.aspx?FamilyId=C1381768-6C6D-4568-97B1-600DB8798EBF>
(Update)
* Internet Explorer 6 for Microsoft Windows XP Service Pack 2
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F368E231-9918-4881-9F17-60312F82183F>
(Update)
* Internet Explorer 6 for Microsoft Windows Server 2003
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F368E231-9918-4881-9F17-60312F82183F>
(Update)
* Microsoft Windows Server 2003 Service Pack 1
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F368E231-9918-4881-9F17-60312F82183F>
(Update)
* Microsoft Windows Server 2003 for Itanium-based Systems
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D785F9AB-DBE9-4272-A87E-64205690F98E>
(Update)
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D785F9AB-DBE9-4272-A87E-64205690F98E>
(Update)
* Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=68209225-A682-4008-A22B-881C401486F7>
(Update)
* Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=80EFD9A8-7EE9-4B0B-8517-559C49614AB7>
(Update)
* Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium
Edition
* Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, 98 SE or
Millennium Editions.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2087>
CAN-2005-2087
Mitigating Factors for JView Profiler Vulnerability - CAN-2005-2087:
In a Web-based attack scenario, an attacker would have to host a Web site
that contains a Web page that is used to exploit this vulnerability. An
attacker would have no way to force users to visit a malicious Web site.
Instead, an attacker would have to persuade them to visit the Web site,
typically by getting them to click a link that takes them to the
attacker's Web site.
An attacker who successfully exploited this vulnerability could gain the
same user rights as the local user. Users whose accounts are configured to
have fewer user rights on the system could be less impacted than users who
operate with administrative user rights.
The Microsoft Java Virtual Machine is not included in the following
software by default:
* Windows XP Service Pack 1a and Windows XP Service Pack 2
* Windows Server 2003 and Windows Server 2003 Service Pack 1
However, the Microsoft Java Virtual Machine may have been installed by an
application. It could also be present as a result of upgrading the
operating system. Customers can use the MSJVM
<http://www.microsoft.com/downloads/details.aspx?familyid=4e38f4f9-ce7e-4271-8836-a7d7293a992f>
Diagnostic Tool, which is available from the
<http://www.microsoft.com/mscorp/java/> Microsoft Java Virtual Machine Support
page. Customers can use this tool to perform remote and local scans to detect
for the presence of MSJVM and MSJVM-related software. See the How do I know if
I have the Javaprxy.dll on my system? question in the FAQ section of this
document for more information.
The Restricted sites zone helps reduce attacks that could try to exploit
this vulnerability by preventing ActiveX controls from being used when
reading HTML e-mail. However, if a user clicks on a link within an e-mail
they could still be vulnerable to this issue through the Web-based attack
scenario described previously.
Workarounds for JView Profiler Vulnerability - CAN-2005-2087:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. The workarounds are mutually exclusive so users need only
apply one to be secure. When a workaround reduces functionality, it is
identified in the following section.
Set Internet and Local intranet security zone settings to High to prompt
before running ActiveX controls in these zones:
You can help protect against this vulnerability by changing your settings
for the Internet security zone to prompt before running ActiveX controls.
You can do this by setting your browser security to High.
To raise the browsing security level in Microsoft Internet Explorer,
follow these steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then
click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets
the security level for all Web sites you visit to High.
Note If no slider is visible, click Default Level, and then move the
slider to High.
Repeat steps 1 through 3 for the Local intranet security zone by clicking
on the Local intranet icon.
Note Setting the level to High may cause some Web sites to work
incorrectly. If you have difficulty using a Web site after you change this
setting, and you are sure the site is safe to use, you can add that site
to your list of trusted sites. This will allow the site to work correctly
even with the security setting set to High.
Impact of Workaround: User will be prompted prior to running ActiveX
controls unless the Web site is in the user s list of trusted sites.
Configure Internet Explorer to prompt before running or ActiveX controls
or disable ActiveX controls in the Internet and Local intranet security
zone:
You can help protect against this vulnerability by changing your settings
to prompt before running ActiveX controls or disable ActiveX controls in
the Internet and Local intranet security zone. To do this, follow these
steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then
click the Internet icon.
3. Click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run
ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under Run
ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
Impact of Workaround: There are side effects to prompting before running
ActiveX controls. Many Web sites that are on the Internet or on an
intranet use ActiveX to provide additional functionality. For example, an
online e-commerce site or banking site may use ActiveX controls to provide
menus, ordering forms, or even account statements. Prompting before
running ActiveX controls is a global setting that affects all Internet and
intranet sites. You will be prompted frequently when you enable this
workaround. For each prompt, if you feel you trust the site that you are
visiting, click Yes to run ActiveX controls.
Un-register the Javaprxy.dll COM Object:
To un-register Javaprxy.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 /u javaprxy.dll" (without the
quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has
succeeded. Click OK to close the dialog box.
3. Close Internet Explorer, and reopen it for the changes to take effect.
Impact of Workaround: Applications that require the Microsoft Java Virtual
Machine may no longer function correctly.
To undo this change, re-register Javaprxy.dll by following the above
steps. Replace the text in Step 1 with regsvr32
%windir%\system32\javaprxy.dll (without the quotation marks).
Modify the Access Control List on Javaprxy.dll to be more restrictive:
To modify the Access Control List (ACL) on Javaprxy.dll to be more
restrictive, follow these steps:
1. Click Start, click Run, type "cmd" (without the quotation marks), and
then click OK.
2. Type the following command at a command prompt. Make a note of the
current ACLs that are on the file (including inheritance settings) for
future reference in case you have to undo this modification:
cacls %windir%\system32\javaprxy.dll
3. Type the following command at a command prompt to deny the everyone
group access to this file:
cacls %windir%\system32\javaprxy.dll /d everyone
4. Close Internet Explorer, and reopen it for the changes to take effect.
Impact of Workaround: Applications that require the Microsoft Java Virtual
Machine may no longer function correctly.
Restrict access to Javaprxy.dll in Internet Explorer by using a Software
Restriction Policy:
To restrict access to Javaprxy.dll in Internet Explorer on Windows XP and
later versions you can create a
<http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx>
Software Restriction Policy. To create this policy, use a registry script or
create a Group Policy setting to block the loading of the Javaprxy.dll.
Note Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee
that problems resulting from the incorrect use of Registry Editor can be
solved. Use Registry Editor at your own risk. For information about how to
edit the registry, view the "Changing Keys And Values" Help topic in
Registry Editor (Regedit.exe) or view the "Add and Delete Information in
the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
We recommend that you back up the registry before you edit it.
Use the following text to create a .reg file to un-register Javaprxy.dll
in Internet Explorer. You can copy the following text, paste it into a
text editor such as Notepad, and then save the file with the .reg file
name extension. Run the .reg file on the vulnerable client.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"TransparentEnabled"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\
Paths\{09687f8a-0ca9-4639-b295-a3f5b5be8fc5}]
"LastModified"=hex(b):50,09,1f,b1,04,4a,c5,01
"Description"="Block javaprxy.dll"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6a,00,61,00,76,00,61,00,70,\
00,72,00,78,00,79,00,2e,00,64,00,6c,00,6c,00,00,00
Impact of Workaround: Applications that require the Microsoft Java Virtual
Machine may no longer function correctly.
Remove the Microsoft Java Virtual Machine from your system using the Java
Removal Tool:
Customers can use the MSJVM
<http://www.microsoft.com/downloads/details.aspx?familyid=4e38f4f9-ce7e-4271-8836-a7d7293a992f>
Diagnostic Tool, available from the <http://www.microsoft.com/mscorp/java/>
Microsoft Java Virtual Machine Support page, to perform remote and local scans
to detect for the presence of MSJVM and MSJVM-related software.
Customers can then use the Java Removal Tool to permanently remove the
Microsoft Java Virtual Machine from their system. For more information
about how to qualify for access to the Java Removal Tool from Microsoft
Product Support Services, see <http://support.microsoft.com/kb/826878>
Microsoft Knowledge Base Article 826878.
Warning: Removing the Microsoft Java Virtual Machine from your system is
permanent. Microsoft cannot provide Windows operating system recovery
media to you that includes the MSJVM for reinstallation. Microsoft no
longer includes the MSJVM in Windows operating system products.
Impact of Workaround: Applications that require the Microsoft Java Virtual
Machine will no longer function correctly.
FAQ for JView Profiler Vulnerability - CAN-2005-2087:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.
What causes the vulnerability?
When Internet Explorer tries to instantiate the JView Profiler
(Javaprxy.dll) COM object as an ActiveX control, it may corrupt system
memory in such a way that an attacker could execute arbitrary code.
What is JView Profiler?
JView Profiler is a debugger interface for Microsoft Java Virtual Machine
(MSJVM). For more information about the Microsoft Java Virtual Machine
(MSJVM), visit the <http://www.microsoft.com/mscorp/java/faq.asp>
Microsoft Java Virtual Machine Web site
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system. In a Web-based attack scenario,
an attacker would host a Web site that exploits this vulnerability. An
attacker would have no way to force users to visit a malicious Web site.
Instead, an attacker would have to persuade them to visit the Web site,
typically by getting them to click a link that takes them to the
attacker's site. It could also be possible to display malicious Web
content by using banner advertisements or by using other methods to
deliver Web content to affected systems.
How could an attacker exploit the vulnerability?
An attacker could host a malicious Web site that is designed to exploit
this vulnerability through Internet Explorer and then persuade a user to
view the Web site.
What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user is logged on and reading e-mail
messages or by visiting Web sites for any malicious action to occur.
Therefore, any systems where e-mail messages are read or where Internet
Explorer is used frequently, such as workstations or terminal servers, are
at the most risk from this vulnerability.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
critically affected by this vulnerability?
Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition
are critically affected by this vulnerability. The security updates are
available from the <http://go.microsoft.com/fwlink/?LinkId=21130> Windows
Update Web site. For more information about severity ratings, visit the
following <http://go.microsoft.com/fwlink/?LinkId=21140> Web site.
What does the update do?
Since the JView Profiler COM object was not designed to be accessed
through Internet Explorer, this update sets the
<http://support.microsoft.com/kb/240797> kill bit for the JView Profiler
(Javaprxy.dll) COM object. To help protect customers who have this object
installed, this update prevents it from being instantiated in Internet
Explorer. For more information about kill bits, see
<http://support.microsoft.com/kb/240797> Microsoft Knowledge Base Article
240797. The class identifier (CLSID) for this object is
03D9F3F2-B0E3-11D2-B081-006008039BF0 .
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned
Common Vulnerability and Exposure number
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2087>
CAN-2005-2087.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received
information that this vulnerability was being exploited.
Does applying this security update help protect customers from the code
that has been published publicly that attempts to exploit this
vulnerability?
Yes. This security update addresses the vulnerability that is being
exploited. The vulnerability that has been addressed has been assigned the
Common Vulnerability and Exposure number
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2087>
CAN-2005-2087.
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
