Subject: [NT] PowerPoint 2000 Information Disclosure Vulnerability (MS06-010)
Date: 15 Feb 2006 11:21:49 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  PowerPoint 2000 Information Disclosure Vulnerability (MS06-010)
------------------------------------------------------------------------


SUMMARY

An attacker who successfully exploits this information disclosure 
vulnerability in PowerPoint could attempt to remotely access objects in 
the Temporary Internet Files Folder (TIFF) explicitly by name.

This vulnerability would not allow an attacker to execute code or to 
elevate their user rights directly, but it could be used to produce useful 
information that can be utilized to try and further compromise the 
affected system.

DETAILS

Vulnerable Systems:
 * Microsoft Office 2000 Service Pack 3
 * PowerPoint 2000
 Download the update: 
<http://www.microsoft.com/downloads/details.aspx?familyid=E51B27C8-2F31-4E99-B868-CE626FED5B7D>

Immune Systems:
 * Microsoft Office XP Service Pack 3
 * PowerPoint 2002
 * Microsoft Office 2003 Service Pack 1 or Service Pack 2
 * PowerPoint 2003

Mitigating Factors for PowerPoint Temporary Internet Files Information 
Disclosure Vulnerability - CVE-2006-0004 
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0004>:
In a Web-based attack scenario, an attacker would have to host a Web site 
that contains a Web page that is used to exploit this vulnerability. An 
attacker would have no way to force users to visit a malicious Web site. 
Instead, an attacker would have to persuade them to visit the Web site, 
typically by getting them to click a link that takes them to the 
attacker's Web site.

Workarounds for PowerPoint Temporary Internet Files Information Disclosure 
Vulnerability - CVE-2006-0004 
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0004>:
Microsoft has tested the following workarounds. While these workarounds 
will not correct the underlying vulnerability, they help block known 
attack vectors. When a workaround reduces functionality, it is identified 
in the following section.

Back up and remove the vnd.ms-powerpoint MIME type
Removing the vnd.ms-powerpoint registry key helps protect the affected 
system from attempts to exploit this vulnerability. To backup and remove 
the vnd.ms-powerpoint registry key, follow these steps:

Note Using Registry Editor incorrectly can cause serious problems that may 
require you to reinstall your operating system. Microsoft cannot guarantee 
that problems resulting from the incorrect use of Registry Editor can be 
solved. Use Registry Editor at your own risk. For information about how to 
edit the registry, view the "Changing Keys And Values" Help topic in 
Registry Editor (Regedit.exe) or view the "Add and Delete Information in 
the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

 1. Click Start, click Run, type "regedit" (without the quotation marks), 
and then click OK.
 2. Expand HKEY_CLASSES_ROOT\MIME\Database\Content Type, and then 
click application/vnd.ms-powerpoint.
 3. Click File, and then click Export.
 4. In the Export Registry File dialog box, type a file name in the File 
Name box, and then click Save.
 5. Click Edit, and then click Delete to remove the registry key.
 6. In the Confirm Key Delete dialog box, you receive an "Are you sure you 
want to delete this key and all of its subkeys" message. Click Yes.

Impact of Workaround: This workaround removes the MIME entry point for 
PowerPoint.

Configuration of Internet Explorer to open Office documents in the 
appropriate Office program instead of in Internet Explorer

 1. Open My Computer.
 2. On the Tools menu (or the View menu), click Folder Options (or click 
Options).
 3. Click the File Types tab.
 4. In the Registered file types list, click the specific Office document 
type (for example, Microsoft Excel Worksheet), and then click Advanced (or 
click Edit).
 5. In the Edit File Type dialog box, click to clear the Browse in same 
window check box (or click to clear the Open Web documents in place check 
box).
 6. Click OK.

Note If you are running Terminal Server on Windows 2000 or Windows Server 
2003, you may not be able to click Advanced to open the Edit File Type 
dialog box in step 4 of this procedure. This issue occurs if the 
NoFileAssociate policy is enabled. Enabling this policy prevents users 
(including administrators) from changing file type associations for all 
users. For additional information about this behavior, see Microsoft 
Knowledge Base Article 257592: 
<http://support.microsoft.com/kb/257592/>

Impact of Workaround: This workaround configures Internet Explorer to open 
Office files in the appropriate Office program.
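The two workarounds above are given as Registry Editor and Folder Options click-paths. The following PowerShell script is an added example (not part of the Microsoft bulletin or the SecuriTeam post) that performs the first workaround the same way the steps do, exporting the application/vnd.ms-powerpoint MIME key before deleting it, and audits the second. It assumes reg.exe is available, an elevated prompt, and that the "Browse in same window" / "Open Web documents in place" checkbox is backed by the BrowserFlags value on the document ProgID (8 meaning "open in the Office program"); the ProgID names and the default backup path are assumptions.

```powershell
# Added example: automate the MS06-010 MIME-type workaround with a backup,
# then report whether PowerPoint document types open in PowerPoint or in IE.
param(
    [string]$BackupPath = "$env:TEMP\vnd.ms-powerpoint-$(Get-Date -Format yyyyMMddHHmmss).reg",
    [switch]$Remove   # without -Remove the script only audits, changes nothing
)

$MimeKey = 'HKCR\MIME\Database\Content Type\application/vnd.ms-powerpoint'

function Test-MimeKeyPresent {
    # reg.exe query returns a non-zero exit code when the key does not exist
    & reg.exe query "$MimeKey" 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Backup-And-RemoveMimeKey {
    if (-not (Test-MimeKeyPresent)) {
        Write-Output "MIME key already absent; nothing to do."
        return
    }
    # Steps 3-4 of the procedure: export the key so it can be restored later
    & reg.exe export "$MimeKey" "$BackupPath" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export failed; key left in place." }
    Write-Output "Backup written to $BackupPath"
    # Steps 5-6: delete the key and all of its subkeys without prompting
    & reg.exe delete "$MimeKey" /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Delete failed." }
    Write-Output "Removed $MimeKey (restore with: reg import `"$BackupPath`")"
}

function Get-BrowseInPlaceStatus {
    # Assumed ProgIDs for PowerPoint 97-2003 documents; BrowserFlags = 8 is
    # assumed to be the registry form of a cleared "Browse in same window" box
    foreach ($progId in 'PowerPoint.Show.8', 'PowerPoint.Slide.8', 'PowerPoint.SlideShow.8') {
        $item  = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId" `
                                  -Name BrowserFlags -ErrorAction SilentlyContinue
        $flags = if ($item) { $item.BrowserFlags } else { $null }
        $state = if ($flags -eq 8) { 'opens in PowerPoint' } else { 'may open inside IE' }
        [pscustomobject]@{ ProgId = $progId; BrowserFlags = $flags; State = $state }
    }
}

if ($Remove) { Backup-And-RemoveMimeKey }
Write-Output ("MIME key present after run: " + (Test-MimeKeyPresent))
Get-BrowseInPlaceStatus | Format-Table -AutoSize
```

Run it once without -Remove to see the current state, and with -Remove to apply the first workaround; the printed reg import command reverses it.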

FAQ for PowerPoint Temporary Internet Files Information Disclosure 
Vulnerability - CVE-2006-0004 
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0004>:
What is the scope of the vulnerability?
This is an Information Disclosure vulnerability. An attacker who 
successfully exploited this vulnerability could remotely attempt to access 
objects in the Temporary Internet Files Folder (TIFF) explicitly by name. 
Note that this vulnerability would not allow an attacker to execute code 
or to elevate their user rights directly, but it could be used to produce 
useful information that could be used to try to further compromise the 
affected system.

What causes the vulnerability?
This issue is caused by the interaction between PowerPoint and Internet 
Explorer when PowerPoint attempts to render HTML data.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site 
that contains a PowerPoint presentation that is used to attempt to exploit 
this vulnerability. An attacker would have no way to force users to visit 
a malicious Web site. Instead, an attacker would have to persuade them to 
visit the Web site, typically by getting them to click a link that takes 
them to the attacker's site.

If the user is enticed into clicking the PowerPoint presentation, the 
attacker's malicious script will run and can attempt to access objects in 
the Temporary Internet Files Folder (TIFF) explicitly by name.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be 
at more risk if users who do not have sufficient administrative 
permissions are given the ability to log on to servers and to run 
programs. However, best practices strongly discourage allowing this.

What does the update do?
The update modifies PowerPoint such that, when the user clicks on a 
PowerPoint presentation on a Web site, PowerPoint warns the user that the 
presentation about to be opened may be unsafe. In such a case, the user 
may then cancel opening the presentation.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
No. Microsoft received information about this vulnerability through 
responsible disclosure. Microsoft had not received any information to 
indicate that this vulnerability had been publicly disclosed when this 
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security.
The original article can be found at: 
<http://www.microsoft.com/technet/security/Bulletin/MS06-010.mspx>


