Vulnerability Note VU#165022

Microsoft Log Sink Class ActiveX control incorrectly marked "safe for scripting"

Original Release date: 27 Jun 2005 | Last revised: 29 Jun 2005

Overview

The Microsoft Log Sink Class ActiveX control is incorrectly marked safe for scripting. This may allow a remote attacker to create or append to arbitrary files on a vulnerable system.

Description

ActiveX

ActiveX is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Internet Explorer is a common Windows application that makes use of ActiveX controls.

ActiveX safety determination

Internet Explorer determines if an ActiveX control is safe by querying the IObjectSafety interface of the object and by querying the Implemented Categories registry key for the control, as specified by Microsoft Knowledge Base Article 216434 and the MSDN ActiveX safety article.

ActiveX security options

Through either the IObjectSafety interface or the appropriate registry values, an ActiveX control can be marked as "safe for scripting" and/or "safe for initialization." According to the MSDN article Signing and Marking ActiveX Controls:

    If you mark your control as safe for initializing, you are asserting that no matter what values are used to initialize your control, it won't do anything that would damage a user's system or compromise the user's security.

    If you mark your control as safe for scripting, you are asserting that your control won't do anything to damage a user's system or compromise the user's security, regardless of how your control's methods and properties are manipulated by the Web page's script. In other words, it has to accept any method calls (with any parameters) and/or property manipulations in any order without doing anything bad.
The MSDN article Designing Secure ActiveX Controls states:
    Controls are marked as not safe for scripting or data initialization by default. Don't implement them unless the functionality of the control is hampered without them.
Log Sink Class ActiveX control

The Log Sink Class ActiveX control is provided by the Microsoft SharePoint Portal Server Core Objects Library, pkmcore.dll. This file is provided by several Microsoft products, including Office XP, Visio 2002, and SharePoint Portal Server 2001 client. The Log Sink Class ActiveX control has the ability to create files on the local file system.

The Problem

The Microsoft Log Sink Class ActiveX control can create or append to arbitrary files on the local file system, but it is marked as "safe for scripting" and "safe for initialization" via the IObjectSafety interface.

Impact

By convincing a victim to click on a link in an HTML document (web page, HTML email), an attacker could create or append to arbitrary files on a vulnerable system within the security context of the user running IE. These files could contain code that could be executed through other means. The user may click the file inadvertently, or the file may be placed in a sensitive location, such as the Windows Startup folder.
Please note that this vulnerability is being actively exploited.

Solution

Install an update

Office XP users should install the Office XP Update October 12, 2004, which addresses this issue. This update may also be installed via Office Update.

Visio 2002 users should install Visio 2002 Service Pack 2. This update may also be installed via Office Update.

SharePoint Portal users should install SharePoint Portal Server 2001 Service Pack 2. Client systems should install the client components for SharePoint Portal Server 2001 SP2.

Please note that because the vulnerable component is not provided by the Windows operating system, these updates are not available via Windows Update.


Disable Active scripting and ActiveX

Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. With ActiveX controls disabled, the Log Sink Class ActiveX control will not be instantiated. With Active scripting disabled, the Log Sink Class ActiveX control cannot be scripted by a web site to create files automatically. Instructions for disabling Active scripting and ActiveX in the Internet Zone can be found in the Malicious Web Scripts FAQ.

Note that disabling Active scripting and ActiveX controls in the Internet Zone will reduce the functionality of some web sites.

Apply the Outlook Email Security Update

Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6. Outlook 2003 includes these and other security enhancements.

Read and send email in plain text format

Outlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Use a different web browser

There have been a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE or other ActiveX controls frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected24 Jun 200527 Jun 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by Microsoft.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CAN-2005-0360
  • Date Public: 13 Jan 2003
  • Date First Published: 27 Jun 2005
  • Date Last Updated: 29 Jun 2005
  • Severity Metric: 38.31
  • Document Revision: 21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.