search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Authenticode mechanism installs ActiveX controls without prompting user

Vulnerability Note VU#838572

Original Release Date: 2003-10-16 | Last Revised: 2003-12-09

Overview

A vulnerability in Microsoft's Authenticode could allow a remote attacker to install an untrusted ActiveX control on the victim's system.

Description

According to Microsoft Security Bulletin MS03-041:

ActiveX is a technology that allows programmers to develop self-contained software modules called controls, that perform a single task or a collection of related tasks. An ActiveX control can be called by programs or web sites that need the functionality it provides.

Authenticode is a technology which allows users to verify the publisher of an ActiveX control. Through its code signing mechanisms, Authenticode identifies the publisher of the signed software and verifies that it hasn't been tampered with, before users download the software to their systems. Based on this knowledge the end user can then make a decision on whether or not to download and install the code.

Normally, Authenticode prompts a user prior to the installation of an ActiveX control. There is a vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with the dialog discussed above. An attacker could exploit this vulnerability by creating a web page or HTML email message that included a malicious ActiveX control.

Impact

A remote attacker may be able to install and execute an unauthorized ActiveX control on the victim's system, thereby allowing the attacker to execute code of their choosing. This code would be executed in the security context of the user who was logged in at the time that the ActiveX control was installed.

Solution

Microsoft has issued a security bulletin and a patch in response to this issue. Users are encouraged to review the information provided in Microsoft Security Bulletin MS03-041 and apply the patches it refers to.

Workarounds

Users who are not able to apply the patches listed above are encouraged to consult the "Workarounds" section of MS03-041.

Vendor Information

838572
 
Affected   Unknown   Unaffected

Microsoft Corporation

Updated:  October 16, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has published Microsoft Security Bulletin MS03-041 in response to this issue. Users are encouraged to review this bulletin and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xerox Corporation

Updated:  December 09, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Some Xerox products are affected by this vulnerability. Please see Xerox's official response for more information. Users are encouraged to review the information provided by the vendor and take appropriate action.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Microsoft for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2003-0660
Severity Metric: 34.73
Date Public: 2003-10-15
Date First Published: 2003-10-16
Date Last Updated: 2003-12-09 16:26 UTC
Document Revision: 7

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.