[12774] in bugtraq
Re: Microsoft Security Bulletin (MS99-051) (fwd)
daemon@ATHENA.MIT.EDU (Jim Knoble)
Tue Nov 30 12:18:49 1999
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <19991129220934.A706@quipu.earth>
Date: Mon, 29 Nov 1999 22:09:34 -0500
Reply-To: Jim Knoble <jmknoble@pobox.com>
From: Jim Knoble <jmknoble@POBOX.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.10.9911291742150.19134-100000@www.securityfocus.com>;
from Ben Greenbaum on Mon, Nov 29, 1999 at 05:42:36PM -0800
On 1999-Nov-29 at 17:42:36 -0800, Ben Greenbaum wrote:
: ---------- Forwarded message ----------
: Date: Mon, 29 Nov 1999 17:18:19 -0800
: From: Microsoft Product Security <secnotif@MICROSOFT.COM>
: To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
: Subject: Microsoft Security Bulletin (MS99-051)
:
: The following is a Security Bulletin from the Microsoft Product Security
: Notification Service.
:
: Please do not reply to this message, as it was sent from an unattended
: mailbox.
: ********************************
:
: Microsoft Security Bulletin (MS99-051)
: --------------------------------------
:
: Patch Available for "IE Task Scheduler" Vulnerability
: Originally Posted: November 29, 1999
[...]
: Issue
: =====
[...]
: The IE 5 Task Scheduler controls who can create and submit "AT jobs." The
: utility that is used to create AT jobs can only be run by an administrator,
: and the Task Scheduler will only execute AT jobs that are owned by
: administrators. However, if a malicious user had change access to an
: existing file owned by an administrator (it would not need to be an AT job),
: he or she could modify it to be a valid AT job and place in the appropriate
: folder for execution. This would bypass the control mechanism and allow the
: job to be executed.
:
: This vulnerability would primarily affect machines that allow normal users
: to interactively log onto them. The patch eliminates this vulnerability by
: digitally signing all AT jobs at creation time, and verifying the signature
: at execution time.
Is this really a solution to the problem?  It seems to me that the
actual problem is this part

   if a malicious user had change access to an existing file owned by
   an administrator (it would not need to be an AT job), he or she
   could modify it to be a valid AT job and place in the appropriate
   folder for execution[....]

Isn't that true for most files to which a malicious user has `change'
access?

Regardless of that, how does the patch stop malicious users from
producing AT jobs that have valid signatures and putting them in place?
[...]
: More Information
: ================
: Please see the following references for more information related to this
: issue.
: - Microsoft Security Bulletin MS99-051: Frequently Asked Questions,
: http://www.microsoft.com/security/bulletins/MS99-051faq.asp.
This URL produces the following text:

   Microsoft VBScript runtime error `800a000d'
   Type mismatch: `CInt'
   /security/inc/scripts.txt, line 279

but only with JavaScript turned on.  Without JavaScript, the page is
utterly blank.
: - Microsoft Knowledge Base (KB) article Q246972,
: IE 5 Task Scheduler Allows Privilege Elevation on Windows NT Systems,
: http://support.microsoft.com/support/kb/articles/q245/7/29.asp.
: (NOTE: It may take 24 hours from the original posting of this bulletin
: for this KB article to be visible)
This URL gets me to a KB item entitled `Windows 95 and Windows 98 File
Access URL Update', which has nothing to do with Q246972.
: - Microsoft Security Advisor web site,
: http://www.microsoft.com/security/default.asp.
This URL produces the following text:

   Microsoft VBScript runtime error `800a000d'
   Type mismatch: `CInt'
   /security/inc/scripts.txt, line 279

Is there anywhere that has some actual information about this?
--
jim knoble
jmknoble@pobox.com
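
The control the bulletin describes (sign each job at creation time, verify at execution time) set beside the owner-only check it replaces, as an added example that is not part of the original message or of Microsoft's patch. The bulletin does not say how the signature is computed, so this sketch assumes an HMAC under a key that only the scheduler service can read; SERVICE_KEY, JobFile and the sample job bodies are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: a secret that only the scheduler service can read.
SERVICE_KEY = os.urandom(32)
ADMINS = {"Administrator"}

@dataclass
class JobFile:
    owner: str        # owner as the file system reports it
    body: bytes       # job contents
    tag: bytes = b""  # integrity tag written at creation time

def make_tag(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def create_job(owner: str, body: bytes) -> JobFile:
    """Creation path, reachable only through the administrator-only utility."""
    return JobFile(owner, body, make_tag(body, SERVICE_KEY))

def owner_only_check(job: JobFile) -> bool:
    """Control as described before the patch: run anything an admin owns."""
    return job.owner in ADMINS

def signed_check(job: JobFile) -> bool:
    """Control after the patch: admin-owned and tag matches current contents."""
    return job.owner in ADMINS and hmac.compare_digest(
        job.tag, make_tag(job.body, SERVICE_KEY))

def demo() -> dict:
    legit = create_job("Administrator", b"backup.cmd /nightly")
    changed = b"other.cmd"  # constructed: admin-owned file rewritten via change access
    cases = {
        "created by utility": legit,
        "rewritten, no tag": JobFile("Administrator", changed),
        "rewritten, tag copied from another job":
            JobFile("Administrator", changed, legit.tag),
        "rewritten, tag made without the service key":
            JobFile("Administrator", changed, make_tag(changed, b"guess")),
    }
    return {n: (owner_only_check(j), signed_check(j)) for n, j in cases.items()}

if __name__ == "__main__":
    for name, (old, new) in demo().items():
        print(f"{name:45} owner-only={old!s:5} signed={new}")
```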