Free Republic
News/Activism

Microsoft Internet Explorer "Msdds.dll" Remote Code Execution (Affects XP SP2, etc.)
French Security Incident Response Team | August 17, 2005

Posted on 08/18/2005 1:51:17 AM PDT by HAL9000

FrSIRT Advisory : FrSIRT/ADV-2005-1450
CVE Reference : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-08-17
* Technical Description *

A critical vulnerability was identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands. This issue is due to a memory corruption error when instantiating the "Msdds.dll" (Microsoft Design Tools Diagram Surface) object as an ActiveX control, which could be exploited by an attacker to take complete control of an affected system via a specially crafted Web page.

This vulnerability has been confirmed with Microsoft Internet Explorer 6 SP2 on Windows XP SP2 (fully patched).

Note : It is currently unclear whether the "Msdds.dll" library is installed with Microsoft Office, Microsoft Visual Studio, or with other applications. More information will be provided when further details are available.

* Exploits *

http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php

* Affected Products *

Microsoft Internet Explorer 6 for Microsoft Windows XP SP2
Microsoft Internet Explorer 6 for Microsoft Windows XP SP1

Microsoft Visual Studio .NET 2003
Microsoft Visual Studio .NET 2002

* Solution *

The FrSIRT is not aware of any officially supplied patch for this issue.

* References *

http://www.frsirt.com/english/advisories/2005/1450
http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php

* Credits *

Vulnerability reported by an anonymous person

* ChangeLog *

2005-08-17 : Original Advisory
2005-08-17 : Updated vulnerable products


TOPICS: News/Current Events; Technical
KEYWORDS: microsoft; msdds; msddsddl; windows

1 posted on 08/18/2005 1:51:19 AM PDT by HAL9000
[ Post Reply | Private Reply | View Replies]
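The advisory above describes a memory corruption when Internet Explorer instantiates the Msdds.dll object as an ActiveX control, and notes that it is unclear which products install the library. As an added example that is not part of the advisory or of this post, the following PowerShell script checks whether msdds.dll is present on a machine, finds the CLSIDs registered against it (the advisory gives no CLSID, so the script discovers them from HKCR rather than assuming one), and reports or, with the script's own assumed `-Apply` switch, sets the Internet Explorer kill bit (Compatibility Flags 0x400, per Microsoft KB240797) for each, which stops IE from instantiating the control until a vendor patch is available. The search roots are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the FrSIRT advisory or the thread: inventory msdds.dll
# and the IE kill bit for every COM class it serves. Run from an elevated prompt.
# -Apply is this script's own switch; without it the script only reports.
param([switch]$Apply)

# 1. Is the library on this machine? The advisory says it is unclear which
#    products ship it, so search the usual install roots (assumed locations).
$roots = @($env:SystemRoot, $env:ProgramFiles, $env:CommonProgramFiles)
foreach ($r in $roots) {
    if (-not $r -or -not (Test-Path $r)) { continue }
    Get-ChildItem -Path $r -Filter 'msdds.dll' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { "found {0}  version {1}" -f $_.FullName, $_.VersionInfo.FileVersion }
}

# 2. Which CLSIDs point at it? Walk HKCR\CLSID\{...}\InprocServer32 and match the
#    default value; this recovers the CLSID instead of assuming one.
$clsids = @()
foreach ($k in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    $srv = Get-ItemProperty -Path (Join-Path $k.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
    if ($srv -and $srv.'(default)' -match '(?i)msdds\.dll"?$') { $clsids += $k.PSChildName }
}
if (-not $clsids) { "no CLSID is registered against msdds.dll; nothing to do"; return }

# 3. The kill bit is Compatibility Flags = 0x400 under ActiveX Compatibility\{CLSID}
#    (Microsoft KB240797). 32-bit IE on 64-bit Windows reads the Wow6432Node copy.
$bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility')
foreach ($base in $bases) {
    if (-not (Test-Path (Split-Path $base -Parent))) { continue }   # no Wow6432Node on 32-bit Windows
    foreach ($c in $clsids) {
        $key   = Join-Path $base $c
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $set   = ($flags -band 0x400) -ne 0
        "{0}  {1}  kill bit: {2}" -f $base, $c, $(if ($set) { 'set' } else { 'NOT set' })
        if ($Apply -and -not $set) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
            "    kill bit applied"
        }
    }
}
```

Without `-Apply` the script is read-only and can be run fleet-wide to learn which machines actually carry the library and whether the control is already blocked; the kill bit is a browser-side mitigation and does not change the library itself, so the vendor patch is still needed once it exists.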

To: HAL9000
* Solution *

The FrSIRT is not aware of any officially supplied patch for this issue.

Uhhh thanks I guess....

2 posted on 08/18/2005 1:53:34 AM PDT by Echo Talon (http://echotalon.blogspot.com)
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000

Mozilla.

Nuff Said.


3 posted on 08/18/2005 1:53:39 AM PDT by konaice
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000

The first thing on the Microsoft End User Agreement ought to be this phrase: "Use at your own risk".


4 posted on 08/18/2005 1:55:21 AM PDT by twntaipan (EU: The Eurabian Union?)
[ Post Reply | Private Reply | To 1 | View Replies]

To: twntaipan
The first thing on the Microsoft End User Agreement ought to be this phrase: "Use at your own risk".

At the very least, the disclaimer must read like the one for "Happy Fun Ball".

5 posted on 08/18/2005 2:09:20 AM PDT by Caipirabob (Democrats.. Socialists..Commies..Traitors...Who can tell the difference?)
[ Post Reply | Private Reply | To 4 | View Replies]

To: twntaipan
The first thing on the Microsoft End User Agreement ought to be this phrase: "Use at your own risk".

You mean like:

YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT USE OF THE APPLE SOFTWARE IS AT YOUR SOLE RISK AND THAT THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU. EXCEPT FOR THE LIMITED WARRANTY ON MEDIA SET FORTH ABOVE AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW...SHOULD THE APPLE SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

?

6 posted on 08/18/2005 2:14:23 AM PDT by Leroy S. Mort
[ Post Reply | Private Reply | To 4 | View Replies]

To: HAL9000
I suffered a remote exploit in April and it was devastating. A worm must have opened it up, but a hacker got me good. Took over my machines (5 of them), took away my administrative privileges, changed my tax software and added a smiley face to it for fun after doing a mock return with my name and social security number. Added software to my computer (Sun Microsystems software) and internet printing (I guess to print out my most valuable items).

Took forever to get rid of it as it would not let me delete anything or do any kind of restores. Would format my hard drives and the damn hacker would come back within hours; I thought there was a siren going off every time I fixed my machine.

Turned out that I did not have the latest patch on my Linksys router and the hacker was able to exploit it. Found out when I went to change the password on it for the umpteenth time, and saw it was sending the new password to a website.

Have added a hardware (Soho) Firewall to the existing software firewall, anti-virus and spyware programs, disabled any sort of remote procedure and still do not feel safe.

If it helps, the hacker loved the XP Pro more than the regular XP Home, and was able to do the most damage with it.

7 posted on 08/18/2005 2:30:34 AM PDT by GeorgiaBushie (Undocumented freeper)
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000

More:

FrSIRT Advisory : FrSIRT/ADV-2005-1419
CVE Reference : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-08-16

* Technical Description *

Apple has released security patches to correct multiple vulnerabilities affecting Mac OS X. These flaws could be exploited by remote or local attackers to execute arbitrary commands, cause a denial of service, obtain elevated privileges, or disclose sensitive information.

- A buffer overflow error in the apache htdigest program could be exploited by a remote attacker to execute arbitrary commands.

- Apache restricts access to files in a case sensitive manner, but the HFS+ filesystem accesses files in a case insensitive manner, which could be exploited by remote attackers to read ".ht*" and ".DS_Store" files.

- An error in apache makes it possible to bypass the normal file handlers, which could be exploited by attackers to retrieve file data and resource fork content via HTTP requests.

- A buffer overflow error in AppKit when processing specially crafted rich text files could be exploited by attackers to execute arbitrary commands.

- A buffer overflow error in AppKit when processing specially crafted Word (.doc) files could be exploited to execute arbitrary commands.

- An unspecified error in AppKit could be exploited by malicious users (with physical access) to create additional accounts.

- An error when selecting the "Require pairing for security" option in Bluetooth preferences could cause the System Profiler to be labeled with "Requires Authentication: No.".

- A buffer overflow error in the CoreFoundation framework when handling specially crafted command line arguments could be exploited to execute arbitrary commands.

- An error in CUPS when handling multiple simultaneous print jobs or when receiving a partial IPP request and a client terminates could be exploited by attackers to cause a denial of service.

- A buffer overflow error in Directory Services when handling authentication could be exploited by remote attackers to execute arbitrary commands.

- Multiple errors in the privileged tool "dsidentity" could be exploited by malicious users to add or remove identity user accounts in Directory Services.

- An error in "slpd" could lead to an insecure temporary file creation in the world-writable "/tmp" directory, which could be exploited by local attackers to obtain elevated privileges.

- An error in HItoolbox could cause, under certain circumstances, secure input fields to be disclosed to VoiceOver services.

- A heap overflow error in Kerberos when handling password history could be exploited by local attackers to execute arbitrary code on a Key Distribution Center (KDC).

- Multiple buffer overflow vulnerabilities in Kerberos could be exploited by remote attackers to compromise a KDC or cause a denial of service. For additional information, see : FrSIRT/ADV-2005-1066

- An error in Kerberos authentication when enabled in addition to LDAP could be exploited by attackers to gain "root" privileges.

- An error in the handling of Fast User Switching can allow a local user who knows the password for two accounts to log into a third account without knowing the password.

- An error in Mail.app when used to print or forward HTML messages, could cause the application to load remote images even if a user's preferences disallow it, which may be considered as a privacy leak.

- Multiple errors in MySQL could be exploited by remote authenticated users to execute arbitrary commands.

- Multiple errors in OpenSSL could be exploited by remote attackers to cause a denial of service.

- A buffer overflow error in the "ping" utility could be exploited by local users to obtain elevated privileges.

- An error in QuartzComposerScreenSaver could be exploited by local users to open webpages while the RSS Visualizer screen saver is locked.

- An error in Safari when clicking on a link in a specially crafted rich text file could be exploited by attackers to execute arbitrary commands.

- An error in Safari when handling submitted forms in an XSL formatted page could cause sensitive information to be inadvertently submitted to the wrong site.

- An error in the password assistant when adding multiple accounts could cause the previously suggested passwords to be disclosed.

- A buffer overflow error in the authentication procedure of "servermgrd" could be exploited by remote attackers to execute arbitrary commands.

- An error in the Server Admin tool could cause certain firewall policies to not be written to the Active Rules.

- Multiple input validation errors in SquirrelMail could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser. For additional information, see : FrSIRT/ADV-2005-0800

- A buffer overflow error in the "traceroute" utility could be exploited by local users to obtain elevated privileges.

- An error in Safari when clicking on a link in a specially crafted PDF file could be exploited by attackers to execute arbitrary commands.

- Multiple input validation errors in Weblog Server could be exploited to conduct cross site scripting attacks.

- An integer overflow error in libXPM when handling a specially crafted "bitmap_unit" value could be exploited by attackers to execute arbitrary commands or cause a denial of service. For additional information, see : FrSIRT/ADV-2005-0471

- A buffer overflow error in Zlib when processing malformed data streams could be exploited by attackers to execute arbitrary code. For additional information, see : FrSIRT/ADV-2005-0978

* Affected Products *

Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.3.9
Apple Mac OS X 10.4.2
Apple Mac OS X 10.3.9

* Solution *

Apple Mac OS X 10.3.9 :
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=07801&platform=osx&method=sa/SecUpd2005-007Pan.dmg

Apple Mac OS X 10.4.2 :
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=07794&platform=osx&method=sa/SecUpd2005-007Ti.dmg

Apple Mac OS X Server 10.3.9 :
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=07796&platform=osx&method=sa/SecUpdSrvr2005-007Pan.dmg

Apple Mac OS X Server 10.4.2 :
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=07795&platform=osx&method=sa/SecUpdSrvr2005-007Ti.dmg

* References *

http://www.frsirt.com/english/advisories/2005/1419
http://docs.info.apple.com/article.html?artnum=302163


OOPS, that's for Apple.


8 posted on 08/18/2005 2:35:19 AM PDT by cabojoe
[ Post Reply | Private Reply | To 1 | View Replies]

To: Leroy S. Mort; twntaipan

There aren't a lot of software producers willing to accept liability for consequential damages as a result of bugs.

That reluctance is reasonably well-established as being due to the near impossibility of producing any large application that is 100% free of bugs.

Without that release of liability, virtually no one would be able to publish software without being sued into bankruptcy.

Hence the disclaimers.


9 posted on 08/18/2005 2:40:46 AM PDT by Majic (Temporary taxes are as common as temporary death.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Majic

Exactly. I challenge anyone to show me a software EULA that renders the company producing it liable for bug damage.


10 posted on 08/18/2005 2:45:10 AM PDT by Leroy S. Mort
[ Post Reply | Private Reply | To 9 | View Replies]

To: cabojoe
And how did the security firm that you cut and paste this from find out about the vulnerability? Apple announced them after posting the Security Update 2005-007 which fixed them.

That being said... in the interest of accuracy, Apple also had to fix the fix by releasing Security Update 2005-007 V1.1 because it broke 64 bit applications. ;^)>

11 posted on 08/18/2005 2:59:14 AM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Swordmaker
Hey I'm just trying to be consistent. If Mac users always need to post Windows exploits, I thought I'd start returning the favors. In the interest of having a more amiable relationship between the Mac and Windows people around here, let's try something. Why don't the Mac guys post their exploits and fixes, and Windows users can do the same. I like you guys, but the consistent posting by Mac users of Windows problems seems contrary to this statement:

" Are you so insecure in your choice of computer you have to be insulting to those who have not made the same choice?" 14 posted on 08/18/2005 1:13:16 AM PDT by Swordmaker (Beware of Geeks bearing GIFs.)

12 posted on 08/18/2005 3:13:35 AM PDT by cabojoe
[ Post Reply | Private Reply | To 11 | View Replies]

To: cabojoe
Why don't the Mac guys post their exploits and fixes, and Windows users can do the same. I like you guys, but the consistent posting by Mac users of Windows problems seems contrary to this statement:

This thread was posted by HAL9000 without a negative comment. Your insertion of the Mac Security Update list was obviously intended to be a snide negative comment on the Mac... including your gratuitous "OOPS, that's for Apple."

As for posting Mac vulnerabilities, I beat you to that by at least 48 hours:

Apple Security Update 2005-007

And posted the announcement about the flaw in THAT update as soon as I could after that was announced:

Security Update breaks 64 bit Applications

Which was immediately invaded by PC snobs insulting Mac users, calling us names such as "MacMoonies" and "Mac cultists" and referring to our computers as "Toys".

All of which you are obviously quite aware of because you cut and pasted my comment to Hank Reardon from one of those threads. As I related in that thread, an unbiased assessment of comparable threads shows FAR MORE insults and thread invasions coming from PC users in Mac threads than vice versa. So, your "returned favor" is, I think, a case of the pot calling the kettle black.

13 posted on 08/18/2005 4:04:52 AM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: cabojoe
If Mac users always need to post Windows exploits, I thought I'd start returning the favors.

Incidentally, there is a difference between "exploits" and "vulnerabilities".

Both the Microsoft flaw reported in this thread and the Apple announcements which you posted involve "vulnerabilities" which, to the best of the information available, have not been "exploited" unlike this exploited flaw (offered as a favor to PC users):

Windows Worm Beginning to Spread

14 posted on 08/18/2005 4:12:28 AM PDT by Swordmaker (Beware of Geeks bearing GIFs.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Swordmaker; Hank Rearden

You guys won't change your ways, even when an olive branch is thrown your way. I'm sure I read about the Apple patch two days ago, I just don't happen to find posting it my job, as a Windows user. I'm often more apt to be reading hardware reviews for myself, than worrying about Mac and their security. The mindless needling of Windows users is what causes the hammer to come down like what Hank did tonight. You guys use negative advertising in much the same way as democrats, then you cry like a victim when the hammer comes down. I seriously could care less about a box that is bundled with software. I use boxes that I build, with the AMD 64 processor under freon at -55 C, processor overclocked 22%, ram overclocked 44% and I have no use for a machine that I can't even set my ram timings on, or set my HTT, or my multiplier. I run circles around the best you guys have. Don't worry, you might learn about those things when your switch comes. If you want the bickering to stop...you might just clean up your own backyard.


15 posted on 08/18/2005 5:55:21 AM PDT by cabojoe
[ Post Reply | Private Reply | To 14 | View Replies]

To: GeorgiaBushie
Turned out that I did not have the latest patch on my Linksys router and the hacker was able to exploit it. Found out when I went to change the password on it for the umpteenth time, and saw it was sending the new password to a website.

How did you happen to see this?

16 posted on 08/18/2005 6:03:47 AM PDT by TechJunkYard (my other PC is a 9406)
[ Post Reply | Private Reply | To 7 | View Replies]

To: cabojoe; Swordmaker; Hank Rearden

One thing I have noticed in watching both Apple and Windows threads is that Windows users who complain about Windows act like people who are trapped in some tyrannical state from which they cannot escape, while Apple users are a little more philosophical and believe that, while Apple Computer and the Apple OS are not perfect, it's still the best system out there for what they want to do.


17 posted on 08/18/2005 6:04:54 AM PDT by SlowBoat407 (A living affront to Islam since 1959)
[ Post Reply | Private Reply | To 15 | View Replies]

To: TechJunkYard
When I typed the router address http://192.168.1.1 and changed my password, I would hit the save changes button and a Mozilla web address followed by the new password (I use IE 6) would show up in the address bar; I assume it was going to some website. Had the address written down, but would not be able to locate it right now.

Problem went away after the new patch and the addition of a Soho external fire wall.

Know it had to be a router problem, as the hacker would change the way that I connected to the internet; it gave me a manually configured connection that was way above my expertise.

18 posted on 08/18/2005 6:22:37 AM PDT by GeorgiaBushie (Undocumented freeper)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Swordmaker
"...FAR MORE insults and thread invasions coming from PC users in Mac threads than vice versa."

And I see FAR MORE Windows threads started as flamebait by Mac users than vice versa. I'm serious about improving the relationship between users around here. I was hoping you would see that, even though I did go to an extreme to illustrate it.

19 posted on 08/18/2005 6:30:23 AM PDT by cabojoe
[ Post Reply | Private Reply | To 13 | View Replies]

To: GeorgiaBushie
Also, got so aggravated with the hacker, who took out 5 computers, that I went to buy a new computer. Worked fine, hooked straight to the DSL modem and kept it off the network for two days as I loaded necessary programs. Took it on the network alone, unplugged all other computers, and it got hacked within hours.

The network configuration was changed from the standard Windows one to a VPN after hooking this computer to the router, set up remote procedure calls and changed my admin privileges.

Forgot to mention that the Mozilla address only stayed up for about 8 seconds and the computer would make the noise associated with sending/posting something.

Make any sense?

20 posted on 08/18/2005 6:44:52 AM PDT by GeorgiaBushie (Undocumented freeper)
[ Post Reply | Private Reply | To 18 | View Replies]

