Microsoft, CERT disagree on IE patch

A Microsoft patch aimed at fixing a previously discovered ActiveX flaw may not fully protect users against the vulnerability, according to a CERT advisory.

A Microsoft patch aimed at fixing a previously discovered ActiveX flaw may not fully protect users against the vulnerability, according to an advisory issued yesterday by Carnegie Mellon University's Computer Emergency Response Team (CERT).

But in response to the CERT advisory, a Microsoft spokesman today insisted that the patch released by the company on June 2 provides protection against the vulnerability in all circumstances where users follow basic security procedures.

The disagreement involves a little-known but potentially serious flaw that was discovered in mid-April with an ActiveX-based shortcut control in the HTML Help feature built into Microsoft's Internet Explorer Web browser. The shortcuts allow HTML Help files to link to and execute code that helps users understand how to perform certain tasks, said Shawn Hernan, a CERT member.

But under certain conditions — which are described by CERT in its advisory — the feature can be exploited by crackers to plant a malicious help file from a remote location onto a user's system. Basically, "someone who can exploit this vulnerability can (remotely) do anything you can do on your computer" if the conditions apply, Hernan claimed.

Earlier this month, Microsoft's own description of the flaw and announcement of the patch's release acknowledged that attackers exploiting the security hole "could take any actions that the user could take, including adding, changing or deleting data, or communicating with a remote Web site."

Scott Culp, a Microsoft security program manager, said the company's patch eliminates the vulnerability by only allowing an HTML Help file to use shortcuts if the file resides on a user's PC. That should provide ample protection as long as users stick to basic security practices such as having a secure firewall and not accepting files from unknown sources, he said.

The security flaw can only be exploited under certain very rare circumstances and even then only if the user actively downloads a malicious file from a remote location, Culp added. "CERT's advisory oversimplifies the steps that an attacker would need to exploit the flaw," he said. "The scenario they're postulating would open users up to a far broader range of security issues above and beyond this vulnerability."

But in its advisory, CERT claimed the preconditions needed for the vulnerability to be exploited weren't all that uncommon and posed a greater risk than Microsoft describes.

"For some sites, the patch provided by Microsoft is adequate," CERT said in the advisory. "For others, particularly those sites using non-Microsoft networking products, the patch does not provide complete protection." Users need to understand their network's configuration prior to deciding which, if any, changes are required beyond installing the patch, CERT added.