Bugtraq mailing list archives

RE: [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow


From: "Eric Lawrence" <ericlaw () Exchange Microsoft com>
Date: Tue, 24 Jun 2003 14:59:57 -0700

To further restrict the potential impact of coding flaws in ActiveX
controls, consider sitelocking.  
Sitelocking can help prevent your control from being illegitimately used
elsewhere.

http://msdn.microsoft.com/downloads/samples/internet/default.asp?url=/downloads/samples/internet/components/SiteLock/default.asp

-Eric
This posting is provided "AS IS" with no warranties, and confers no
rights.

-----Original Message-----
From: Chris Wysopal [mailto:weld () vulnwatch org] 
Sent: Tuesday, June 24, 2003 1:51 PM
To: Jason Coombs
Subject: RE: [Symantec Security Advisor] Symantec Security Check ActiveX
Buffer Overflow



On Tue, 24 Jun 2003, Jason Coombs wrote:

1) Does this ActiveX control bear a digital signature? If so, the 
problem it causes does not go away simply because there is a new 
version available from Symantec. An attacker in possession of the bad 
code with its attached digital signature can fool a victim whose 
computer does not currently have the vulnerable code installed into 
trusting the ActiveX control due to the fact that Symantec's digital 
signature will validate against the trusted root CA certificate 
present by default in Windows -- the existence of the digital 
signature on the bad code effectively transfers ownership of millions 
of other people's computers to anyone who should become interested in 
attacking those computers; it is extremely important that Symantec 
take further action above and beyond compiling a new version of the
affected code because of the ongoing threat posed for the duration of
the validity of the digital signature.

You are absolutely right about attackers using the old control to carry
out an attack.

The new control should have a new CLSID and the kill bit should be set
for the old control's CLSID.  Information from the Microsoft knowledge
base on how to set the kill bit is here:

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q240/7/97.asp&NoWebContent=1

Unfortunately the only way to get this kill bit to be set on the
majority of machines is to get Microsoft to do it through a Windows
update. Until that happens the old signed control can be used by
attackers.

This is the real flaw in the system.  The kill bit is only useful to
Microsoft as Symantec has no way of getting all Windows users to set
this bit on the bad CLSID before they are attacked.  Perhaps Microsoft
should allow other vendors to send them CLSIDs to kill.  Or maybe they
already do allow this but it is not publicized.

-Chris


Sincerely,

Jason Coombs
jasonc () science org
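Added example, not written by anyone in this thread: a PowerShell script that sets and verifies the ActiveX kill bit for a CLSID using the registry location the knowledge base article Chris links describes (Compatibility Flags = 0x400 under the ActiveX Compatibility key). The CLSID below is a placeholder, since the affected control's real CLSID is not given in the thread; the script assumes it is run with administrative rights.

```powershell
# Added example (not from this thread). Sets the ActiveX kill bit for a CLSID by
# writing Compatibility Flags = 0x400 under the ActiveX Compatibility key, which is
# the mechanism the linked KB article (Q240797) describes. Requires admin rights.

# Placeholder CLSID: the affected control's real CLSID is not given in the thread.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

$KillBit = 0x400

function Get-KillBitPaths {
    param([string]$Clsid)
    # Both the native view and (on x64) the WOW6432Node view, since 32-bit IE reads the latter.
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Test-KillBit {
    param([string]$Clsid)
    # Returns $true only if every applicable registry view has the 0x400 bit set.
    foreach ($p in Get-KillBitPaths $Clsid) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or (($flags -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

function Set-KillBit {
    param([string]$Clsid)
    foreach ($p in Get-KillBitPaths $Clsid) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # Preserve any other compatibility flags already present; only OR in the kill bit.
        $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$existing) -bor $KillBit
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

Set-KillBit $Clsid
if (Test-KillBit $Clsid) { "Kill bit set for $Clsid" } else { "Kill bit NOT set for $Clsid" }
```

Test-KillBit alone is enough to audit a machine for a CLSID you have already been told to block; Internet Explorer must be restarted before the change takes effect.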
