I received the following mail today. It is an information notice from Microsoft that is sent via a distribution list to people who have registered for it. The address for this mailing list can also be found at the end of this notice. Anyone who wants to register in order to be notified when security patches for all Microsoft products are released can do so there.
----------------------------------------------------------------------
Title:     Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning (Q326568)
Date:      04 September 2002
Software:  Microsoft Visual FoxPro 6.0
Impact:    Attacker could gain control over user's system.
Max Risk:  Moderate
Bulletin:  MS02-049
Issue:
======
In general, when a product installs, it should register itself with Internet Explorer. This allows the product to specify how Internet Explorer should handle files associated with it when referenced from a web page - for instance, it allows the product to specify whether the user should be presented with a warning dialogue before such a file is opened.
Visual FoxPro 6.0 does not perform this registration, and this gives rise to a situation in which a web page could automatically launch a Visual FoxPro application (i.e., an .app file). In most cases, this would not result in a security vulnerability - because of the way Visual FoxPro 6.0 evaluates file names, FoxPro itself could be started but the .app file would typically not run. However, if the filename of the application were constructed in a particular way, a second error (associated with how Visual FoxPro 6.0 evaluates application filenames) could not only start FoxPro but allow the application to execute.
The vulnerability could be exploited by creating a web page that references a Visual FoxPro application, and either hosting it on a web site or sending it to a user as an HTML mail. If the user had installed Visual FoxPro 6.0 - or had installed a product that includes the Visual FoxPro 6.0 runtime - and the filename of the application was constructed in a particular way, the application would execute. This would enable the application to not only interrogate databases, but also issue system commands in the user's security context.
Mitigating Factors:
====================
- The vulnerability could only be exploited if Visual FoxPro 6.0 (or the Visual FoxPro 6.0 runtime) is installed on the system. Other products, and other versions of Visual FoxPro, are not affected by the vulnerability.
- The most privileges the application could gain would be those of the user. If the user were operating in a less-privileged context, it would limit the damage that the application could cause.
Acknowledgment:
===============
- Cristobal Bielza and Juan Carlos G. Cuartango from Instituto Seguridad Internet (http://www.instisec.com)
----------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below:

Send an email to unsubscribe to the Service by following these steps:
a. Send an e-mail to securrem@microsoft.com. The subject line and the message body are not used to process the subscription request, and can be anything you like.
b. Send the e-mail.
c. You will receive a response, asking you to verify that you really want to cancel your subscription. Compose a reply, and put "OK" in the message body. (Without the quotes). Send the reply.
d. You will receive an e-mail telling you that your name has been removed from the subscriber list.
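The bulletin's Issue section turns on whether a file type is registered so that Internet Explorer knows to warn before opening it. The following PowerShell audit is an added example, not part of the bulletin or the forum post; it assumes that the "confirm open after download" behaviour is governed by the FTA_OpenIsSafe bit (0x10000) in the EditFlags value of the extension's ProgID under HKEY_CLASSES_ROOT, and reports what the shell registration says for a given extension.

```powershell
# Added example (not from the bulletin): report whether a file extension is
# registered such that Internet Explorer would prompt before opening it.
# Assumption: the prompt is controlled by FTA_OpenIsSafe (0x10000) in the
# ProgID's EditFlags value; a set bit means "open without confirmation".
$FTA_OpenIsSafe = 0x10000

function Get-OpenConfirmationStatus {
    param([Parameter(Mandatory)][string]$Extension)

    $result = [ordered]@{ Extension = $Extension; ProgId = $null; EditFlags = $null; Status = $null }
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path -LiteralPath $extKey)) {
        $result.Status = 'extension not registered with the shell'
        return [pscustomobject]$result
    }
    # The extension key's default value names the ProgID (e.g. "txtfile").
    $progId = (Get-ItemProperty -LiteralPath $extKey -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrEmpty($progId)) {
        $result.Status = 'no ProgID: shell has no handling instructions for this type'
        return [pscustomobject]$result
    }
    $result.ProgId = $progId
    $flags = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId" `
              -Name EditFlags -ErrorAction SilentlyContinue).EditFlags
    if ($null -eq $flags) {
        $result.Status = 'EditFlags absent: confirmation prompt expected (default)'
        return [pscustomobject]$result
    }
    # EditFlags may be stored as REG_DWORD (Int32) or REG_BINARY (byte[]);
    # normalise both to an unsigned 32-bit value before testing the bit.
    if ($flags -is [byte[]]) { $flags = [BitConverter]::ToUInt32($flags, 0) }
    $flags = [uint32]([int64]$flags -band 0xFFFFFFFF)
    $result.EditFlags = '0x{0:X8}' -f $flags
    if (($flags -band $FTA_OpenIsSafe) -ne 0) {
        $result.Status = 'FTA_OpenIsSafe set: opens without confirmation'
    } else {
        $result.Status = 'FTA_OpenIsSafe clear: confirmation prompt expected'
    }
    return [pscustomobject]$result
}

# .app is the Visual FoxPro application extension named in the bulletin; .txt is
# included only as a reference point for a type most systems mark safe to open.
'.app', '.txt' | ForEach-Object { Get-OpenConfirmationStatus -Extension $_ } | Format-Table -AutoSize
```

Run it on a machine that has Visual FoxPro 6.0 or its runtime installed, before and after applying the MS02-049 update, to see how the registration for .app changes.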