
Microsoft Security Advisory (972890)



Guest wsxedcrfv

Does anyone know if win-98 is (or could potentially be) vulnerable to this:

http://www.microsoft.com/technet/security/...ory/972890.mspx

Does anyone else think it's a good idea to start a thread (or even a sticky) listing the MS security advisories since June 2006 that:

a) impact or are relevant to windows 98, and

b) are patchable in some way (i.e. using patch files from win-2k)

?



The control won't be IE-version dependent (it's technically not a flaw in ActiveX, but this specific control, so any browser, including IE on Win9x, could be vulnerable to loading it and being affected), and since the Video control was something shipped for Win98, you'd actually be more likely to have it than folks using, say, Windows XP or newer.

So, yes, you could be vulnerable and should act accordingly.


Guest wsxedcrfv
The control won't be IE-version dependent (it's technically not a flaw in ActiveX, but this specific control, so any browser, including IE on Win9x, could be vulnerable to loading it and being affected), and since the Video control was something shipped for Win98, you'd actually be more likely to have it than folks using, say, Windows XP or newer.

Does that mean that the *exact* same exploit code that was designed and tested against XP platforms would also work as intended on 9x systems?

"Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer. By preventing the Microsoft Video ActiveX Control from running in Internet Explorer, there is no impact to application compatibility."

Are they saying that no web site or web-content makes use of this activex control function? So by removing it, I will not experience any loss of viewability of multimedia content?

What about IP web-cams? Many of those cameras make use of activex and java controls for viewing their content streams. Will such functionality be lost if the dll in question is removed from a system?


Does that mean that the *exact* same exploit code that was designed and tested against XP platforms would also work as intended on 9x systems?
Possibly. As for your other questions, the only way to try to answer them is to do some testing. And I think the first one would be, as you yourself suggested, to test the Win 2k hotfix .dll in 9x. Or you can start the way Tihiy proposed, by unregistering and renaming the file. :)

What about IP web-cams? Many of those cameras make use of activex and java controls for viewing their content streams. Will such functionality be lost if the dll in question is removed from a system?
The activex portion of the Microsoft Video Control was written at the time to stream video in the browser via said activex control, but around the same time other controls (like flash and quicktime) took the market and the Microsoft Video control went largely unused for this purpose. Unless you have software which uses it (and most IP web-cams I've seen use a java-based control or flash to display the video), you should remain unaffected by doing something like unregistering the control. Note that this *is* used by some TV capture/display boards and media center-type software (including Windows Media Center on XP, although that won't matter to most folks here), which is why Microsoft recommends disabling just the ActiveX COM CLSID, rather than disabling it entirely. This will cause it to still be useful locally to applications, but it will stop working from the browser.

Guest wsxedcrfv

Why isn't it possible to just rename the file?

I did. It apparently wasn't in use.

MSVIDCTL.DLL

My version is 6.05.00001.900 Built by Directx

File date: July 9, 2004.

This file doesn't seem to be present on the Win-98 CD or part of a default win-98 install.

What exactly makes use of this file? Web surfing? What would be affected if it's missing?

Does this file come as part of DirectX 9x?

More stuff:

http://www.dslreports.com/forum/r22660114-...ility-exploited

Note the following, posted by Millenniumle on page 2 of that thread:

---------

I'm left dumb-founded that Microsoft codes IE to by default examine file content and run files contrary to type. It circumvents IE's own security settings by allowing code to be trivially introduced under the guise of a benign file type.

---------

The IE security setting "Open files based on content, not file extension" does not seem to exist in IE6. What is IE6's behavior in that regard?


Why isn't it possible to just rename the file?
It is, but technically you should leave it registered but disable it via the CLSIDs in the registry. This DLL has uses outside of IE as well, the CLSID is only for the activex control portion of this .dll. Renaming it would technically break any other apps that use it, whereas setting the CLSIDs in the article to "killbit" them will only disable its use in IE.
What exactly makes use of this file? Web surfing? What would be affected if it's missing?
Actually, Windows Media Center and DX9 make use of it, but only if you write software designed to use this COM object. I don't know of any (legitimate) web sites using this for video content. Everyone uses the WMP control, flash, or silverlight at this point.
Does this file come as part of DirectX 9x?
Yes, although it can be installed by other software.
---------

I'm left dumb-founded that Microsoft codes IE to by default examine file content and run files contrary to type. It circumvents IE's own security settings by allowing code to be trivially introduced under the guise of a benign file type.

---------

Blindly trusting a file to report the correct extension for its type is more insecure. Also, checking the type as well as the extension seems like more security, rather than less. In addition, this can be used to verify that the MIME type and the file's contents actually match, rather than blindly trusting the extension and then passing it off to the handler or opening in IE. It's a bit of a security vs usability compromise, and assuming the file type, MIME type, and extension match, why the fuss, really? Lastly, it wasn't intended as a security boundary anyway, it was intended so that bad web devs or web server admins sending the wrong MIME type or extension for a file don't cause IE to fail to open it if it understands the content - that was the real intention, from what I understand.
The IE security setting "Open files based on content, not file extension" does not seem to exist in IE6. What is IE6's behavior in that regard?
This setting was introduced in IE6, but only on XPSP2 (IE6 on W2K and previous platforms only goes up to SP1) and higher. If you're running Win9x, you do not have this option, and IE uses the file type and MIME type passed only.

Here's a .reg file that should set all the killbits. When I say should, I mean it sets the ActiveX killbit for all CLSIDs listed in the Microsoft article, so I'm assuming their list is accurate and complete.

EDIT - Scroll down and get whatever420's .reg file, it has 8 more entries than mine did (which were found by directly extracting the contents of Microsoft's patch).

Queue

Edited by Queue

If you don't use IE (or any app that embeds its engine such as Explorer, Outlook, mshta or hh) for going online and those applications are additionally blocked by your firewall, then you should never need to bother anymore with any newly discovered activeX vulns IMO. Any flaw in that reasoning?


Guest wsxedcrfv

Microsoft has a downloadable patch according to this: http://blogs.technet.com/srd/archive/2009/...vidctl-dll.aspx

Specifically here: http://go.microsoft.com/?linkid=9672398

And specifically this msi file: MicrosoftFixit50287.msi

When I try to install it on my win-98 system, I get this:

======================

Microsoft Fixit 50287

This microsoft fix it does not apply to your operating system or application version.

There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run. Contact your support personnel or package vendor.

====================

I don't know what version of the Windows installer package I have on this particular win-98 machine, but all attempts to download and install v 3.0, 3.1 and 4.5 have failed.

Is there a hack for win-98 that will allow me to run this .msi file?

Just what is the most recent Windows Installer Package (legit or hacked) for win-98 anyways?


Is there a hack for win-98 that will allow me to run this .msi file?

Doubtful...

But... there are apps out there that will let you unpack the MSI file...

MSI Unpacker

I unpacked the MSI file and made a REG file out of the info I found...

There are 8 more KILLBIT entries included in this REG file than in the one Queue posted...

KB972890_msvidctl.dll_Killbits.reg
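
A check for the situation in the posts above, where one killbit .reg file turned out to have fewer entries than another (added example, not part of the original posts and not either poster's file): it parses two REGEDIT4-style files and lists the CLSIDs that are kill-bitted in the longer one but not in the shorter one. The CLSIDs are constructed placeholders, not the ones from the advisory, and the function names are hypothetical; the registry path and the 0x400 "Compatibility Flags" value are the standard IE kill-bit location.

```python
import re

# Standard location of IE's per-control compatibility flags; 0x400 is the kill bit.
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400
KEY_RE = re.compile(r"^\[" + re.escape(BASE) + r"\\(\{[0-9A-F-]{36}\})\]$", re.I)
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.I)

def killbitted_clsids(reg_text):
    """Return the upper-cased CLSIDs whose Compatibility Flags include the kill bit."""
    found, current = set(), None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key starts; keys outside ActiveX Compatibility (or "[-...]"
            # deletions) reset the context so their values are ignored.
            m = KEY_RE.match(line)
            current = m.group(1).upper() if m else None
        elif current:
            m = FLAG_RE.match(line)
            if m and int(m.group(1), 16) & KILL_BIT:
                found.add(current)
    return found

def missing_from(candidate_reg, reference_reg):
    """CLSIDs kill-bitted in the reference file but not in the candidate."""
    return sorted(killbitted_clsids(reference_reg) - killbitted_clsids(candidate_reg))

def entry(clsid, flags):
    """Build one .reg stanza (used only to construct the sample input below)."""
    return '[%s\\%s]\n"Compatibility Flags"=dword:%08x\n\n' % (BASE, clsid, flags)

# Constructed placeholder CLSIDs, NOT the ones from the advisory.
A = "{00000000-0000-0000-0000-00000000000a}"
B = "{00000000-0000-0000-0000-00000000000B}"
C = "{00000000-0000-0000-0000-00000000000C}"

# Shorter file: A is killed, B has a key but the flag is not set, C is absent.
SHORT_REG = "REGEDIT4\n\n" + entry(A, 0x400) + entry(B, 0x0)
# Longer file: all three are killed; 0x401 shows other flag bits may coexist.
LONG_REG = "REGEDIT4\n\n" + entry(A.upper(), 0x400) + entry(B, 0x401) + entry(C, 0x400)

if __name__ == "__main__":
    for clsid in missing_from(SHORT_REG, LONG_REG):
        print("kill bit not set by the shorter file:", clsid)
```

To compare real files, read each one into a string and pass both to `missing_from`; a key that exists without the 0x400 bit is reported the same way as a missing key.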


Guest wsxedcrfv

Why are there so many CLSIDs?

If we're dealing with just one control, why not just one CLSID kill-bit entry?

