Nomen Posted November 14, 2014

> The IBM X-Force Research team has identified a significant data manipulation vulnerability (CVE-2014-6332) with a CVSS score of 9.3 in every version of Microsoft Windows from Windows 95 onward. We reported this issue with a working proof-of-concept exploit back in May 2014, and today, Microsoft is patching it. It can be exploited remotely since Microsoft Internet Explorer (IE) 3.0. This complex vulnerability is a rare, “unicorn-like” bug found in code that IE relies on but doesn’t necessarily belong to. The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free.
>
> What Does This Mean?
>
> First, this means that significant vulnerabilities can go undetected for some time. In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years. Looking at the original release code of Windows 95, the problem is present. With the release of IE 3.0, remote exploitation became possible because it introduced Visual Basic Script (VBScript). Other applications over the years may have used the buggy code, though the inclusion of VBScript in IE 3.0 makes it the most likely candidate for an attacker. In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32).
>
> http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VGNwwPnF-Sq

Correct me if I'm wrong, but I don't see oleaut32.dll as being a win-9x file. I've scanned my system for that file and have found many different versions, but none of them with the traditional or expected file-date of 4/23/99. I don't think that file exists on (any) win-98 CD. The one I have in c:\windows is version 2.40.4518 (october 2003).

I would imagine that we'll see a patch for the POS2009 version of XP (which should be available now?) and should be easily ported to regular XP systems. Has anyone had a look at it to see if it can be used on win-98?
dajhorn Posted November 14, 2014

> Correct me if I'm wrong, but I don't see oleaut32.dll as being a win-9x file. I've scanned my system for that file and have found many different versions, but none of them with the traditional or expected file-date of 4/23/99. I don't think that file exists on (any) win-98 CD. The one I have in c:\windows is version 2.40.4518 (october 2003).

This file was usually installed with Internet Explorer or the Visual Studio runtimes. Although it was not bundled in early releases, it eventually became a standard system component, so avoiding it will be difficult.

> I would imagine that we'll see a patch for the POS2009 version of XP (which should be available now?) and should be easily ported to regular XP systems. Has anyone had a look at it to see if it can be used on win-98?

The oleaut32.dll file in POSReady 2009 was updated by this patch:

* https://support.microsoft.com/kb/3006226

File: C:\windows\system32\oleaut32.dll
Date: Friday, October 17, 2014, 8:17:56 PM
Version: 5.1.2600.6663
MD5: 02e2f13ba0e52e41f5e0fb768e11b604
SHA256: 43a4d942709dac1059c89dcd5239448bfad155e5b7cb2fc49a3539b8c93473df

The schannel files were updated last Patch Tuesday too.

> Has anyone had a look at it to see if it can be used on win-98?

Watch for it here:

* http://www.htasoft.com/u98sesp/
jaclaz Posted November 14, 2014

> We reported this issue with a working proof-of-concept exploit back in May 2014, and today, Microsoft is patching it.

I'll just bookmark this as an antonym to "in a timely fashion".

jaclaz
submix8c Posted November 14, 2014 (edited)

Yes, it does exist in Win98SE. Unless you lited/removed from Source.

PRECOPY2.CAB -> LAYOUT.INF -> WIN98_39.CAB
Installed to: WINDOWS\SYSTEM\oleaut32.dll
Size: 598,288 bytes
Date/Time: 4/23/99 22:22:00
Version: 2.40.4275.1

Yours appears to be integrated/upgraded to Internet Explorer 6 SP1.

OAINST.CAB (installed to same folder)
Size: 929,792 bytes
Date/Time: 03/16/2001
Version: 2.40.4518.0

Latest one that functions with Win98SE (I have it on my 98SE):
Version: 2.40.4520
http://www.msfn.org/board/topic/135336-updated-ie6-crashes-and-other-issues/#entry865847
Note the TechNet link is here:
https://technet.microsoft.com/library/security/ms08-008
Also included in Win98SE AutoPatcher Dec08Upgrade.
Also included in Win98SE USP3.33 (inside SP3.CAB).

The MS Article link http://support.microsoft.com/kb/3006226 will do no good for 98SE, so forget it (see above links). Just an FYI.

Edited November 14, 2014 by submix8c
ROTS Posted November 14, 2014

Let's update this bug to current NT6 OSes. Let's be honest. Microsoft purposely crafted bugs in their OS.
rloew Posted November 16, 2014

The following Patch will disable the specific function involved.

OLEAUT32.DLL 2.40.4518.0
29E90: 83EC14538B5C241C -> B80D000280C20800
loblo Posted November 16, 2014

> The following Patch will disable the specific function involved.
>
> OLEAUT32.DLL 2.40.4518.0
> 29E90: 83EC14538B5C241C -> B80D000280C20800

Breaks the execution of the only vbscript I use.
herbalist Posted November 16, 2014 (edited)

On mine, the version is 2.40.4522. As far as I know, it works fine. It contains the same hex string, but at 2A050. This version came from the 98 unofficial service pack, sesp21a-en.exe

Edited November 16, 2014 by herbalist
rloew Posted November 16, 2014

> > The following Patch will disable the specific function involved.
> >
> > OLEAUT32.DLL 2.40.4518.0
> > 29E90: 83EC14538B5C241C -> B80D000280C20800
>
> Breaks the execution of the only vbscript I use.

Until a proper fix can be made, something had to give.
Microsoft's workaround was to disable VBScript entirely.
dencorso Posted November 16, 2014

Well, in any case, none of the versions mentioned above are actually the latest. In fact, it's complicated... But it turns out that the latest OLEAUT32.DLL that works with Win 9x/ME is: v. 2.40.4520.0 from MS08-008 (KB946235) !!!

OLEAUT32.DLL v.2.40.4520.0, with PE Timestamp of 12/3/2007, is actually *newer* than v. 2.40.4522.0, which has a PE Timestamp of 06/20/2003 !!!

I've discussed it at some length here and here. And, since this subject ends up touching on PE Timestamps, let me point out my own little tool to read them may be of help: Here's another link to it: PETmStp.7z
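Two points in this thread call for the same small check: dajhorn's post lists the MD5/SHA256 of the patched POSReady 2009 file, and dencorso's post above shows that the file version alone can mislead (2.40.4520.0 has a later PE link timestamp than 2.40.4522.0). The script below is an added example, not dencorso's PETmStp tool or any poster's code. It uses only the Python standard library, reads the COFF TimeDateStamp straight from the PE header, hashes the file, and compares against the published hashes. The script name oleaut_inventory.py and the version label passed on the command line are assumptions; the script does not parse the VS_VERSIONINFO resource, and the only entry in its hash table is the one dajhorn posted. The build_sample_pe helper constructs a minimal, non-executable PE header so the logic can be exercised without a real DLL.

```python
"""Inventory helper for oleaut32.dll copies: PE link timestamp plus MD5/SHA256.

Added example for this thread; not a tool from any poster. Standard library only.
The known-hash table is copied from dajhorn's post (POSReady 2009 file, version
5.1.2600.6663); the version string is supplied by the caller because this script
does not parse the VS_VERSIONINFO resource.
"""
import hashlib
import struct
import sys
from datetime import datetime, timezone

KNOWN_HASHES = {
    "5.1.2600.6663": {
        "md5": "02e2f13ba0e52e41f5e0fb768e11b604",
        "sha256": "43a4d942709dac1059c89dcd5239448bfad155e5b7cb2fc49a3539b8c93473df",
    },
}


def pe_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def pe_timestamp_iso(image: bytes) -> str:
    """Link timestamp rendered as a UTC date, for answering 'which build is newer'."""
    stamp = datetime.fromtimestamp(pe_timestamp(image), tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S UTC")


def newest_by_timestamp(images: dict) -> str:
    """Given {label: image_bytes}, return the label with the latest link timestamp."""
    return max(images, key=lambda label: pe_timestamp(images[label]))


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 hex digests, the two values dajhorn published."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_known(data: bytes, version: str) -> bool:
    """True only if both MD5 and SHA256 equal the published values for that version."""
    expected = KNOWN_HASHES.get(version)
    if expected is None:
        return False
    return file_hashes(data) == expected


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed, non-executable PE header (DOS header + signature + COFF header) for offline tests."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, 0, 0)  # Machine = i386, TimeDateStamp = timestamp
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Usage (assumed script name): python oleaut_inventory.py C:\WINDOWS\SYSTEM\oleaut32.dll [more files...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, pe_timestamp_iso(blob), file_hashes(blob)["sha256"])
```

Run over every oleaut32.dll copy found on a machine, the timestamp column orders the builds the way dencorso describes, and a hash match (or mismatch) against the published values settles whether a given file is the one the update shipped rather than a renamed or repackaged copy.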
Nomen Posted November 17, 2014

> Well, in any case, none of the versions mentioned above are actually the latest. In fact, it's complicated... :crazy: But it turns out that the latest OLEAUT32.DLL that works with Win 9x/ME is: v. 2.40.4520.0 from MS08-008 (KB946235) !!!

I take it that you are indicating the package which can be downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=11782

Or this direct link: http://download.microsoft.com/download/8/c/a/8cada3d5-e737-4a5d-8c27-e1fbc4c32be7/VB6-KB946235-x86-ENU.exe

Which contains several different OS-specific versions of oleaut32.dll (NT4, 2K, Server 2003, XP and Vista). I believe you are indicating that the NT4 version (2.40.4520) is the one (the last one) that works with 9x/ME. The 2k version is 2.40.4532 - and we know it to NOT work with 98?

Interestingly, the XP-SP1 version (3.50.5022.0) says this in the comments section:

"Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems"

?
dencorso Posted November 17, 2014

> I believe you are indicating that the NT4 version (2.40.4520) is the one (the last one) that works with 9x/ME.

Yes!
submix8c Posted November 17, 2014 (edited)

Huh!

> Latest one that functions with Win98SE (I have it on my 98SE):
> Version: 2.40.4520
> http://www.msfn.org/...es/#entry865847
> Note the TechNet link is here:
> https://technet.micr...curity/ms08-008
> Also included in Win98SE AutoPatcher Dec08Upgrade.
> Also included in Win98SE USP3.33 (inside SP3.CAB).

USP3.33 = Unofficial Service Pack 3 (successor to sesp21a).

Technet link specifically points to "Microsoft Visual Basic 6.0 Service Pack 6 (KB946235)".

FYI: those are designated as "Unofficial", including the one listed on MDGx. Note that it's a "repackage". The one to use from the VB6 update is the "oant4.dll" and *not* the "oant4ts.dll" (Terminal Server) one.

Also note that many NT files were specifically designed (apparently) with Win9x (i.e. Win95) in mind and work on either OS. Take a look at the properties of some of them if you feel like that may not be true (specifically a Win95 OS).

Hope this clarifies the confusion.

edit: And I do believe this whole "version" subject ("which is newer?") has been brought up before.

Edited November 17, 2014 by submix8c
MiKl Posted November 17, 2014

> > > The following Patch will disable the specific function involved.
> > >
> > > OLEAUT32.DLL 2.40.4518.0
> > > 29E90: 83EC14538B5C241C -> B80D000280C20800
> >
> > Breaks the execution of the only vbscript I use.
>
> Until a proper fix can be made, something had to give.
> Microsoft's workaround was to disable VBScript entirely.

In oleaut.dll 4520 the same string is located at 29f20. I suppose I can use the fix for this version as well?
rloew Posted November 17, 2014

> > > > The following Patch will disable the specific function involved.
> > > >
> > > > OLEAUT32.DLL 2.40.4518.0
> > > > 29E90: 83EC14538B5C241C -> B80D000280C20800
> > >
> > > Breaks the execution of the only vbscript I use.
> >
> > Until a proper fix can be made, something had to give.
> > Microsoft's workaround was to disable VBScript entirely.
>
> In oleaut.dll 4520 the same string is located at 29f20. I suppose I can use the fix for this version as well?

Probably.
As long as the string appears only once and in this area, it will probably work.
It will not work on XP+ Files.
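rloew's condition for reusing the patch on another build (the 8-byte sequence must occur exactly once, near the offsets the thread reports) is exactly the kind of thing that should be checked by a script rather than by eye in a hex editor. The script below is an added example, not rloew's or any other poster's tool. The two byte strings are the ones rloew posted for 2.40.4518.0; the offsets for 2.40.4520 and 2.40.4522 are the ones MiKl and herbalist reported. The script name oleaut_patch.py, the ".patched" output suffix and the build_sample_image helper (a constructed stand-in for a DLL) are assumptions. It never writes over the input, reports whether a file is in the original, patched or unknown (for example XP+) state, and refuses to patch when the sequence is missing, duplicated or found at an unexpected offset.

```python
"""Check and apply the single-site OLEAUT32.DLL byte patch from this thread.

Added example, not rloew's own tool. Byte strings are from rloew's post for
2.40.4518.0; offsets for 2.40.4520/2.40.4522 are the ones MiKl and herbalist
reported. Patching is refused unless the original sequence appears exactly once,
which is the condition rloew gives for the patch to be usable on another build.
"""
import sys
from pathlib import Path

ORIGINAL = bytes.fromhex("83EC14538B5C241C")
# My decoding of the replacement: mov eax, 0x8002000D ; ret 8 -- the function
# returns an error code immediately instead of running its body.
PATCHED = bytes.fromhex("B80D000280C20800")
KNOWN_OFFSETS = {"2.40.4518.0": 0x29E90, "2.40.4520.0": 0x29F20, "2.40.4522.0": 0x2A050}


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs (overlapping matches included)."""
    hits, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def locate_patch_site(data: bytes, expected_offset=None) -> int:
    """Offset of the one ORIGINAL sequence; ValueError if absent, duplicated or misplaced."""
    hits = find_all(data, ORIGINAL)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, found {len(hits)} at {[hex(h) for h in hits]}")
    if expected_offset is not None and hits[0] != expected_offset:
        raise ValueError(f"match at {hits[0]:#x}, expected {expected_offset:#x}; wrong build?")
    return hits[0]


def patch_status(data: bytes) -> str:
    """'original', 'patched', or 'unknown' (neither sequence present, e.g. an XP+ oleaut32.dll)."""
    if data.find(ORIGINAL) >= 0:
        return "original"
    if data.find(PATCHED) >= 0:
        return "patched"
    return "unknown"


def apply_patch(data: bytes, expected_offset=None) -> bytes:
    """Return a patched copy; the input bytes are never modified in place."""
    assert len(ORIGINAL) == len(PATCHED), "in-place patch must not change the file size"
    off = locate_patch_site(data, expected_offset)
    out = bytearray(data)
    out[off:off + len(PATCHED)] = PATCHED
    return bytes(out)


def build_sample_image(copies: int = 1, at: int = 0x100) -> bytes:
    """Constructed stand-in for a DLL: NOP filler with ORIGINAL placed `copies` times from offset `at`."""
    body = bytearray(b"\x90" * at)
    for _ in range(copies):
        body += ORIGINAL + b"\xCC" * 16
    return bytes(body)


if __name__ == "__main__":
    # Usage (assumed name): python oleaut_patch.py OLEAUT32.DLL [version]  -> writes OLEAUT32.DLL.patched
    src = Path(sys.argv[1])
    expected = KNOWN_OFFSETS.get(sys.argv[2]) if len(sys.argv) > 2 else None
    data = src.read_bytes()
    print("status before:", patch_status(data))
    if patch_status(data) == "original":
        dest = src.with_suffix(src.suffix + ".patched")
        dest.write_bytes(apply_patch(data, expected))
        print("wrote", dest)
```

Passing the version string makes the script also insist on the offset the thread reports for that build, which catches a file that merely happens to contain the same eight bytes somewhere else; omitting it keeps only the "exactly once" rule. Keep the unpatched file, since loblo's report shows the patch breaks some VBScript until a proper fix exists.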