
Another ancient vulnerability reported going back to Win-95


Nomen

Recommended Posts

-----------

The IBM X-Force Research team has identified a significant data manipulation vulnerability (CVE-2014-6332) with a CVSS score of 9.3 in every version of Microsoft Windows from Windows 95 onward.

We reported this issue with a working proof-of-concept exploit back in May 2014, and today, Microsoft is patching it. It can be exploited remotely since Microsoft Internet Explorer (IE) 3.0. This complex vulnerability is a rare, “unicorn-like” bug found in code that IE relies on but doesn’t necessarily belong to. The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free.

What Does This Mean?

First, this means that significant vulnerabilities can go undetected for some time. In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years. Looking at the original release code of Windows 95, the problem is present. With the release of IE 3.0, remote exploitation became possible because it introduced Visual Basic Script (VBScript). Other applications over the years may have used the buggy code, though the inclusion of VBScript in IE 3.0 makes it the most likely candidate for an attacker. In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32).

http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VGNwwPnF-Sq

-------------

Correct me if I'm wrong, but I don't see oleaut32.dll as being a win-9x file. I've scanned my system for that file and have found many different versions, but none of them with the traditional or expected file-date of 4/23/99. I don't think that file exists on (any) win-98 CD. The one I have in c:\windows is version 2.40.4518 (october 2003).

I would imagine that we'll see a patch for the POS2009 version of XP (which should be available now?) and should be easily ported to regular XP systems. Has anyone had a look at it to see if it can be used on win-98?



Correct me if I'm wrong, but I don't see oleaut32.dll as being a win-9x file. I've scanned my system for that file and have found many different versions, but none of them with the traditional or expected file-date of 4/23/99. I don't think that file exists on (any) win-98 CD. The one I have in c:\windows is version 2.40.4518 (october 2003).

 

This file was usually installed with Internet Explorer or the Visual Studio runtimes.  Although it was not bundled in early releases, it eventually became a standard system component, so avoiding it will be difficult.


I would imagine that we'll see a patch for the POS2009 version of XP (which should be available now?) and should be easily ported to regular XP systems. Has anyone had a look at it to see if it can be used on win-98?

 

The oleaut32.dll file in POSReady 2009 was updated by this patch:

 

* https://support.microsoft.com/kb/3006226

 

File: C:\windows\system32\oleaut32.dll

Date: Friday, October 17, 2014, 8:17:56 PM

Version: 5.1.2600.6663

MD5: 02e2f13ba0e52e41f5e0fb768e11b604

SHA256: 43a4d942709dac1059c89dcd5239448bfad155e5b7cb2fc49a3539b8c93473df

 

The schannel files were updated last Patch Tuesday too.


 Has anyone had a look at it to see if it can be used on win-98?

 

Watch for it here:

 

* http://www.htasoft.com/u98sesp/


Yes, it does exist in Win98SE. Unless you lited/removed from Source.

PRECOPY2.CAB->LAYOUT.INF->WIN98_39.CAB

Installed to:

WINDOWS\SYSTEM\oleaut32.dll

Size: 598,288 bytes

Date/Time: 4/23/99 22:22:00

Version: 2.40.4275.1


Yours appears to be integrated/upgraded to Internet Explorer 6 SP1.

OAINST.CAB (installed to same folder)

Size: 929,792 bytes

Date/Time: 03/16/2001

Version: 2.40.4518.0

 

Latest one that functions with Win98SE (I have it on my 98SE):

Version: 2.40.4520

http://www.msfn.org/board/topic/135336-updated-ie6-crashes-and-other-issues/#entry865847

Note the TechNet link is here:

https://technet.microsoft.com/library/security/ms08-008

Also included in Win98SE AutoPatcher Dec08Upgrade.

Also included in Win98SE USP3.33 (inside SP3.CAB).

 

The MS Article link http://support.microsoft.com/kb/3006226 will do no good for 98SE, so forget it (see above links).

 

Just an FYI. ;)

Edited by submix8c

The following Patch will disable the specific function involved.

OLEAUT32.DLL 2.40.4518.0

29E90: 83EC14538B5C241C -> B80D000280C20800

Breaks the execution of the only vbscript I use. :}

Until a proper fix can be made, something had to give.

Microsoft's workaround was to disable VBScript entirely.

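A way to apply the byte patch from the post above while enforcing the precondition given later in the thread (the original byte string must occur exactly once, near the expected offset), as an added Python example that is not code from the thread, from its posters, or from Microsoft. The two byte strings are taken verbatim from the patch line; decoded as x86, the original 83 EC 14 53 8B 5C 24 1C is an ordinary function prologue (sub esp,14h / push ebx / mov ebx,[esp+1Ch]) and the replacement B8 0D 00 02 80 C2 08 00 is mov eax,8002000Dh / ret 8, so the function returns the OLE Automation error DISP_E_ARRAYISLOCKED immediately and cleans up two stack arguments, which is why VBScript code that touches arrays stops working. The thread does not name the function; public advisories for CVE-2014-6332 attribute the bug to SafeArrayRedim. The 4518 and 4520 offsets and the KB3006226 MD5/SHA256 values are the ones quoted in this thread; the hashes are used only to refuse the XP/POSReady build, which a later reply says the patch does not fit. The sample image built by make_sample_image and the command-line behaviour are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Byte strings from the thread's patch line:
#   29E90: 83EC14538B5C241C -> B80D000280C20800
ORIG_BYTES = bytes.fromhex("83EC14538B5C241C")   # sub esp,14h / push ebx / mov ebx,[esp+1Ch]
PATCH_BYTES = bytes.fromhex("B80D000280C20800")  # mov eax,8002000Dh (DISP_E_ARRAYISLOCKED) / ret 8

# File offsets reported in the thread for the two Win9x-compatible builds.
KNOWN_OFFSETS: Dict[str, int] = {
    "2.40.4518.0": 0x29E90,
    "2.40.4520.0": 0x29F20,
}

# Hashes quoted in the thread for the POSReady 2009 (KB3006226) build, version
# 5.1.2600.6663. That is an XP-family file; the byte patch is not meant for it.
KB3006226_HASHES = {
    "md5": "02e2f13ba0e52e41f5e0fb768e11b604",
    "sha256": "43a4d942709dac1059c89dcd5239448bfad155e5b7cb2fc49a3539b8c93473df",
}


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA256 of the whole file, in the form the thread lists them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Every offset at which `pattern` occurs (overlapping matches included)."""
    hits: List[int] = []
    pos = data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def locate_patch_site(data: bytes, expected_offset: Optional[int] = None) -> int:
    """Return the single offset of ORIG_BYTES; refuse if it is absent or ambiguous."""
    hits = find_all(data, ORIG_BYTES)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, found {len(hits)}: "
                         f"{[hex(h) for h in hits]}")
    if expected_offset is not None and hits[0] != expected_offset:
        raise ValueError(f"match at {hits[0]:#x}, expected {expected_offset:#x}")
    return hits[0]


def apply_patch(data: bytes, expected_offset: Optional[int] = None) -> Tuple[bytes, int]:
    """Return (patched image, offset). Does not touch the XP/POSReady build."""
    if file_hashes(data)["sha256"] == KB3006226_HASHES["sha256"]:
        raise ValueError("KB3006226 XP/POSReady build: byte patch does not apply to XP+ files")
    off = locate_patch_site(data, expected_offset)
    patched = bytearray(data)
    patched[off:off + len(ORIG_BYTES)] = PATCH_BYTES
    return bytes(patched), off


def is_patched(data: bytes, offset: int) -> bool:
    """True if the replacement bytes are already in place at `offset`."""
    return data[offset:offset + len(PATCH_BYTES)] == PATCH_BYTES


def patch_rejected(data: bytes, expected_offset: Optional[int] = None) -> bool:
    """True if apply_patch refuses this image (used to exercise the guards)."""
    try:
        apply_patch(data, expected_offset)
        return False
    except ValueError:
        return True


def make_sample_image(offset: int, copies: int = 1) -> bytes:
    """Constructed stand-in for a DLL: zero padding with the prologue bytes at `offset`
    (and, for copies > 1, extra copies 0x40 bytes apart to simulate an ambiguous match)."""
    blob = bytearray(offset + 0x100)
    for i in range(copies):
        site = offset + 0x40 * i
        blob[site:site + len(ORIG_BYTES)] = ORIG_BYTES
    return bytes(blob)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        demo = make_sample_image(KNOWN_OFFSETS["2.40.4518.0"])
        patched, off = apply_patch(demo)
        print(f"constructed image patched at {off:#x}: {is_patched(patched, off)}")
    else:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        print(file_hashes(data))
        print("matches:", [hex(h) for h in find_all(data, ORIG_BYTES)])
        if "--write" in sys.argv:  # dry run unless explicitly asked to write
            patched, off = apply_patch(data)
            with open(sys.argv[1] + ".patched", "wb") as out:
                out.write(patched)
            print(f"wrote {sys.argv[1]}.patched (site {off:#x})")
```

Run without arguments it exercises the constructed image; with a path it only reports hashes and match offsets, and writes a `.patched` copy beside the original only when `--write` is given, so the original file is never modified in place.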

Well, in any case, none of the versions mentioned above are actually the latest. In fact, it's complicated...  :crazy:

But it turns out that the latest OLEAUT32.DLL that works with Win 9x/ME is: v. 2.40.4520.0 from MS08-008 (KB946235) !!!  :w00t:

 

OLEAUT32.DLL v.2.40.4520.0, with PE Timestamp of 12/3/2007, is actually *newer* than v. 2.40.4522.0, which has a PE Timestamp of 06/20/2003 !!! I've discussed it at some length here and here.

 

And, since this subject ends up touching on PE Timestamps, let me point out my own little tool to read them may be of help:

Here's another link to it: PETmStp.7z

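The point of this post is that the file version number and the PE build timestamp can disagree about which OLEAUT32.DLL is newer. The following is an added Python example, not the PETmStp tool linked above or any code from the thread, that reads IMAGE_FILE_HEADER.TimeDateStamp the way any PE timestamp reader does (e_lfanew at 0x3C, then the 4-byte field after the PE signature, Machine and NumberOfSections) and compares two builds by both criteria. The two version strings and dates are the ones quoted in this post; the minimal PE images built by make_sample_pe, and the time-of-day inside the constructed timestamps, are made up for the example.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, Tuple


def pe_timestamp(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header after the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return stamp


def pe_timestamp_utc(image: bytes) -> datetime:
    """The same stamp as an aware UTC datetime."""
    return datetime.fromtimestamp(pe_timestamp(image), tz=timezone.utc)


def is_pe(image: bytes) -> bool:
    """True if the image has a readable MZ/PE header."""
    try:
        pe_timestamp(image)
        return True
    except (ValueError, struct.error):
        return False


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.40.4520.0' -> (2, 40, 4520, 0), so builds compare numerically."""
    return tuple(int(part) for part in version.split("."))


def compare_builds(a: Tuple[str, bytes], b: Tuple[str, bytes]) -> Dict[str, object]:
    """Report which of two (version, image) pairs is newer by version string and by
    PE timestamp, and whether the two orderings agree."""
    (name_a, img_a), (name_b, img_b) = a, b
    by_version = name_a if version_tuple(name_a) > version_tuple(name_b) else name_b
    by_stamp = name_a if pe_timestamp(img_a) > pe_timestamp(img_b) else name_b
    return {"newer_by_version": by_version,
            "newer_by_timestamp": by_stamp,
            "agree": by_version == by_stamp}


def make_sample_pe(stamp: int) -> bytes:
    """Constructed minimal image: MZ header, e_lfanew=0x40, PE signature, COFF header
    with Machine=0x14C (i386), no sections, and the given TimeDateStamp."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, 0x44, 0x14C, 0, stamp)
    return bytes(hdr)


# Dates from the post; the midnight time-of-day is constructed.
STAMP_4520 = int(datetime(2007, 12, 3, tzinfo=timezone.utc).timestamp())
STAMP_4522 = int(datetime(2003, 6, 20, tzinfo=timezone.utc).timestamp())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], pe_timestamp_utc(fh.read()).isoformat())
    else:
        result = compare_builds(("2.40.4520.0", make_sample_pe(STAMP_4520)),
                                ("2.40.4522.0", make_sample_pe(STAMP_4522)))
        print(result)
```

On the constructed pair the report says 2.40.4522.0 is newer by version but 2.40.4520.0 is newer by timestamp, with agree=False, which is exactly the mismatch the post describes. Note that a PE timestamp is only as trustworthy as the build that wrote it; it is a triage hint, not proof of provenance.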

Well, in any case, none of the versions mentioned above are actually the latest. In fact, it's complicated... :crazy:

But it turns out that the latest OLEAUT32.DLL that works with Win 9x/ME is: v. 2.40.4520.0 from MS08-008 (KB946235) !!!

I take it that you are indicating the package which can be downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=11782

Or this direct link: http://download.microsoft.com/download/8/c/a/8cada3d5-e737-4a5d-8c27-e1fbc4c32be7/VB6-KB946235-x86-ENU.exe

Which contains several different OS-specific versions of oleaut32.dll (NT4, 2K, Server 2003, XP and Vista). I believe you are indicating that the NT4 version (2.40.4520) is the one (the last one) that works with 9x/ME. The 2k version is 2.40.4532 - and we know it to NOT work with 98?

Interestingly, the XP-SP1 version (3.50.5022.0) says this in the comments section:

--------

Microsoft OLE 3.50 for Windows NT and Windows 95 Operating Systems

----------

?


Huh! :unsure:

 

Latest one that functions with Win98SE (I have it on my 98SE):

Version: 2.40.4520

http://www.msfn.org/...es/#entry865847

Note the TechNet link is here:

https://technet.micr...curity/ms08-008

Also included in Win98SE AutoPatcher Dec08Upgrade.

Also included in Win98SE USP3.33 (inside SP3.CAB).

USP3.33=Unofficial Service Pack 3 (successor to sesp21a).

Technet link specifically points to "Microsoft Visual Basic 6.0 Service Pack 6 (KB946235)"

 

FYI: those are designated as "Unofficial", including the one listed on MDGx. Note that it's a "repackage". The one to use from the VB6 update is the "oant4.dll" and *not* the "oant4ts.dll" (Terminal Server) one. Also note that many NT files were specifically designed (apparently) with Win9x (i.e. Win95) in mind and work on either OS. Take a look at the properties of some of them if you feel like that may not be true (specifically a Win95 OS). :yes:

 

Hope this clarifies the confusion.

 

edit: And I do believe this whole "version" subject ("which is newer?") has been brought up before.

Edited by submix8c

In oleaut.dll 4520 the same string can be found at 29f20


The following Patch will disable the specific function involved.

OLEAUT32.DLL 2.40.4518.0

29E90: 83EC14538B5C241C -> B80D000280C20800


Breaks the execution of the only vbscript I use. :}
Until a proper fix can be made, something had to give.
Microsoft's workaround was to disable VBScript entirely.

In oleaut.dll 4520 the same string is located at 29f20. I suppose I can use the fix for this version as well?


In oleaut.dll 4520 the same string can be found at 29f20

The following Patch will disable the specific function involved.

OLEAUT32.DLL 2.40.4518.0

29E90: 83EC14538B5C241C -> B80D000280C20800

Breaks the execution of the only vbscript I use. :}
Until a proper fix can be made, something had to give.

Microsoft's workaround was to disable VBScript entirely.

In oleaut.dll 4520 the same string is located at 29f20. I suppose I can use the fix for this version as well?

Probably.

As long as the string appears only once and in this area, it will probably work.

It will not work on XP+ Files.
