Microsoft has patched a “critical” security flaw in the
HTML Help facility in most major versions of its Windows OS, warning that an
unchecked buffer could allow hackers to take control of vulnerable systems.
A security advisory from the Redmond-based
software giant said the ActiveX control in the Windows HTML Help facility
contained the vulnerability, which was detected by Rapid7, Inc.
“One of the functions exposed via the (ActiveX) control contains an
unchecked buffer, which could be exploited by a web page hosted on an
attacker’s site or sent to a user as an HTML mail. An attacker who
successfully exploited the vulnerability would be able to run code in the
security context of the user, thereby gaining the same privileges as the
user on the system,” Microsoft warned.
Affected software includes Windows 98, Windows 98 Second Edition, Windows
ME, Windows NT 4.0, Windows NT 4.0 (Terminal Server Edition), Windows 2000
and the new Windows XP.
The company also warned that a second vulnerability exists because of flaws
associated with the handling of compiled HTML Help (.chm) files that contain
shortcuts.
Because shortcuts allow HTML Help files to take specific action on the
system, only trusted HTML Help files should be allowed to use them. Two
flaws allow this restriction to be bypassed, Microsoft warned.
The HTML Help facility incorrectly determines the Security Zone in the case
where a web page or HTML mail delivers a .chm file to the Temporary Internet
Files folder and subsequently opens it. Instead of handling the .chm file in
the correct zone (the one associated with the web page or HTML mail that
delivered it), Microsoft warned that the HTML Help facility incorrectly
handles it in the Local Computer Zone, considering it trusted and allowing
it to use shortcuts.
“This error is compounded by the fact that the HTML Help facility doesn’t
consider what folder the content resides in. Were it to do so, it could
recover from the first flaw, as content within the Temporary Internet Folder
is clearly not trusted, regardless of the Security Zone it renders in,”
according to the advisory.
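The way the two flaws compound can be shown with a simplified model of the trust decision. This is an added illustration, not code from Microsoft or the advisory; the zone label, function names and sample cache path are assumptions made for the example.

```python
import ntpath  # Windows path semantics, usable on any platform

LOCAL_COMPUTER = "Local Computer"

# Constructed sample location; real cache paths vary per user and Windows version.
UNTRUSTED_DIRS = [
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files",
]


def canon(path):
    """Collapse '.' and '..' segments and fold case (Windows paths are case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))


def in_untrusted_dir(path):
    """True if the file resides in, or anywhere below, a known untrusted folder."""
    p = canon(path)
    for d in UNTRUSTED_DIRS:
        d = canon(d)
        # Require a separator after the prefix so a sibling folder does not match.
        if p == d or p.startswith(d + "\\"):
            return True
    return False


def shortcuts_allowed_zone_only(rendered_zone, path):
    """Models the described behaviour: only the zone is consulted, so a wrong
    zone determination is enough to grant shortcut privileges."""
    return rendered_zone == LOCAL_COMPUTER


def shortcuts_allowed_hardened(rendered_zone, path):
    """Adds the independent folder check the advisory says would have
    recovered from the zone error."""
    return rendered_zone == LOCAL_COMPUTER and not in_untrusted_dir(path)
```

With the zone wrongly reported as Local Computer, the zone-only check grants shortcuts to a cached .chm, while the hardened check refuses it regardless of the zone.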
While rating the flaw “critical,” Microsoft said an
attack scenario “would be complex” and would involve using an HTML mail to
deliver a .chm file that contains a shortcut, then making use of the flaws
to open it and allow the shortcut to execute.
It said an HTML mail-based attack could not be exploited on systems where
Outlook 98 or Outlook 2000 were used alongside the Outlook Email Security
Update, or Outlook Express 6 or Outlook 2002 were used in their default
configurations.
The company issued a patch to plug the holes but warned that users
must be running Internet Explorer 5.01, 5.5, or 6.0 for the patch
to be effective.
Separately, Microsoft issued bulletins for two other flaws with “moderate”
ratings. Those exist in the file decompression tool in Windows Millennium
Edition, Windows XP and the Windows 98 Plus Pack.
Microsoft said the bugs could allow the execution of dangerous code on a
compromised system.
Redmond also released a cumulative
security patch for SQL Server 2000 and 7.0 that includes the
functionality of all previously released patches as well as fixes for four
other new bugs.
The new vulnerabilities fixed by the SQL Server patch include:
- Unchecked Buffer in SQL Server 2000 Authentication Function – A buffer
overrun in a section of code in SQL Server 2000 (and MSDE 2000) associated
with user authentication that could allow an attacker to either cause the
server to fail or gain the ability to overwrite memory on the server,
thereby potentially running code on the server in the security context of
the SQL Server service.
- Unchecked buffer in Database Console Commands – A buffer overrun
vulnerability that occurs in one of the Database Console Commands (DBCCs)
that ship as part of SQL Server 7.0 and 2000. In the most serious case,
exploiting this vulnerability would enable an attacker to run code in the
context of the SQL Server service, thereby giving the attacker complete
control over all databases on the server.
- Flaw in Output File Handling for Scheduled Jobs – A vulnerability
associated with scheduled jobs in SQL Server 7.0 and 2000, which in certain
situations could allow an unprivileged user to submit a job that would
create a file containing valid operating system commands in another user’s
Startup folder or simply overwrite system files in order to disrupt system
operation.
- Change in Operation of SQL Server – The patch also changes the operation
of SQL Server to prevent non-administrative users from running ad hoc
queries against non-SQL OLEDB data sources. Although the current operation
does not represent a security vulnerability per se, the new operation makes
it more difficult to misuse poorly coded data providers that might be
installed on the server.