Msdds.dll And Microsoft Security Advisory (906267)

A COM Object (Msdds.dll) Could Cause Internet Explorer to Unexpectedly Exit
Published: August 18, 2005
Microsoft is investigating new public reports of a possible vulnerability in Internet Explorer. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time. Microsoft is aggressively investigating the public reports.
The Microsoft DDS Library Shape Control (Msdds.dll) is a COM object that could, when called from a Web page displayed in Internet Explorer, cause Internet Explorer to unexpectedly exit. This condition could potentially allow remote code execution if a user visited a malicious Web site. This COM Object is not marked safe for scripting and is not intended for use in Internet Explorer.

Microsoft Security Advisory (906267)

The above advisory was brought to my attention by a post to the DShield list the other day, not by information from Microsoft. The information about this ‘possible’ exploit was on the FrSIRT site, which even goes on to list example code that could be used to generate an exploit.

The accepted practice among the respectable sites these days is that, on finding a possible problem, you inform the vendor so that they can take action to prevent the effects of any such exploit.

What appears to have happened in this case is that FrSIRT have released not only information about a possible exploit, but also the code required to generate the exploit (or at least provide a good head start). Just the mention of the possible problem is usually enough for those who create these exploits to get going. Giving them a head start just encourages more people to ‘have a go’.

At present there are no known exploits to take advantage of this, and some efforts to reproduce the problem have so far failed. It appears now that Microsoft have acknowledged the possibility of a problem and will no doubt be throwing resources at it to reduce the problems caused if (and more likely when) an exploit is released (if in fact there is a problem).

With the present trojan and its variants (Zotob) doing the rounds, you would think MS were busy enough, so the last thing that they needed was for some irresponsible company to release the details of another exploit while they were busy working on the previous one.

In the meantime I would keep on the lookout for any suspicious activity and make sure you are patched and up to date with any MS patches.

Don’t think that because you have a good Anti-Virus installed that you are protected.

UPDATE: 16:22 19/08/2005

It appears that some sense has been shown by FrSIRT, in that they have now taken down the example exploit code.

Updated: 20 AUG 2005 02:00
Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

http://www.microsoft.com/technet/security/advisory/906267.mspx

Updated: 20 AUG 2005 02:15
Mitigating Factors:

• The Microsoft DDS Library Shape Control (Msdds.dll) does not ship in Windows.

• The Microsoft DDS Library Shape Control (Msdds.dll) does not ship in the .NET Framework.

• Customers who do not have Msdds.dll on their systems are not affected by this vulnerability.

• The affected versions of Msdds.dll are 7.0.9064.9112 and 7.0.9446.0. Customers who have Msdds.dll with version 7.0.9955.0, 7.10.3077.0, or higher on their systems are not affected by this vulnerability.

• Customers who use Microsoft Office 2003 are not affected by this vulnerability.

• Customers who use Microsoft Access 2003 are not affected by this vulnerability.

• Customers who use Microsoft Office XP Service Pack 3 are not by default affected by this vulnerability. See Frequently Asked Question “I am running Microsoft Office XP Service Pack 3, am I affected by this vulnerability?” for additional details.

• Customers who use Microsoft Access 2002 Service Pack 3 are not by default affected by this vulnerability. See Frequently Asked Question “I am running Microsoft Office XP Service Pack 3, am I affected by this vulnerability?” for additional details.

• Customers who use Microsoft Visual Studio 2003 are not affected by this vulnerability.

• Customers who use Microsoft Visual Studio 2002 Service Pack 1 are not affected by this vulnerability.

Make sure you check the link to the MS site for the latest updates on this ‘new vulnerability’.

  • Replacing the vulnerable Msdds.dll version (7.0.9064.9112) with the
    version found on MS SQL 2000 SP4 (7.10.3077.0) seems to work.
    Posted by : J Wolfgang Goerlich on the MS Technet forum.
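
The version numbers in the mitigating factors above can be turned into a triage check over a software inventory. This is an added example, not code from Microsoft or from the original post; the host names and inventory records are constructed, and treating everything from 7.0.9955.0 upward as not affected is an assumption based on the advisory's "or higher" wording.

```python
import re

# Version numbers from the advisory's mitigating factors.
AFFECTED = {(7, 0, 9064, 9112), (7, 0, 9446, 0)}
NOT_AFFECTED_FLOOR = (7, 0, 9955, 0)  # assumption: "or higher" starts here

_VERSION_RE = re.compile(r"^\s*(\d+)\s*[.,]\s*(\d+)\s*[.,]\s*(\d+)\s*[.,]\s*(\d+)")


def parse_version(text):
    """Parse a file version string into four ints, or None if it does not fit.

    Accepts dotted ("7.0.9446.0"), zero-padded ("7.00.9064.9112") and
    comma-separated ("7, 10, 3077, 0") forms; trailing text is ignored.
    """
    match = _VERSION_RE.match(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return 'affected', 'not-affected', 'review' or 'unparsed'."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"
    if version in AFFECTED:
        return "affected"
    # Tuples compare field by field as numbers, so 7.10.x sorts above 7.0.x.
    if version >= NOT_AFFECTED_FLOOR:
        return "not-affected"
    # Present, but not named by the advisory either way: check by hand.
    return "review"


def triage(inventory):
    """Group (host, version_text) records by verdict."""
    groups = {"affected": [], "not-affected": [], "review": [], "unparsed": []}
    for host, version_text in inventory:
        groups[classify(version_text)].append(host)
    return groups


# Constructed sample inventory of Msdds.dll versions (hypothetical hosts).
SAMPLE_INVENTORY = [
    ("ws-01", "7.0.9064.9112"), ("ws-02", "7.00.9446.0"),
    ("db-01", "7, 10, 3077, 0"), ("ws-03", "7.0.9955.0"),
    ("ws-04", "7.0.9500.0"), ("ws-05", ""),
]
```

Hosts that land in `review` or `unparsed` have the DLL in a version the advisory does not name, so they are reported separately rather than being counted as safe.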