On 1999-Nov-29 at 17:42:36 -0800, Ben Greenbaum wrote:

: ---------- Forwarded message ----------
: Date: Mon, 29 Nov 1999 17:18:19 -0800
: From: Microsoft Product Security <secnotifat_private>
: To: MICROSOFT_SECURITYat_private
: Subject: Microsoft Security Bulletin (MS99-051)
:
: The following is a Security Bulletin from the Microsoft Product Security
: Notification Service.
:
: Please do not reply to this message, as it was sent from an unattended
: mailbox.
: ********************************
:
: Microsoft Security Bulletin (MS99-051)
: --------------------------------------
:
: Patch Available for "IE Task Scheduler" Vulnerability
: Originally Posted: November 29, 1999

[...]

: Issue
: =====

[...]

: The IE 5 Task Scheduler controls who can create and submit "AT jobs." The
: utility that is used to create AT jobs can only be run by an administrator,
: and the Task Scheduler will only execute AT jobs that are owned by
: administrators. However, if a malicious user had change access to an
: existing file owned by an administrator (it would not need to be an AT job),
: he or she could modify it to be a valid AT job and place in the appropriate
: folder for execution. This would bypass the control mechanism and allow the
: job to be executed.
:
: This vulnerability would primarily affect machines that allow normal users
: to interactively log onto them. The patch eliminates this vulnerability by
: digitally signing all AT jobs at creation time, and verifying the signature
: at execution time.

Is this really a solution to the problem? It seems to me that the
actual problem is this part

    if a malicious user had change access to an existing file owned
    by an administrator (it would not need to be an AT job), he or she
    could modify it to be a valid AT job and place in the appropriate
    folder for execution[....]

Isn't that true for most files to which a malicious user has `change'
access?

Regardless of that, how does the patch stop malicious users from
producing AT jobs that have valid signatures and putting them in place?

[...]

: More Information
: ================
: Please see the following references for more information related to this
: issue.
: - Microsoft Security Bulletin MS99-051: Frequently Asked Questions,
: http://www.microsoft.com/security/bulletins/MS99-051faq.asp.

This URL produces the following text:

    Microsoft VBScript runtime error `800a000d'
    Type mismatch: `CInt'
    /security/inc/scripts.txt, line 279

but only with JavaScript turned on. Without JavaScript, the page is
utterly blank.

: - Microsoft Knowledge Base (KB) article Q246972,
: IE 5 Task Scheduler Allows Privilege Elevation on Windows NT Systems,
: http://support.microsoft.com/support/kb/articles/q245/7/29.asp.
: (NOTE: It may take 24 hours from the original posting of this bulletin
: for this KB article to be visible)

This URL gets me to a KB item entitled `Windows 95 and Windows 98 File
Access URL Update', which has nothing to do with Q246972.

: - Microsoft Security Advisor web site,
: http://www.microsoft.com/security/default.asp.

This URL produces the following text:

    Microsoft VBScript runtime error `800a000d'
    Type mismatch: `CInt'
    /security/inc/scripts.txt, line 279

Is there anywhere that has some actual information about this?

--
jim knoble
jmknobleat_private
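
An added illustration, not part of the original message or of Microsoft's patch: a Python model of the two controls the bulletin describes, an ownership-only check and a sign-at-creation, verify-at-execution check. The job format, account name and key are constructed, and an HMAC stands in for the signature scheme, which the bulletin does not specify.

```python
import hashlib
import hmac
from dataclasses import dataclass

ADMINS = {"Administrator"}                # constructed sample account name
SCHEDULER_KEY = b"constructed-demo-key"   # assumption: secret only the scheduler can read

@dataclass
class JobFile:
    owner: str              # file owner as reported by the file system
    content: bytes          # job definition (constructed format)
    signature: bytes = b""  # attached at creation time in the post-patch model

def sign_job(job, key=SCHEDULER_KEY):
    """Creation time: bind the job content to a key (HMAC stands in for the signature)."""
    job.signature = hmac.new(key, job.content, hashlib.sha256).digest()
    return job

def runs_pre_patch(job):
    """Ownership-only control: execute anything an administrator owns."""
    return job.owner in ADMINS

def runs_post_patch(job, key=SCHEDULER_KEY):
    """Ownership check plus signature verification at execution time."""
    expected = hmac.new(key, job.content, hashlib.sha256).digest()
    return job.owner in ADMINS and hmac.compare_digest(expected, job.signature)

def demo():
    legit = sign_job(JobFile("Administrator", b"run nightly-backup"))
    # Admin-owned file whose content was rewritten by a user with change access:
    # the owner field is untouched and no scheduler signature exists.
    rewritten = JobFile("Administrator", b"run something-else")
    # Same rewrite, signed with a key that is not the scheduler's.
    wrong_key = sign_job(JobFile("Administrator", b"run something-else"), key=b"guess")
    # Same rewrite, signed with the real key: models a key that users can read.
    exposed_key = sign_job(JobFile("Administrator", b"run something-else"))
    return {
        "legit_post": runs_post_patch(legit),
        "rewritten_pre": runs_pre_patch(rewritten),
        "rewritten_post": runs_post_patch(rewritten),
        "wrong_key_post": runs_post_patch(wrong_key),
        "exposed_key_post": runs_post_patch(exposed_key),
    }

if __name__ == "__main__":
    for case, executed in demo().items():
        print(f"{case}: {'executed' if executed else 'rejected'}")
```

In this model the signature check rejects the rewritten file only while the signing key stays out of reach of normal users; the last case shows the check passing once that assumption fails.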