Full Disclosure mailing list archives

Microsoft security hotfix MS11-071 alias KB2570947 incomplete
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Mon, 14 Nov 2011 17:40:41 +0100

Hi @ll,

the "Microsoft Update Catalog" web site
<https://catalog.update.microsoft.com/v7/site/home.aspx>
(which is usable with Internet Explorer only) needs and installs
the ActiveX control MicrosoftUpdateCatalogWebControl.Dll from
<https://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MUCatalogWebControl.Cab>

The HTTP "Last-Modified" header/timestamp of this .CAB is
    Tue, 08 Feb 2011 21:14:43 GMT
the timestamp of its digital signature (Authenticode) is
    Tue, 08 Feb 2011 21:15:25 GMT

The timestamp/version of the ActiveX control is
    Tue, 08 Feb 2011 12:52:48    7.4.7057.248
the timestamp of its digital signature (Authenticode) is
    Tue, 08 Feb 2011 20:54:11 GMT

The self-registering ActiveX control creates the following
superfluous registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6391AFBB-45A8-4107-A154-F27DB8F03049}\InprocServer32]
@="mscoree.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.UpdateServices.Administration.AdminProxy\CLSID]
@="{6391AFBB-45A8-4107-A154-F27DB8F03049}"

which create a dangling (and unqualified) reference to MSCOREE.DLL,
the core library of the .NET Framework.

On Windows XP, where .NET Framework is not installed by default,
this creates a vulnerability.


The Microsoft security hotfix MS11-071 alias KB2570947 removes
the following superfluous registry entries (very similar to the
ones above) with another dangling reference to MSCOREE.DLL:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5AB5662-131D-453D-88C8-9BBA87502ADE}\InProcServer32]
@="mscoree.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\Microsoft.MMC.FrameworkSnapInFactory\CLSID]
@="{D5AB5662-131D-453D-88C8-9BBA87502ADE}"

but leaves the entries shown above.


FIX
~~~

remove the offending registry entries by importing the following
.REG file:

--- *.REG ---
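REGEDIT4

; CLSID registered by the Update Catalog ActiveX control (entry shown above)
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6391AFBB-45A8-4107-A154-F27DB8F03049}]

; CLSID that MS11-071 alias KB2570947 already removes
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5AB5662-131D-453D-88C8-9BBA87502ADE}]

; ProgID that points at the first CLSID
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.UpdateServices.Administration.AdminProxy]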
--- EOF ---


Timeline
~~~~~~~~

2011-09-18    vendor informed about dangling registry entries

2011-09-19    vendor acknowledges receipt, but asks for circumstances

2011-09-19    send requested information to vendor

2011-09-27    send status request to vendor

2011-09-28    vendor replies, asking for more information

2011-09-29    send full information about the culprit to vendor

2011-10-11    send status request to vendor

              no reaction

2011-11-09    send status request to vendor

2011-11-10    vendor replies:

              We have been looking to this, but cannot reproduce this on
              default installations.  Since the issue would require either
              a non-default scenario or extensive user interaction, it is
              not something MSRC would track.  I have, however, passed it
              directly to the product team to investigate through their
              normal bug triage process, and they may contact you directly
              if they need further information.

2011-11-14    publish vulnerability report


Stefan Kanthak


JFTR: if Microsoft weren't such sloppy coders and had a QA department this
      whole class of vulnerabilities would not exist: the path to EVERY
      executable in Windows is well-known, all references can use the
      fully-qualified, absolute path.

      <http://home.arcor.de/skanthak/download/XP_FIXIT.INF> fixes all the
      2500+ unqualified (plus not properly quoted long) filenames left in
      the registry of Windows XP SP3 AFTER fixing the other 2000+ unqualified
      (plus not properly quoted long) filenames in the \i386\HIVE*.INF and
      \i386\DMREG.INF (from which the initial registry is built) on the
      installation media.

      <http://home.arcor.de/skanthak/download/W7_ERROR.INF> documents the
      4500+ unqualified filenames in the registry of Windows 7 Professional
      with SP1, and <http://home.arcor.de/skanthak/download/W7_ISSUE.INF>
      documents some other issues.

      "honi soit qui mal y pense"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
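
Added example, not part of the original post: a Python audit that scans a REGEDIT4 export for COM server registrations (InprocServer32 / LocalServer32) whose default value is not a fully qualified path, the condition the post describes for mscoree.dll. The sample export is constructed; only its first key is taken from the post, and treating a `%VAR%\` prefix as qualified is an assumption.

```python
import re

# Constructed REGEDIT4 sample. The first key is the entry quoted in the post;
# the other three are made-up, properly qualified registrations for contrast.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6391AFBB-45A8-4107-A154-F27DB8F03049}\InprocServer32]
@="mscoree.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\LocalServer32]
@="\"C:\\Program Files\\Example\\server.exe\" /automation"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\InprocServer32]
@="%SystemRoot%\\system32\\example.dll"
'''

KEY_RE = re.compile(r'^\[(?!-)(.+)\]$')        # key header, skipping [-...] deletions
DEFAULT_RE = re.compile(r'^@="(.*)"$')         # default value stored as a string
SERVER_KEYS = ("inprocserver32", "localserver32")
# Drive-letter path, UNC path, or (assumption) a path starting with %VAR%\
QUALIFIED_RE = re.compile(r'^(?:[A-Za-z]:\\|\\\\|%[^%]+%\\)')

def unescape(value):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', value)

def command_path(value):
    """Return the executable part of a server value, honouring a leading quote."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value

def find_unqualified_servers(reg_text):
    """List (key, path) pairs whose COM server path is not fully qualified."""
    findings, key = [], None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        header = KEY_RE.match(line)
        if header:
            key = header.group(1)
            continue
        value = DEFAULT_RE.match(line)
        if value and key and key.rsplit('\\', 1)[-1].lower() in SERVER_KEYS:
            path = command_path(unescape(value.group(1)))
            if not QUALIFIED_RE.match(path):
                findings.append((key, path))
    return findings

if __name__ == "__main__":
    for key, path in find_unqualified_servers(SAMPLE_REG):
        print(f"unqualified server path {path!r} in [{key}]")
```

To audit a real system, export `HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID` in REGEDIT4 (Win9x/NT4) format and pass the file's text to `find_unqualified_servers`.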
