Title: Microsoft Internet Explorer 6.0 files will rollback during installation of Windows XP Pro Upgrade Version Known Systems Affected: - Windows XP Professional Upgrade Version 2002 (Windows XP Home Upgrade NOT tested) - Internet Explorer Version 6.0.2600.0000 Update Patches:; Q313675; Risk: High (from the original MS Release) - Internet systems: Critical - Intranet systems: Critical - Client systems: Critical Date: January 15, 2002 Jeffrey Dronenburg Advisory: #01-2002 _______=====+++(*)+++=====_______ Synopsis: 1) When upgrading to Windows XP Pro from previous versions of Windows (only Win 98SE validated), IE 6.0 files are overwritten during the operating system software installation process, effectively rolling the browser software back to original release version 6.0.0000.0000 and removing all installed patches, including Q313675 (See MS01-058). 2) The Microsoft Windows Update web site for XP Pro http://v4.windowsupdate.microsoft.com/en/default.asp will not detect Internet Explorer or recommend update patches. _______=====+++(*)+++=====_______ Notification: * Submitted to Microsoft Feedback http://support.microsoft.com/default.aspx?scid=fh;EN-US;FEEDBACK for Site Content, Features, and Tools on 1/15/2002 at 1:25 AM EST. Vendor alerted immediately upon discovery of vulnerability. Vendor additionally notified of this BUGTRAQ e-mail submission and provided with text of details. * Submitted to BUGTRAQ immediately without waiting for vendor response to further document this serious, already well known potential security breach. The particular vulnerability discussed in this advisory may arise out of a false sense of security created by taking normal security precautions and installing system patches following standard, vendor recommended procedures (i.e. update all application software prior to OS upgrade). _______=====+++(*)+++=====_______ Details: I had previously installed the MS01-058 cumulative patch for IE 6.0 from the MS TechNet web site when it was first released to BUGTRAQ by the Microsoft Security Notification Service last month (13 December 2001). Since then, I have installed the upgrade version of Windows XP Pro from Windows 98SE (please don't debate the wisdom of doing this with me). Remember, I thought that my IE 6.0 configuration was fully patched, and I didn't give it another thought (mistake #1). After installing XP Pro, I went to the Windows Update site and installed all available security patches using auto detection, including the UPnP vulnerability patch. At this point I *assumed* I had a completely patched operating system (mistake #2 -- something about an old adage when you ass*u*me things). Tonight, I went to the Online Solutions web site linked in Jouko Pynnonen's e-mail thread quoted below and was *surprised* -- *stunned* -- when the test revealed a vulnerable browser. I immediately clicked on About Internet Explorer and was completely surprised to find version 6.0.0000.0000. No patches! Evidently, the XP Pro installation must have erased all IE 6.0 patched files and replaced them with original release files. I went back to the Windows Update site for XP Pro and the site again *failed to detect* any missing patches for IE. No critical patches were identified. Evidently, IE 6.0 isn't included in the self-detect on this site as it is on the Windows 98 Update site. I then went to the TechNet security page detailing MS01-058 and reinstalled the patch. Testing passed on the Online Solutions test page linked below. Thank you again, Jouko and Online Solutions for providing this very timely online tool and reminder to test our browsers! _______=====+++(*)+++=====_______ Workaround/Solutions: 1) Validate current version of Internet Explorer by clicking on Help -> About Internet Explorer and ensure that Update Patches:; Q313675; is reflected. 2) Test Internet Explorer on the Online Solutions Web site at http://www.solutions.fi/iebug2. 3) If required: - A patch is available to fix this vulnerability. Please read the Microsoft Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms01-058.asp for vendor information on obtaining this patch. 4) Subscribe to the Microsoft Product Security Notification Service e-mail notification list. This may be the only reliable way to be kept appraised of critical patches and updates to IE from Microsoft until Windows Update is modified. _______=====+++(*)+++=====_______ <!-- onSoapBox --> For the Microsoft personnel screening BUGTRAQ: PLEASE (all caps added for emphasis) include IE on the Windows XP Pro Update site (http://v4.windowsupdate.microsoft.com/en/default.asp). Your customers should not have to go to www.anysite.fi to validate the current patch status of your software products. Of all of the controversies surrounding the current release of the XP operating system, this specific issue is particularly reprehensible and annoying. Your developers put together a great tool to determine system software status and assist your customers in selecting appropriate updates and patches for their systems. Perhaps too great a tool, as it has become an assumption crutch. I happen to be in that <1% of the Windows users population that follows developments in software security (and the BUGTRAQ mailing list along with other SecurityFocus.com lists). What about the remaining 99%? They depend on tools like Windows Update to keep their systems, well, up to date (if they even do that). IMHO, the tool is broken until it fully detects all system updates and patches for your software products, or at least points you to the tool that will (like the Office Update site). <!-- offSoapBox --> _______=====+++(*)+++=====_______ Lessons Learned: Don't rely on vendor supplied automated tools -- check your system thoroughly after any operating system upgrade. Then, check it again. One more time for a confidence check. Repeat continuously. <!-- That must be in a Systems Security 101 book somewhere... --> Cheers, Jeffrey Dronenburg, Sr. MIS Major, Univ. of Maryland, Univ. College Alpha Sigma Lambda Phi Kappa Phi "A day without learning is like apple pie without ice cream. They're both much sweeter the other way around." -Me! :-) P.S. Tonight, I learned another lesson in systems security thanks to the BUGTRAQ... _______=====+++(*)+++=====_______ The Fine Print: Legal Notice: This Advisory is Copyright (c) 2002 Jeffrey W. Dronenburg, Sr. You may distribute it unmodified. When replying to this advisory, you may omit certain sections as long as it does not change the meaning or intent of the advisory, and the omitted sections are replaced with "<snip>". You may not otherwise modify it for distribution, or distribute parts of it without the author's written permission. Disclaimer: The information in this advisory is believed to be true based on my own experiments though it may be proven to be invalid. If you discover through continued experimentation that the results of my own experiments are not valid, please do me the professional courtesy of informing me of your findings, and copying me when posting to mailing lists such as SecurityFocus.com's BUGTRAQ. The opinions expressed in this advisory are my own and not of any government agency or company. The usual standard disclaimers apply, especially the fact that Jeffrey W. Dronenburg, Sr. is not liable for any damages caused by the direct or indirect use of the information provided by this advisory. The information in this advisory is being released to the Information Systems and Network Security Community as a whole in the interest of furthering computer systems security. Jeffrey W. Dronenburg, Sr. bears no responsibility for the content or misuse of the information provided in this advisory or any derivatives thereof. ----- End of Message ----- ----- Portions of Original Quoted Message from BUGTRAQ ----- From: "Jouko Pynnonen" <jouko@solutions.fi> To: <bugtraq@securityfocus.com> Sent: Monday, January 14, 2002 8:58 AM Subject: MSIE may download and run programs automatically - details This posting briefly describes some technical details of the vulnerability discussed in the Bugtraq messages with the subjects "MSIE may download and run progams automatically" (Dec 14 2001) and "File extensions spoofable in MSIE download dialog" (Nov 26 2001). <snip> If you want to check if your browser is vulnerable, you can do it on this web page: http://www.solutions.fi/iebug2 After clicking the link there, a vulnerable IE will download a small program and run it. The program will run in a DOS window and print a message. If this happens, you should patch your browser. The patch has been available since 13 December 2001 at Microsoft's site: http://www.microsoft.com/technet/security/bulletin/MS01-058.asp A non-vulnerable IE will show a download dialog with a filename ending with ".EXE". -- Jouko Pynnonen Online Solutions Ltd Secure your Linux - jouko@solutions.fi http://www.solutions.fi http://www.secmod.com
