Vulnerability in Microsoft OWC ActiveX – How to check if my machine is vulnerable?

Hi,

Two days ago I blogged about a vulnerability in Microsoft Office Web Components ActiveX that affects ISA Server 2006. I also provided a workaround found on the Security Research & Defense team blog.

Yesterday I received a comment about this blog entry asking me how to check if the ISA Server being used is vulnerable. The commenter also mentioned that they could not find the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046} on the ISA Server computer. So, I decided to check on my ISA Server and, to my surprise, it wasn't there either!! I thought then “what the heck!!??”.

I started to investigate a little more about this “issue” and found great answers that I'll share with you guys.

First, I read again the Microsoft Security Research & Defense team blog post on how to work around the vulnerability. While reading, I encountered a reference to another blog entry discussing how to tell if ActiveX vulnerabilities are exploitable in Internet Explorer.

In the second blog entry, at the end of the post, there's C# source code (ClassId.cs) to check if the ActiveX control is exploitable. Nice! Here comes the question: “What am I supposed to do with it??”. After all, I'm no developer…

The next step was to try to find the ClassId.exe used in the first MS SRD blog entry. I checked www.microsoft.com/downloads and found nothing! Then I tried the link “INFO: How Internet Explorer Determines If ActiveX Controls Are Safe” provided in the second blog post; however, the page was not found.

Then I had the idea to ask one of the developers here at the company to build an executable file from the ClassId.cs file.

He said OK to me!

He built the executable file and I tested it on my ISA firewall. The result was:

C:\Tools\ClassId>ClassId.exe {0002E559-0000-0000-C000-000000000046}

Clsid: {0002E559-0000-0000-C000-000000000046}
Progid: OWC11.Spreadsheet.11
Binary Path: C:\Program Files\Microsoft ISA Server\OWC11.DLL
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
Safe For Initialization (Registry): False
Safe For Scripting (Registry): False
KillBitted: False  –> this means that my Internet Explorer is loading this control, making my ISA Firewall vulnerable.

Oh! But how could it check that if, at the start of this blog post, I said that there was no registry key at the location indicated on the MS SRD blog??

Well, I don't know the answer to this question… I have to review the code and see if I can find anything useful. Like I said before, I'm no developer.

But how can I make sure the output is telling the truth? I asked myself the same question. To make sure, I applied the workaround from the MS SRD team blog, and the output is this:

C:\Tools\ClassId>ClassId.exe {0002E559-0000-0000-C000-000000000046}

Clsid: {0002E559-0000-0000-C000-000000000046}
Progid: OWC11.Spreadsheet.11
Binary Path: C:\Program Files\Microsoft ISA Server\OWC11.DLL
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
Safe For Initialization (Registry): False
Safe For Scripting (Registry): False
KillBitted: True

It seems OK!! However, that was not enough for me. Looking at the Microsoft Support web site, I found the following article: How to stop an ActiveX control from running in Internet Explorer.

Something really interesting was written in there about the mysterious registry key:

2. Use Registry Editor to view the data value of the Compatibility Flags DWORD value of the ActiveX object CLSID in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\CLSID of the ActiveX control, where CLSID of the ActiveX control is the class identifier of the appropriate ActiveX control.

Note Typically, you will have to manually create this registry key.

3. Change the value of the Compatibility Flags DWORD value to 0x00000400.

Aha! It seems we now have part of the mystery solved!
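
The check described in the support article steps above, as an added example that is not part of the original post and is not ClassId.cs. It is read-only and covers only the registry kill bit, not the IObjectSafety checks that ClassId.exe also reports; the function name Get-KillBitState is made up for illustration.

```powershell
# Added example: read-only kill-bit check. Get-KillBitState is an illustrative name.
$KillBit  = 0x00000400   # Compatibility Flags value given in the support article
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitState {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    # Parsing as a GUID rejects malformed input and yields the braced key name.
    $name = ([guid]$Clsid).ToString('B').ToUpper()
    $key  = Join-Path $BasePath $name

    $state = New-Object psobject -Property @{
        Clsid = $name; KeyPresent = $false; Flags = $null; KillBitted = $false
    }

    # No key at all is the normal case for a control nobody has blocked:
    # the kill bit is simply not set.
    if (-not (Test-Path -LiteralPath $key)) { return $state }
    $state.KeyPresent = $true

    # The key can exist without the value; that also means "not kill-bitted".
    $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $state }

    # Other flag bits may be set too, so test the 0x400 bit, not equality.
    $raw = $prop.'Compatibility Flags'
    $state.Flags      = '0x{0:X8}' -f $raw
    $state.KillBitted = (($raw -band $KillBit) -ne 0)
    return $state
}

# The OWC11 spreadsheet control from the ClassId.exe output above.
Get-KillBitState '{0002E559-0000-0000-C000-000000000046}' |
    Format-List Clsid, KeyPresent, Flags, KillBitted
```

A result of KeyPresent: False with KillBitted: False corresponds to the situation at the start of the post: the key is missing, so nothing stops Internet Explorer from loading the control.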

Well, I couldn't end this post without thanking the developer who helped me:

Thanks Fabricio Izumi, nice work!!

If you want the executable file, you can send me an e-mail.

Regards,

Paulo Oliveira.


5 Responses to Vulnerability in Microsoft OWC ActiveX – How to check if my machine is vulnerable?

  1. Unknown says:

    Care to share how your developer built the exe? I’ve been trying for the last hour or so and can’t figure out how to do it with Vis Stud 2005 …

  2. Reza says:

    Thanks for your great answer…-Reza

  3. Reza says:

    Can you please give me the .exe file? Thanks imprise_server@yahoo.com

  4. Looks like you are an expert in this field, you got some great points there, but you’ll want to add a facebook button to your blog. I just bookmarked this article, although I had to complete it manually. Simply my $.02 🙂

    – Daniel

  5. Terrance says:

    Can you please send me the ClassId.exe file?
    Thanks..
