             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   Microsoft Visual FoxPro 6.0 Vulnerability
                     [Microsoft Security Bulletin MS02-049]

September 5, 2002 20:00 GMT                                       Number M-120
______________________________________________________________________________
PROBLEM:       A flaw has been identified that could enable a web page to
               launch the Visual FoxPro 6.0 application on a user's machine
               without the normal Internet Explorer warning received
               beforehand.
AFFECTED       Microsoft Visual FoxPro 6.0
SOFTWARE:      
DAMAGE:        Impact to a user's machine ranges from an attacker being able
               to load and run programs to reformatting the hard drive.
SOLUTION:      Apply Microsoft's patch or upgrade to FoxPro 7.0.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. The most privileges the application could gain
ASSESSMENT:    would be those of the user. The filename to be launched would
               have to be constructed in a particular format.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-120.shtml
 ORIGINAL BULLETIN:
                     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-049.asp
 PATCHES:
                     http://www.microsoft.com/downloads/Release.asp?ReleaseID=42297
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS02-049 *****]


Summary

Who should read this bulletin: Customers using Microsoft® Visual FoxPro 6.0 

Impact of vulnerability: Attacker could gain control over user’s system. 

Maximum Severity Rating: Moderate. 

Recommendation: Customers using Visual FoxPro 6.0 should install the patch
immediately. 

Affected Software: 

Microsoft Visual FoxPro 6.0 

Technical details 

Technical description: 

In general, when an product installs, it should register itself with 
Internet Explorer. This allows the product to specify how Internet 
Explorer should handle files associated with it when referenced from 
a web page – for instance, it allows the product to specify whether the 
user should be presented with a warning dialogue before such a file is
opened. 

Visual FoxPro 6.0 does not perform this registration, and this gives 
rise to a situation in which a web page could automatically launch a 
Visual FoxPro application (i.e., an .app file). In most cases, this 
would not result in a security vulnerability – because of the way Visual 
FoxPro 6.0 evaluates file names, FoxPro itself could be started but 
the .app file would typically not run. However, if the filename of the 
application were constructed in a particular way, a second error 
(associated with how Visual FoxPro 6.0 evaluates application filenames) 
could not only start FoxPro but allow the application to execute. 

The vulnerability could be exploited by creating a web page that 
references a Visual FoxPro application, and either hosting it on a 
web site or sending it to a user as an HTML mail. If the user had 
installed Visual FoxPro 6.0 – or had installed a product that includes 
the Visual FoxPro 6.0 runtime – and the filename of the application was
constructed in a particular way, the application would execute. This 
would enable the application to not only interrogate databases, but 
also issue system commands in the user’s security context. 

Mitigating factors: 

The vulnerability could only be exploited if Visual FoxPro 6.0 (or 
the Visual FoxPro 6.0 runtime) is installed on the system. Other 
products, and other versions of Visual FoxPro, are not affected by 
the vulnerability. The most privileges the application could gain 
would be those of the user. If the user were operating in a 
less-privileged context, it would limit the damage that the 
application could cause. 

Severity Rating: 
                   Internet Servers  Intranet Servers  Client Systems
Visual FoxPro 6.0        Low                Low           Moderate

The above assessment is based on the types of systems affected by 
the vulnerability, their typical deployment patterns, and the effect 
that exploiting the vulnerability would have on them. 

Vulnerability identifier: CVE-CAN-2002-0696 

Tested Versions:
Microsoft tested Visual FoxPro 6.0 and 7.0 to assess whether they 
are affected by these vulnerabilities. Previous versions are no 
longer supported, and may or may not be affected by these 
vulnerabilities.

Patch availability

Download locations for this patch 

    Microsoft Visual FoxPro 6.0: 
    http://www.microsoft.com/downloads/Release.asp?ReleaseID=42297 

Additional information about this patch 

Installation platforms: 
This patch can be installed on systems running Visual FoxPro 6.0. 
here are no service pack requirements. 

Inclusion in future service packs:
No additional service packs are planned for Visual FoxPro 6.0. 

Reboot needed: No 

Patch can be uninstalled: No 

Superseded patches: None. 

Verifying patch installation: 

To verify that the patch has been installed on the machine, 
confirm that the following registry key has been created on 
the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\VFPODBC\Q326568

To verify the individual files, use the date/time and version 
information provided in the file manifest in Knowledge Base 
article Q326568 

Caveats:

The localized versions of the patch contain a minor error in 
the EULA and the completion dialog, which results in random 
characters being displayed in both. These errors do not affect 
the effectiveness of the patch -- they are display errors only. 
Microsoft will release shortly updated versions of the patches 
that do not contain the errors. 

Localization:
Localized versions of this patch are available at the locations 
discussed in “Patch Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following 
locations: 

Security patches are available from the Microsoft Download Center, 
and can be most easily found by doing a keyword search for 
"security_patch".  Patches for consumer platforms are available 
from the WindowsUpdate web site 

Other information: 

Acknowledgments

Microsoft thanks  Cristobal Bielza and Juan Carlos G. Cuartango 
from Instituto Seguridad Internet (http://www.instisec.com) for 
reporting this issue to us and working with us to protect customers. 

Support: 

Microsoft Knowledge Base article Q326568 discusses this issue and 
will be available approximately 24 hours after the release of this 
bulletin. Knowledge Base articles can be found on the Microsoft 
Online Support web site. Technical support is available from Microsoft 
Product Support Services. There is no charge for support calls a
ssociated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site 
provides additional information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided 
"as is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability 
and fitness for a particular purpose. In no event shall Microsoft 
Corporation or its suppliers be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business 
profits or special damages, even if Microsoft Corporation or its suppliers 
have been advised of the possibility of such damages. Some states do not 
allow the exclusion or limitation of liability for consequential or 
incidental damages so the foregoing limitation may not apply.

Revisions: 

  V1.0 (September 04, 2002): Bulletin Created. 

[***** End Microsoft Security Bulletin MS02-049 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-110: Buffer Overflow in Multiple Domain Name System (DNS) Libraries
M-111: Integer Overflow in External Data Representation (XDR) Library
M-112: Microsoft Cumulative Patch for SQL Server
M-113: Microsoft Network Connection Manager (NCM) Flaw Could Enable Privilege Elevation
M-114: Apache 2.0 Path Disclosure Vulnerability
M-115: Novell NetWare 6.0 RConsoleJ Authentication Bypass Vulnerability
M-116: Microsoft Cumulative Patch for Internet Explorer
M-117: Microsoft Office Web Components Vulnerabilities
M-118: HP Tru64 Unix Multiple Vulnerabilities
M-119: Cisco VPN 3000 Concentrator Multiple Vulnerabilities