|
|
楼主 |
发表于 2005-7-6 21:38:47
|
显示全部楼层
Microsoft Security Advisory (903144)
A COM Object (Javaprxy.dll) Could Cause Internet Explorer to Unexpectedly Exit
Published: June 30, 2005 | Updated: July 5, 2005
Microsoft is investigating a new public report of a vulnerability affecting Internet Explorer. We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time, but we are aggressively investigating the public report.
Microsoft has completed the initial investigation and recommends disabling Javaprxy.dll in Internet Explorer. For more information, including links to an available download, please see “Disable the Javaprxy.dll COM object from running in Internet Explorer” in the Workarounds section. At the completion of the overall investigation, Microsoft will take the appropriate action to help protect our customers, which may include providing additional mitigation or workaround guidance through this Security Advisory, and a security update through our monthly release process or an out-of-cycle security update, depending on the results of the investigation and customer needs.
Microsoft encourages users to exercise caution when opening links in e-mail. For more information about Safe Browsing, visit the Trustworthy Computing Web site.
We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.
Customers who believe they may have been affected by this issue can contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.
General Information
Overview
Purpose of Advisory: To provide customers with initial notification of the publicly disclosed vulnerability and the availability of a workaround from the Microsoft Download Center. Please see the Workarounds section of the security advisory for more information.
Advisory Status: Under Investigation.
Recommendation: Review the suggested actions and configure as appropriate.
This advisory applies to the following software.
Related Software
Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1
Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems, Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium), Microsoft Windows Server 2003 x64 Edition, and Microsoft Windows XP Professional x64 Edition
Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition
Top of section
Frequently Asked Questions
Is this a security vulnerability that requires Microsoft to issue a security update?
We are currently investigating the issue to determine the appropriate course of action for customers. We will include the fix for this issue in an upcoming security bulletin.
What causes this issue?
When a COM object, the JVIEW Profiler (Javaprxy.dll), is instantiated in Internet Explorer, it can cause Internet Explorer to unexpectedly exit.
How do I know if I have Javaprxy.dll is on my system?
Javaprxy.dll is an interface to a debugger in the Microsoft Java Virtual Machine. Customers can either search for this file or use the following command at a command prompt:
Jview
If the resulting response is “‘jview’ is not recognized as an internal or external command” then you do not have the Microsoft Java Virtual Machine on your system.
Customers can use the MSJVM Diagnostic Tool, which is available from the Microsoft Java Virtual Machine Support page, to perform remote and local scans to detect for the presence of MSJVM and MSJVM-related software.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run malicious code on the local system. This could allow an attacker to take complete control of the affected system.
How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by creating a malicious Web page and persuading the user to visit the page. An attacker could also attempt to compromise a Web site to have it display a Web page with malicious content to try to exploit this vulnerability.
Will Microsoft release updates to this advisory as more information becomes available?
Yes. We provided an initial notification on June 30, 2005 to make customers aware of the issue. We have since updated this advisory with additional guidance as specified in the revisions section at the bottom of this advisory.
Is this issue publicly reported?
While this issue was first reported to Microsoft responsibly, details about the reported vulnerability have been made public. Microsoft continues to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while a security update is being developed.
Top of section
Mitigating Factors
• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also try to compromise a Web site and have it display malicious content. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or to a site that has been compromised by the attacker.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• The Microsoft Java Virtual Machine is not included in the following software by default:
• Windows XP Service Pack 1a and Windows XP Service Pack 2
• Windows Server 2003 and Windows Server 2003 Service Pack 1
However, the Microsoft Java Virtual Machine may have been installed by an application. It could also be present as a result of upgrading the operating system. Customers can use the MSJVM Diagnostic Tool, which is available from the Microsoft Java Virtual Machine Support page. Customers can use this tool to perform remote and local scans to detect for the presence of MSJVM and MSJVM-related software. See the “How do I know if I have the Javaprxy.dll on my system?” question in the FAQ section of this document for additional information.
The risk of attack from the HTML e-mail vector can be reduced if you meet all the following conditions:
• Apply the update that is included with Microsoft Security Bulletin MS03-040 or a later Cumulative Security Update for Internet Explorer.
• Use Microsoft Outlook Express 6 or a later version in its default configuration.
• Use Microsoft Outlook 2000 Service Pack 2 or a later version in its default configuration.
• By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configurations. Additionally, the Microsoft Java Virtual Machine is not included in Windows Server 2003 by default.
Top of section
Workarounds
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Disable the Javaprxy.dll COM object from running in Internet Explorer
Disable attempts to instantiate the Javaprxy.dll control in Internet Explorer by setting the kill bit for the control using one of the following options:
Option 1: Disable Javaprxy.dll by using the registry key update that is available from the Microsoft Download Center by visiting the Microsoft Web site for the corresponding version of IE:
Note The download will be labeled as KB903235
• Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
http://www.microsoft.com/downloa ... &displaylang=en
• Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack
http://www.microsoft.com/downloa ... &displaylang=en
• Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1
http://www.microsoft.com/downloa ... &displaylang=en
• Internet Explorer 6 for Microsoft Windows XP Service Pack 2
http://www.microsoft.com/downloa ... &displaylang=en
• Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
http://www.microsoft.com/downloa ... &displaylang=en
• Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium), Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
http://www.microsoft.com/downloa ... &displaylang=en
• Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition, and Microsoft Windows XP Professional x64 Edition
http://www.microsoft.com/downloa ... &displaylang=en
• Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
http://www.microsoft.com/downloa ... &displaylang=en
• Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition
http://www.microsoft.com/downloa ... &displaylang=en
Additional information and download instructions are available on the Microsoft Download Center Web site.
Note This registry key update can be applied to all supported versions of Internet Explorer.
Option 2: Disable Javaprxy.dll by creating the registry key manually
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
The CLSID for the Javaprxy.dll control is ‘03D9F3F2-B0E3-11D2-B081-006008039BF0’
For detailed steps about stopping a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps and create a Compatibility Flags value in the registry to prevent the Javaprxy.dll control from being instantiated in Internet Explorer
Impact of Workaround: None
Top of section
Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX controls in these zones
You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.
To raise the browsing security level in Microsoft Internet Explorer, follow these steps:
1.
On the Internet Explorer Tools menu, click Internet Options.
2.
In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3.
Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.
Note If no slider is visible, click Default Level, and then move the slider to High.
Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.
Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the "Restrict Web sites to only your trusted Web sites" workaround.
Top of section
Change your Internet Explorer to prompt before running or disable ActiveX controls in the Internet and Local intranet security zone
You can help protect against this vulnerability by changing your settings to prompt before running ActiveX controls. To do this, follow these steps:
1.
In Internet Explorer, click Internet Options on the Tools menu.
2.
Click the Security tab.
3.
Click Internet, and then click Custom Level.
4.
Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
5.
Click Local intranet, and then click Custom Level.
6.
Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
7.
Click OK two times to return to Internet Explorer.
Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the "Restrict Web sites to only your trusted Web sites" workaround.
Top of section
Unregister the Javaprxy.dll COM Object
To unregister Javaprxy.dll, follow these steps:
1.
Click Start, click Run, type "regsvr32 /u javaprxy.dll" (without the quotation marks), and then click OK.
2.
A dialog box appears to confirm that the unregistration process has succeeded. Click OK to close the dialog box.
3.
Close Internet Explorer, and reopen it for the changes to take effect.
Impact of Workaround: Applications that require the Microsoft Java Virtual Machine may no longer function correctly.
Top of section
Modify the Access Control List on Javaprxy.dll to be more restrictive
To modify the Access Control List (ACL) on Javaprxy.dll to be more restrictive, follow these steps:
1.
Click Start, click Run, type "cmd" (without the quotation marks), and then click OK.
2.
Type the following command at a command prompt. Make a note of the current ACL’s that are on the file (including inheritance settings) for future reference in case you have to undo this modification:
cacls %windir%\system32\javaprxy.dll
3.
Type the following command at a command prompt to deny the ‘everyone’ group access to this file:
cacls %windir%\system32\javaprxy.dll /d everyone
4.
Close Internet Explorer, and reopen it for the changes to take effect.
Impact of Workaround: Applications that require the Microsoft Java Virtual Machine may no longer function correctly.
Top of section
Restrict access to Javaprxy.dll in Internet Explorer by using a Software Restriction Policy
To restrict access to Javaprxy.dll in Internet Explorer on Windows XP and later versions you can create a Software Restriction Policy. To create this policy, use a registry script or create a Group Policy setting to block the loading of the Javaprxy.dll.
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
We recommend that you back up the registry before you edit it.
Use the following .reg file to un-register Javaprxy.dll in Internet Explorer. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"TransparentEnabled"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{09687f8a-0ca9-4639-b295-a3f5b5be8fc5}]
"LastModified"=hex(b):50,09,1f,b1,04,4a,c5,01
"Description"="Block javaprxy.dll"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6a,00,61,00,76,00,61,00,70,\
00,72,00,78,00,79,00,2e,00,64,00,6c,00,6c,00,00,00
Impact of Workaround: Applications that require the Microsoft Java Virtual Machine may no longer function correctly.
Top of section
Remove the Microsoft Java Virtual Machine from your system using the Java Removal Tool
Customers can use the MSJVM Diagnostic Tool available from the Microsoft Java Virtual Machine Support page to perform remote and local scans to detect for the presence of MSJVM and MSJVM-related software.
Customers can then use the Java Removal Tool to permanently remove the Microsoft Java Virtual Machine from their system. For more information about how to qualify for access to the Java Removal Tool from Microsoft Product Support Services, see Microsoft Knowledge Base Article 826878.
Warning: Removing the Microsoft Java Virtual Machine from your system is permanent. Microsoft cannot provide Windows operating system recovery media to you that includes the MSJVM for reinstallation. Microsoft no longer includes the MSJVM in Windows operating system products.
Impact of Workaround: Applications that require the Microsoft Java Virtual Machine will no longer function correctly.
Top of section
Top of section
Suggested Actions
• Customers who believe they may have been affected can contact Product Support Services. You can contact Product Support Services in the United States and Canada for help with security update issues or viruses at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.
All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled automatic updates will automatically receive all Windows Updates. For more information about security updates, visit http://www.microsoft.com/security/.
• We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps at Protect Your PC Web site.
• For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.
Top of section
Resources:
• You can provide feedback by completing the form at the following Web site.
• Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
• International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
• The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
• June 30, 2005: Advisory published
• July 1, 2005: Advisory updated with additional mitigations and workarounds
• July 5, 2005: Advisory updated with Microsoft Download Center information for the registry key update that disables Javaprxy.dll in Internet Explorer |
|
发表于 2005-7-6 21:38:05