U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (TA04-184A)

Internet Explorer Update to Disable ADODB.Stream ActiveX Control

Original release date: July 02, 2004

Systems Affected

  • Microsoft Windows systems

Overview

Microsoft has released a security update for Internet Explorer (IE) that disables the ADODB.Stream ActiveX control. This update reduces the impact of attacks against cross-domain vulnerabilities in IE.

Description

A class of vulnerabilities in IE allows malicious script from one domain to execute in a different domain which may also be in a different IE security zone. Attackers typically seek to execute script in the security context of the Local Machine Zone (LMZ). One such vulnerability (VU#713878) is described in US-CERT Technical Alert TA04-163A. Other cross-domain vulnerabilities have similar impacts.

After obtaining access to the LMZ through one or more of the vulnerabilities noted above, attackers typically attempt to download and run an executable file. Writing the executable to disk can be accomplished using the ADODB.Stream ActiveX control. In order to defeat this technique, Microsoft has released an update that disables the ADODB.Stream control. From Microsoft Knowledge Base Article 870669:

An ADO stream object contains methods for reading and writing binary files and text files. When an ADO stream object is combined with known security vulnerabilities in Internet Explorer, a Web site could execute scripts from the Local Machine zone. To help protect your computer from this kind of attack, you can manually modify your registry.

It is important to note that there may be other ways for an attacker to write arbitrary data or to execute commands without relying on the ADODB.Stream control.

Further information is available from Microsoft in What You Should Know About Download.Ject. Instructions for securing IE and other web browsers against malicious web scripts are available in the Malicious Web Scripts FAQ.

Impact

By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.

Recent incident activity known as Download.Ject (also JS.Scob.Trojan, Scob, JS.Toofeer) uses cross-domain vulnerabilities and the ADODB.Stream control to install software that steals sensitive financial information.

Solution

Until a complete solution is available from Microsoft, consider the following workarounds.

Disable Active scripting and ActiveX controls

Disabling Active scripting and ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent widely used payload delivery techniques from functioning. Instructions for disabling Active scripting in the Internet Zone can be found in the Malicious Web Scripts FAQ. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone. Also, Service Pack 2 for Windows XP (currently at RC2) includes these and other security enhancements for IE.

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels. While this is generally good security practice, following this behavior will not prevent exploitation of this vulnerability in all cases. For example, a trusted web site could be compromised and modified to deliver exploit script to unsuspecting clients.

Disable ADODB.Stream ActiveX control

One way to disable the ADODB.Stream control is to apply the update from the Microsoft Download Center (KB870669) or the Windows Update web site.

The ADODB.Stream control can also be disabled by modifying the Windows registry as described in Microsoft Knowledge Base Article 870669.

Both of these methods disable ADODB.Stream by setting the kill bit for the control in the Windows registry.

Note that disabling the ADODB.Stream control does not directly address any cross-domain vulnerabilities, nor does it prevent attacks. This workaround prevents a well-known and widely used technique for writing arbitrary data to disk after a cross-domain vulnerability has been exploited. There may be other ways for an attacker to write arbitrary data or execute commands.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

Appendix A. Vendor Information

Microsoft Corporation

Please see What You Should Know About Download.Ject and Microsoft Knowledge Base Article 870669.

Appendix B. References


Feedback can be directed to the author: Art Manion


Revision History

  • July 2, 2004: Initial release

    Last updated

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top