Select the product you need help with

MS02-046: Buffer overrun in TSAC ActiveX control might allow code execution

Article ID: 327521 - View products that this article applies to.

This article was previously published under Q327521

SYMPTOMS

The Terminal Services Advanced Client (TSAC) Web control is an ActiveX control you can use to run Terminal Services sessions in Internet Explorer. The downloadable ActiveX control provides almost the same functionality as the full Terminal Services Client, but is designed to deliver this functionality over the Web.

The TSAC control does not come installed as part of any Windows client. Instead, clients obtain the control from Web servers that offer terminal services. The configuration process that makes it possible for an Internet Information Services (IIS) server to provide terminal services involves installing a .cab file that contains the control on the server. The server then delivers the .cab file to any client computer that needs it, and the client installs the control from the .cab file.

A security vulnerability results because the control contains an unchecked buffer in the code that processes one of the input parameters. By calling the control on a client and overrunning the buffer, an attacker can gain the ability to run code in the security context of the currently-logged-on user. This makes it possible for the attacker to control the user's computer. The attacker can mount an attack by either hosting a Web page that exploits the vulnerability against any user who visits it, or by sending an HTML e-mail message to another user.

Back to the top | Give Feedback

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389

(http://support.microsoft.com/kb/322389/EN-US/ )

How to Obtain the Latest Windows XP Service Pack

Download Information

For administrators of Web sites that provide terminal services to obtain the updated TSAC ActiveX control, visit the following Microsoft Web site:

Collapse this imageExpand this image

http://www.microsoft.com/windowsxp/downloads/tools/rdwebconn.mspx

(http://www.microsoft.com/windowsxp/downloads/tools/rdwebconn.mspx)

Users must install the August 22, 2002 cumulative patch for Internet Explorer. For additional information about how to do so, click the article number below to view the article in the Microsoft Knowledge Base:

323759

(http://support.microsoft.com/kb/323759/EN-US/ )

MS02-047: August 22, 2002, Cumulative Patch for Internet Explorer

Release Date: August 22, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591

(http://support.microsoft.com/kb/119591/EN-US/ )

How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information

This patch replaces the functionality of the previous Connect.asp file with a new Microsoft Dynamic HTML-based (DHTML-based) Default.htm file, but the patch does not remove the previous Connect.asp file. Administrators who have modified this page can port the modifications to the new Default.htm page and then delete the Connect.asp and Mstsax.cab files.

You do not have to restart your server after you apply the updated TSAC ActiveX control.

Users who are members of the "Regular Users" group cannot install ActiveX controls. The administrator must repeat the method that was used previously to install the ActiveX control on the user's computer. For additional information about how to do so, click the article numbers below to view the articles in the Microsoft Knowledge Base:

241163

(http://support.microsoft.com/kb/241163/EN-US/ )

How to Publish ActiveX Controls in Windows 2000 Using IntelliMirror

280579

(http://support.microsoft.com/kb/280579/EN-US/ )

HOWTO: Install ActiveX Controls in Internet Explorer Using the Active Directory

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version     Size     File name
   -----------------------------------------------------
   16-Apr-2002  18:32                2,022  Bluebarh.gif
   16-Apr-2002  18:32                2,085  Bluebarv.gif
   10-Aug-2002  07:23               21,723  Default.htm
   10-Aug-2002  13:31              310,400  Msrdp.cab
   01-Jul-2002  21:38               11,595  Readme.htm
   16-Apr-2002  18:32                9,644  Win2000l.gif
   16-Apr-2002  18:32                1,958  Win2000r.gif

The English version of the Msrcp.cab file has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version        Size     File name
   -----------------------------------------------------
   10-Aug-2002  07:23                   1,561  Msrdp.inf
   10-Aug-2002  04:16  5.1.2600.1095  600,064  Msrdp.ocx

Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Terminal Services Advanced Client (TSAC) web control. This problem was first corrected in Windows XP Service Pack 1.

Back to the top | Give Feedback

MORE INFORMATION

After you install this update, permissions for the HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing and HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing\HardwareID keys are modified so that the Users group has read-only access. This change may cause connection problems with older RDP or Citrix clients. To resolve this problem, install an updated client or give the Users group Set Value and Create Subkey permissions on the HardwareID key by using Registry Editor (Regedt32.exe).

For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-046.mspx

(http://www.microsoft.com/technet/security/bulletin/MS02-046.mspx)

To prevent potential exploits in older versions of the Terminal Services Web client, Internet Explorer now blocks these OCX controls:

Terminal Services Advanced Client (TSAC) 1.0 ActiveX control - Globally Unique Identifier (GUID): {1fb464c8-09bb-4017-a2f5-eb742f04392f}
Windows XP version of the TSAC - GUID: {791fa017-2de3-492e-acc5-53c67a2b94d0}
Windows .NET BETA versions of the TSAC - GUID: {931a8c29-3ea9-494d-91e7-22e9a9247687}

Administrators of the Terminal server and Web developers may also have to modify existing Active Server Pages (ASP) code to load the updated control. To do so, open the ASP files in a text editor such as Notepad and change any Object tags that refer to the Terminal Services ActiveX control so that the Clsid and Codebase attributes reference the following new values:

CLASSID="CLSID:9059f30f-4eb1-4bd2-9fdc-36f43a218f4a"
CODEBASE="msrdp.cab#version=5,1,2600,1095"

NOTE: The updated Terminal Services ActiveX control package automatically replaces the Clsid and Codebase attributes in the default Web page and changes the ID attribute to MsRdpClient. If you use custom code to script the Terminal Services ActiveX control, make sure that your code uses the same ID attribute in the OBJECT tag that you reference elsewhere in your custom code.

Back to the top | Give Feedback