Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution

Article ID: 961051

INTRODUCTION

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/advisory/961051.mspx

WORKAROUND

To work around this problem, use any of the following methods.

Note You must run the commands described in this article as an administrator. In Windows Vista and Windows Server 2008, you must run the commands from an elevated command prompt. To open an elevated command prompt, follow these steps:
  1. Click Start, type cmd in the search box, and then press ENTER.
  2. In the results list, right-click cmd, and then click Run as administrator.

Method 1: Use a System Access Control List (SACL) to disable OLEDB32.dll for fewer applications

This workaround resembles the "Use SACL entries to disable OLEDB32.dll" workaround that is described later in this article. This workaround is more selective about which applications are blocked from accessing OLEDB32.DLL. Internet Explorer is still blocked. However, most other applications are not. This has the benefit of protecting Internet Explorer from attack. However, it still enables other applications that depend on OLEDB32.DLL to function correctly.

To provide this kind of selective protection, this workaround relies on the fact that Internet Explorer runs with Protected Mode turned on by default. This means that the iexplore.exe process runs at a low integrity level. For more information about what this means and how this works, visit the following Microsoft Web page:
http://msdn.microsoft.com/en-us/library/bb250462.aspx
The integrity mechanism makes it possible to block processes from writing to securable objects such as files that have a higher integrity level. It does this by applying a special integrity level entry to the SACL for an object.

Note It is also possible to block a process from being able to read or execute securable objects at a higher integrity level.
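The following added example (not part of the original article) decodes the two mandatory-label strings that the INF files in this method apply and models which access types a caller loses. The function names are hypothetical, and the integrity check is a simplified model of the mechanism described above.

```powershell
# Added example: decode a mandatory-label SACL string and model its effect.
# SDDL integrity-level trustee codes, lowest to highest: Low, Medium, High, System.
$LevelRank  = @{ LW = 1; ME = 2; HI = 3; SI = 4 }
# SDDL mandatory-policy codes: no-write-up, no-read-up, no-execute-up.
$PolicyFlag = [ordered]@{ NW = 'Write'; NR = 'Read'; NX = 'Execute' }

function ConvertFrom-LabelSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
    if ($Sddl -notmatch '^S:\(ML;([^;]*);([^;]*);;;(LW|ME|HI|SI)\)$') {
        throw "Not a single mandatory-label SACL: $Sddl"
    }
    $rights = $Matches[2]
    $level  = $Matches[3]
    if ($rights.Length % 2 -ne 0) { throw "Odd-length rights field: $rights" }
    $blocked = @()
    for ($i = 0; $i -lt $rights.Length; $i += 2) {
        $code = $rights.Substring($i, 2)
        if (-not $PolicyFlag.Contains($code)) { throw "Unknown policy code: $code" }
        $blocked += $PolicyFlag[$code]
    }
    [pscustomobject]@{ ObjectLevel = $level; BlockedFromBelow = $blocked }
}

function Get-DeniedAccess {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][ValidateSet('LW', 'ME', 'HI', 'SI')][string]$ProcessLevel
    )
    $label = ConvertFrom-LabelSddl $Sddl
    # The policy applies only to callers whose level is below the object's label.
    if ($LevelRank[$ProcessLevel] -lt $LevelRank[$label.ObjectLevel]) {
        return $label.BlockedFromBelow
    }
    return @()
}

# Compare the "block" label and the "undo" label for a Low caller
# (Protected Mode Internet Explorer) and a Medium caller (most other applications).
foreach ($s in 'S:(ML;;NWNRNX;;;ME)', 'S:(ML;;NW;;;ME)') {
    foreach ($proc in 'LW', 'ME') {
        $denied = (Get-DeniedAccess $s $proc) -join ','
        '{0,-22} process={1}  denied={2}' -f $s, $proc, $(if ($denied) { $denied } else { 'none' })
    }
}
```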

How to use this workaround

Notes
  • This workaround applies only to Windows Vista and later versions of Windows.
  • To use this workaround, Internet Explorer must be running with Protected Mode turned on. This requires that both Protected Mode and User Account Control (UAC) are enabled. This is the default setting. To determine whether Protected Mode is enabled, examine the Internet Explorer status bar.
To use this workaround, follow these steps:
  1. Save the following text to a temporary folder:
    • For 32-bit systems
      Save the following text to a text file that is named "BlockAccess_x86.inf":
      [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"
    • For 64-bit systems
      Save the following text to a text file that is named "BlockAccess_x86.inf":
      [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"
      Save the following text to a text file that is named "BlockAccess_x64.inf":
      [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"
  2. Open an elevated Administrator command prompt in the temporary folder.
  3. At the command prompt, type the following command, and then press ENTER:
    SecEdit /configure /db BlockAccess.sdb /cfg <inf file>
  4. After the command is finished, you should receive a message that resembles the following:
    The task has completed successfully.
    See the %windir%\Security\Logs\Scesrv.log file for detailed information.

How to validate this workaround

You can use the icacls command to determine whether the workaround was applied. To do this, use one of the following:
  • For a 32-bit operating system
    At the command prompt, type the following command, and then press ENTER:
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
  • For a 64-bit operating system
    At the command prompt, type the following commands, and then press ENTER:
    icacls "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"

    icacls "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll"
Every time that you run the icacls command, search through the output for the following line.
Mandatory Label\Medium Mandatory Level:(NW,NR,NX)
If the line is present and includes both the NR and NX values, the workaround has been applied successfully. If the line is missing, or if either the NR or the NX value is missing, the workaround has not been applied successfully.
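The check described above can be scripted. This is an added example, not part of the original article; the function name Test-WorkaroundLabel and the sample output lines are constructed for illustration, and the match assumes the English label name shown above.

```powershell
# Added example: decide from icacls output whether the Method 1 label is in place.
function Test-WorkaroundLabel {
    param([string[]]$IcaclsOutput)
    foreach ($line in $IcaclsOutput) {
        # English-language label name, as printed in the article
        if ($line -match 'Mandatory Label\\Medium Mandatory Level:\(([A-Z,]+)\)') {
            $flags = $Matches[1] -split ','
            # Both NR and NX must be present for the workaround to count as applied
            return (($flags -contains 'NR') -and ($flags -contains 'NX'))
        }
    }
    return $false   # no label line at all: the workaround is not applied
}

# Constructed sample output (not captured from a real system)
$sampleApplied = @(
    'oledb32.dll NT SERVICE\TrustedInstaller:(F)',
    '            BUILTIN\Users:(RX)',
    '            Mandatory Label\Medium Mandatory Level:(NW,NR,NX)'
)
$sampleUndone = @(
    'oledb32.dll NT SERVICE\TrustedInstaller:(F)',
    '            Mandatory Label\Medium Mandatory Level:(NW)'
)
"sample applied: $(Test-WorkaroundLabel $sampleApplied)"
"sample undone : $(Test-WorkaroundLabel $sampleUndone)"

# Live check of every copy of the DLL on this computer. Run this from a 64-bit
# PowerShell host on 64-bit Windows; a 32-bit host sees only the x86 folder.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    $dll = Join-Path $root 'Common Files\System\Ole DB\oledb32.dll'
    if (Test-Path -LiteralPath $dll) {
        $state = if (Test-WorkaroundLabel (& icacls.exe $dll)) { 'applied' } else { 'NOT applied' }
        "$dll : $state"
    }
}
```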

The effect of this workaround

This workaround affects only ADO/OLE DB applications that are running in Internet Explorer. This is not common. This workaround has minimal effect because all other processes that are running in Medium or higher integrity level would still be able to load and use OLEDB32.dll.

How to undo this workaround

To undo the workaround, follow these steps:
  1. Save the following text to a temporary folder:
    • For 32-bit systems
      Save the following text to a text file that is named "unBlockAccess_x86.inf":
      [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"
    • For 64-bit systems
      Save the following text to a text file that is named "unBlockAccess_x86.inf":
      [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"
      Save the following text to a text file that is named "unBlockAccess_x64.inf":
      [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [File Security]
      "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NW;;;ME)"
  2. Open an elevated Administrator command prompt in the temporary folder.
  3. At the command prompt, type the following command, and then press ENTER:
    SecEdit /configure /db UnblockAccess.sdb /cfg <inf file>
  4. After the command is finished, you should receive a message that resembles the following:
    The task has completed successfully.
    See the %windir%\Security\Logs\Scesrv.log file for detailed information.
Use the icacls command to verify that the workaround was removed. Then, you can safely delete the UnblockAccess.sdb and UnblockAccess.inf files. See the "How to validate this workaround" section of "Method 1" for more information about how to use the icacls command to verify that the workaround was removed.

Method 2: Disable the "Row Position" functionality of OLEDB32.dll

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To disable the "Row Position" functionality of OLEDB32.dll, delete the following Row Position registry subkey:
HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}

The effect of disabling the "Row Position" functionality of OLEDB32.dll

All ADO applications that use the RowPosition property and related information are affected. All OLE DB applications that use the OLE DB Row Position Library are affected. MSHTML is affected.

How to undo this workaround

Use the following registry file to restore the Row Position registry subkey:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}]
@="Microsoft OLE DB Row Position Library"
[HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}\InprocServer32]
@="C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll"
"ThreadingModel"="Both"
[HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}\ProgID]
@="RowPosition.RowPosition.1"
[HKEY_CLASSES_ROOT\CLSID\{2048EEE6-7FA2-11D0-9E6A-00A0C9138C29}\VersionIndependentProgID]
@="RowPosition.RowPosition"

Method 3: Unregister OLEDB32.dll

To unregister OLEDB32.dll, use one of the following.

Note You must run the commands as an administrator.
  • For supported versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 for 32-bit Systems
    At the command prompt, type the following command, and then press ENTER:
    Regsvr32.exe /u "Program Files\Common Files\System\Ole DB\oledb32.dll"
  • For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    Regsvr32.exe /u "Program Files\Common Files\System\Ole DB\oledb32.dll"

    Regsvr32.exe /u "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"

The effect of unregistering OLEDB32.dll

Applications that rely on OLE DB data access will not function.

How to undo this workaround

To undo this workaround, use one of the following.

Note You must run the commands as an administrator.
  • For supported versions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 for 32-bit Systems
    At the command prompt, type the following command, and then press ENTER:
    Regsvr32.exe "Program Files\Common Files\System\Ole DB\oledb32.dll"
  • For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    Regsvr32.exe "Program Files\Common Files\System\Ole DB\oledb32.dll"

    Regsvr32.exe "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"

Method 4: Use SACL entries to disable OLEDB32.dll

You can use SACL entries to disable OLEDB32.dll. To do this, use one of the following.

Note You must run the commands as an administrator.
  • For supported versions of Windows 2000, Windows XP, and Windows Server 2003
    At the command prompt, type the following command, and then press ENTER:
    cacls "Program Files\Common Files\System\Ole DB\oledb32.dll" /E /P everyone:N
  • For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, and Windows Server 2003 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    cacls "Program Files\Common Files\System\Ole DB\oledb32.dll" /E /P everyone:N

    cacls "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll" /E /P everyone:N
  • For supported versions of Windows Vista and Windows Server 2008 for 32-bit Systems
    At the command prompt, type the following commands, and then press ENTER:
    takeown /f "Program Files\Common Files\System\Ole DB\oledb32.dll"

    icacls "Program Files\Common Files\System\Ole DB\oledb32.dll" /save %TEMP%\oledb32.32.dll.TXT

    icacls "Program Files\Common Files\System\Ole DB\oledb32.dll" /deny everyone:(F)
  • For supported versions of Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    takeown /f "Program Files\Common Files\System\Ole DB\oledb32.dll"

    icacls "Program Files\Common Files\System\Ole DB\oledb32.dll" /save %TEMP%\oledb32.32.dll.TXT

    icacls "Program Files\Common Files\System\Ole DB\oledb32.dll" /deny everyone:(F)

    takeown /f "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"

    icacls "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll" /save %TEMP%\oledb32.64.dll.TXT

    icacls "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll" /deny everyone:(F)

The effect of using SACL entries to disable OLEDB32.dll

Applications that rely on OLE DB data access will not function.

How to undo this workaround

To undo this workaround, use one of the following:

Note You must run the commands as an administrator.
  • For supported versions of Windows 2000, Windows XP, and Windows Server 2003
    At the command prompt, type the following command, and then press ENTER:
    cacls "Program Files\Common Files\System\Ole DB\oledb32.dll" /E /R everyone
  • For supported versions of Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition, and Windows Server 2003 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    cacls "Program Files\Common Files\System\Ole DB\oledb32.dll" /E /R everyone

    cacls "Program Files (x86)\Common Files\System\Ole DB\oledb32.dll" /E /R everyone
  • For supported versions of Windows Vista and Windows Server 2008 for 32-bit Systems
    At the command prompt, type the following command, and then press ENTER:
    icacls "Program Files\Common Files\System\Ole DB" /restore %TEMP%\oledb32.32.dll.TXT
  • For supported versions of Windows Vista x64 Edition, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for Itanium-based Systems
    At the command prompt, type the following commands, and then press ENTER:
    icacls "Program Files\Common Files\System\Ole DB" /restore %TEMP%\oledb32.32.dll.TXT

    icacls "Program Files (x86)\Common Files\System\Ole DB" /restore %TEMP%\oledb32.64.dll.TXT

How to determine whether you are running a 32-bit or a 64-bit edition of Windows

If you are not sure which version of Windows you are running, or whether it is a 32-bit version or a 64-bit version, open System Information (Msinfo32.exe) and review the value that is listed for System Type. To do this, follow these steps:
  1. Click Start, and then click Run or click Start Search.
  2. Type msinfo32.exe and then press ENTER.
  3. In System Information, review the value for System Type.
    • For 32-bit editions of Windows, the System Type value is x86-based PC.
    • For 64-bit editions of Windows, the System Type value is x64-based PC.
For more information about how to determine whether you are running a 32-bit or 64-bit edition of Windows, click the following article number to view the article in the Microsoft Knowledge Base:
827218 How to determine whether your computer is running a 32-bit version or a 64-bit version of the Windows operating system

Properties

Article ID: 961051 - Last Review: December 14, 2008 - Revision: 3.3
APPLIES TO
  • Windows Internet Explorer 7
  • Windows Internet Explorer 7 for Windows XP
  • Windows Internet Explorer 7 for Windows Server 2003
  • Windows Internet Explorer 7 for Windows Server 2003 IA64
  • Windows Internet Explorer 7 in Windows Vista
  • Windows Internet Explorer 8
  • Microsoft Internet Explorer 6.0 Service Pack 2
  • Microsoft Internet Explorer 6.0 Service Pack 1
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 5.01 Service Pack 4
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Windows Vista Service Pack 1, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Starter
  • Windows Vista Ultimate
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business 64-bit Edition
  • Microsoft Windows Server 2003 Service Pack 1, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows XP Service Pack 2, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
  • Microsoft Windows XP Service Pack 3, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional