FRAMINGHAM (06/29/2000) - A Microsoft Corp. patch aimed at fixing a previously discovered ActiveX flaw may not fully protect users against the vulnerability, according to an advisory issued late last month by Pittsburgh-based Carnegie Mellon University's Computer Emergency Response Team (CERT).
But a Microsoft spokesman insisted that the patch released by the company on June 2 provides protection against the vulnerability in all circumstances where users follow basic security procedures.
The disagreement involves a little-known but potentially serious flaw, discovered in mid-April, in an ActiveX-based shortcut control in the HTML Help feature built into Microsoft's Internet Explorer Web browser.
The shortcuts allow HTML Help files to link to and execute code that helps users understand how to perform certain tasks, said Shawn Hernan, a CERT member.
But under certain conditions - which are described by CERT in its advisory - the feature can be exploited by crackers to plant a malicious help file from a remote location onto a user's system.
Basically, "someone who can exploit this vulnerability can [remotely] do anything you can do on your computer" if the conditions apply, Hernan said.
Earlier this month, Microsoft's own description of the flaw and announcement of the patch acknowledged that attackers exploiting the security hole "could take any actions that the user could take, including adding, changing or deleting data, or communicating with a remote Web site."
Scott Culp, a Microsoft security program manager, said the company's patch eliminates the vulnerability by allowing an HTML Help file to use shortcuts only if the file resides on a user's PC. That should provide ample protection as long as users stick to basic security practices such as having a secure firewall and not accepting files from unknown sources, he said.
The security flaw can only be exploited under very rare circumstances and, even then, only if the user actively downloads a malicious file from a remote location, Culp added.
"CERT's advisory oversimplifies the steps that an attacker would need to exploit the flaw," he said. "The scenario they're postulating would open users up to a far broader range of security issues above and beyond this vulnerability."
But CERT claimed the preconditions needed for the vulnerability to be exploited aren't that uncommon and pose a greater threat than Microsoft describes.
"For some sites, the patch provided by Microsoft is adequate," CERT said in its advisory. "For others, particularly those sites using non-Microsoft networking products, the patch does not provide complete protection."
Users need to understand their networks' configurations prior to deciding which, if any, changes are required beyond installing the patch, CERT added.