Recently, there was a public post in milw0rm (http://www.milw0rm.com/exploits/5530), talking about an issue in the ActiveX control of Microsoft Works 7 WkImgSrv.dll. The PoC claims that it would achieve remote code execution. McAfee Avert Labs Blog also had a post about this (http://www.avertlabs.com/research/blog/index.php/2008/04/17/potential-microsoft-works-activex-0-day-surfaces/).
At first glance the issue sounds serious, right? Upon further investigation, there is no useful attack vector.
The following is the output of the code (ClassId.cs) we posted in a previous SWI blog post: Not safe = not dangerous? How to tell if ActiveX vulnerabilities are exploitable in Internet Explorer.
ActiveX Object CLSID: 00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6
Implements IObjectSafety: False
Safe For Initialization (Registry): False
Safe For Scripting (Registry): False
It shows that this ActiveX object is not SFS nor SFI, nor implements IObjectSafety.
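As an added example (not the ClassId.cs tool from the blog post, and not part of the original), the PowerShell script below performs the registry half of that check for a given CLSID: it looks for the Safe For Scripting and Safe For Initialization component categories under the control's Implemented Categories key, and additionally reads the kill bit from the ActiveX Compatibility key, which is the mitigation covered by the Kill-Bit FAQ. The CATID and kill-bit values are the documented constants; the CLSID default is the Works control discussed above.

```powershell
# Added example, not the SWI ClassId.cs tool: registry-only safety check for an ActiveX control.
# Default CLSID is the Microsoft Works WkImgSrv.dll control discussed in the post.
param(
    [string]$Clsid = '{00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6}'
)

# Documented component category IDs that IE looks for under "Implemented Categories".
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
if (-not (Test-Path $clsidKey)) {
    Write-Output "CLSID $Clsid is not registered on this machine."
    return
}

# A control is SFS / SFI "by registry" only if the matching category subkey exists.
$registeredSfs = Test-Path "$clsidKey\Implemented Categories\$CATID_SafeForScripting"
$registeredSfi = Test-Path "$clsidKey\Implemented Categories\$CATID_SafeForInitializing"

# Kill bit: "Compatibility Flags" DWORD with bit 0x400 set under ActiveX Compatibility.
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$killBit = $false
if (Test-Path $compatKey) {
    $flags = (Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -ne $flags) { $killBit = ($flags -band 0x400) -ne 0 }
}

# Report in the same shape as the ClassId.cs output shown in the post.
[pscustomobject]@{
    'ActiveX Object CLSID'               = $Clsid
    'Safe For Scripting (Registry)'      = $registeredSfs
    'Safe For Initialization (Registry)' = $registeredSfi
    'Kill Bit Set'                       = $killBit
}
```

This does not instantiate the control, so it cannot tell whether the object implements IObjectSafety and reports itself safe at runtime; that is the first line of the ClassId.cs output and needs a COM query. On 64-bit Windows, 32-bit controls register under the Wow6432Node view of these keys, which this script does not consult.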
What would happen if we try to load this ActiveX object in Internet Zone? IE simply would not load it.
Note the zone above shows “Internet”. This is due to the mitigation introduced in 2005 by MS05-052 in IE.
Here are the details of what happens in MS05-052, from the previous SWI blog post: The Kill-Bit FAQ: Part 2 of 3.
“In MS05-052, IE made a change that affects the way controls are instantiated in the Internet zone. The IObjectSafety check is now frontloaded so that IE can determine control safety status quickly and abort instantiation as soon as a control is identified as unsafe.”
The mitigation introduced in MS05-052 only applies to the Internet Zone. If the object were loaded in the Local Machine Zone (LMZ), IE would instantiate it. However, any elevation from the Internet Zone to the LMZ would be considered “Zone Elevation”, which IE blocks, and this does not occur in this case. For more details about IE’s zone elevation feature, please refer to http://msdn2.microsoft.com/en-us/library/ms537185(VS.85).aspx. Moreover, IE further protects the user by locking down the Local Machine Zone by default. For more details about the LMZ lockdown feature, please refer to http://technet.microsoft.com/en-us/library/bb457150.aspx#EHAA.
Now what would happen in the Intranet Zone? IE’s gold bar pops up to block the use of this ActiveX object in script.
We would like to clarify that this is not due to the mitigation introduced in MS05-052. Instead, it is related to the following setting.
– Security Vulnerability Research & Defense Bloggers *Postings are provided “AS IS” with no warranties, and confers no rights.*