Crystal Reports flaw affects Visual Studio, Outlook

TechRepublic
Microsoft has patched a vulnerability in the Web viewing component of Crystal Reports. This component is used in Visual Studio .NET 2003, Outlook 2003 (when used with Business Contact Manager), and Microsoft's CRM solution.

The source of the threat is a directory traversal vulnerability, CAN-2004-0204. This can result in a denial of service event or a confidential information disclosure.

MBSA (Microsoft Baseline Security Analyzer) can't detect this problem, but the Systems Management Server (SMS) will report if the update is needed.

According to Microsoft Security Bulletin MS04-017, "Vulnerability in Crystal Reports Web Viewer Could Allow Information Disclosure and Denial of Service," the vulnerable component is any version of the CrystalDecisions.Web.dll file earlier than 9.1.9800.9.

Patches are available, and there are several possible workarounds.

This flaw affects:

  • Visual Studio .NET 2003 (only if IIS was installed at the time VS.NET 2003 was installed).
  • Outlook 2003 with Business Contact Manager (only if installed at a time when IIS was already installed).
  • Microsoft Business Solutions CRM 1.2.

    For the first two pieces of software, any authenticated or anonymous user accessing Crystal Reports Web Viewer can attack using this vulnerability. For CRM 1.2, only authenticated users are capable of launching an attack because they are the only ones who can access the Web Viewer. The threats that are dependent on an IIS installation are due to the different default installation triggered by the presence of IIS.

    Microsoft reports that no other versions of these programs are affected by this vulnerability.

    Risk level
    Microsoft rates this as only a moderate threat, but it bases its evaluation in part on how many people are using the affected products. Since the threat in MS04-017 applies to products that don't ship with every Windows computer, the company rates the threat as only moderate.

    However, when I determine threat levels, I normally look at the potential damage to those who are using the vulnerable programs. After all, if your systems can be easily compromised by a flaw, it is little consolation if few others are vulnerable. Therefore, I rate the threat level of this vulnerability as high because a successful attacker could view or modify database files, probably without leaving a trace. The actual level of threat would depend in great part on how critical the information stored in the database is; however, a good firewall configuration would greatly reduce the risk.

    This isn't one of those really big threats, but it can cause a lot of problems and requires your attention if you are managing the affected products.

    Mitigating factors
    1. Only systems with Internet Information Services (IIS) installed are vulnerable.

    2. Good firewall security practices should block this attack.

    3. Microsoft reports, "The attack is only effective against files where the IIS worker process that is hosting the CrystalDecisions.Web.dll file has delete permissions." Whether this means that the exploit couldn't also be used to view unauthorised files wasn't made clear in the bulletin.

    One workaround: because this flaw only affects systems with IIS installed, disabling IIS would block any attack through this vector. According to Microsoft, executing the net stop w3svc command is actually all that is required to disable IIS. This would, of course, terminate Web content access. See the Security Bulletin for additional workarounds, as well as patches for the affected products.
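
A host-level check for the condition described above, as an added PowerShell example (not from the article or from Microsoft's bulletin): it looks for CrystalDecisions.Web.dll, compares each copy's file version with 9.1.9800.9, and reports the state of the W3SVC service. The search roots and the function name Get-CrystalWebViewerStatus are assumptions made for this example.

```powershell
# Added example: flag copies of CrystalDecisions.Web.dll older than the fixed
# version quoted in the article (9.1.9800.9) and show whether IIS is running.
param(
    # Assumed search locations; adjust to where the product is installed.
    [string[]]$SearchRoot = @($env:ProgramFiles, $env:windir)
)

$FixedVersion = [version]'9.1.9800.9'   # version named in MS04-017 per the article

function Get-CrystalWebViewerStatus {   # hypothetical helper name
    param([string[]]$Root, [version]$Fixed)

    foreach ($r in $Root) {
        if (-not $r -or -not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -Filter 'CrystalDecisions.Web.dll' `
                      -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo
                # Build the version from the numeric parts: the FileVersion
                # string is free-form text and does not always parse.
                $found = New-Object System.Version -ArgumentList `
                    $vi.FileMajorPart, $vi.FileMinorPart,
                    $vi.FileBuildPart, $vi.FilePrivatePart
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $found
                    NeedsUpdate = ($found -lt $Fixed)
                }
            }
    }
}

$copies = @(Get-CrystalWebViewerStatus -Root $SearchRoot -Fixed $FixedVersion)

# The article's mitigating factor: only hosts with IIS are exposed.
$w3svc    = Get-Service -Name 'W3SVC' -ErrorAction SilentlyContinue
$iisState = if ($w3svc) { [string]$w3svc.Status } else { 'NotInstalled' }

if ($copies.Count -eq 0) {
    Write-Output "No CrystalDecisions.Web.dll found under: $($SearchRoot -join ', ')"
} else {
    $copies | Select-Object Path, FileVersion, NeedsUpdate,
        @{ Name = 'IIS'; Expression = { $iisState } } | Format-Table -AutoSize
}
```

A row with NeedsUpdate set to True on a host where IIS is Running is the combination the article describes as exposed.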

    ©2004 TechRepublic, Inc.
