CERT® Coordination Center


CERT® Incident Note IN-2000-06

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Exploitation of "Scriptlet.Typelib" ActiveX Control

Date: Tuesday, June 6, 2000

Overview

We have received reports of email-borne viruses that exploit a vulnerability created by unsafe configuration of the Microsoft ActiveX control named "Scriptlet.Typelib".

Description

The Microsoft ActiveX control Scriptlet.Typelib allows local files to be created or modified, so it is unsafe to allow untrusted programs to access this control. The control is incorrectly marked "safe for scripting" as shipped with Internet Explorer versions 4.0 and 5.0. As a result, malicious programs may be able to execute the control without requesting approval from the user. For example, an HTML-format email message that is rendered using Internet Explorer may be able to execute the Scriptlet.Typelib control to create and modify local files.

We are aware of two email-borne viruses that are designed to exploit this vulnerability. Malicious VBScript programs known as Bubbleboy and kak are designed to infect systems by altering the Windows registry and propagating themselves through email. In both cases, a malicious VBScript is delivered in the form of an HTML-format email message with characteristics that might entice a user to view the message. If the HTML in the email message is rendered by Internet Explorer, the VBScript may be executed. In vulnerable configurations, the Scriptlet.Typelib ActiveX control can be called by the malicious program to create and modify local files.

It is important to note that some mail user agents, such as Outlook 2000 and Outlook Express 5, use Internet Explorer to render HTML-format email messages. Rather than explicitly executing a malicious file attachment, a user may cause a malicious program to execute simply by viewing a message.

It is possible that other methods of delivering and executing malicious code can be used to exploit vulnerable configurations of Scriptlet.Typelib; for example, through a maliciously crafted web page.

We began receiving reports of kak and kak variants in late February 2000, and we continue to receive reports of new infections. As of this writing, we have not received any direct reports of Bubbleboy infections.

Information about kak and its variants can be found at

Aladdin Knowledge Systems:
http://www.ealaddin.com/home/csrt/valerts.asp#VBS_KAK
Computer Associates International, Inc.:
http://www.cai.com/virusinfo/encyclopedia/descriptions/wscript.htm
F-Secure:
http://www.f-secure.com/v-descs/kak.htm
Network Associates (McAfee & Dr. Solomon):
http://vil.nai.com/villib/dispVirus.asp?virus_k=10509&
Norman Data Defense Systems:
http://www.norman.no/virus_info/js_kak_worm.shtml
Proland Software:
http://www.pspl.com/virus_info/worms/kak.htm
Sophos Anti-Virus:
http://www.uk.sophos.com/virusinfo/analyses/vbskakworm.html
Symantec:
http://www.symantec.com/avcenter/venc/data/wscript.kakworm.html

Information about BubbleBoy can be found at

Central Command, Inc.:
http://www.avpve.com/viruses/worms/bubblebo.html
Computer Associates International, Inc.:
http://www.cai.com/virusinfo/encyclopedia/descriptions/bubble.htm
F-Secure:
http://www.f-secure.com/v-descs/bubb-boy.htm
Network Associates, Inc. (McAfee & Dr. Solomon's Software):
http://vil.nai.com/villib/dispVirus.asp?virus_k=10418
Norman Data Defense Systems:
http://www.norman.no/virus_info/vbs_bubble.shtml
Proland Software:
http://www.pspl.com/trojan_info/win32/bubbleboy.htm
Sophos Anti-Virus:
http://www.uk.sophos.com/virusinfo/analyses/vbsbubbleboy.html
Symantec:
http://www.symantec.com/avcenter/venc/data/vbs.bubbleboy.html
Trend Micro, Inc.:
http://www.antivirus.com/vinfo/security/sa110999.htm

Impact

Viruses or other malicious code contained in HTML-format email or web pages can exploit Scriptlet.Typelib to create and modify local files.

Solutions

Microsoft produced a patch that will remove the "safe for scripting" marking from the Scriptlet.Typelib ActiveX control. More information about the vulnerable condition and the patch is available from Microsoft at:

http://www.microsoft.com/security/bulletins/ms99-032.asp
http://www.microsoft.com/technet/security/bulletin/fq99-032.asp
http://support.microsoft.com/support/kb/articles/q240/3/08.asp

With the patch applied, the default action is for the user to be prompted before Scriptlet.Typelib is executed. Even with the patch installed, a user can choose to allow the control to be executed. If the control is allowed to execute, local files can still be created and modified.
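One way to audit a Windows machine for the condition described above, as an added example that is not part of the CERT note: the PowerShell script below resolves the control's CLSID from its ProgID key and reports whether the registry still carries the "safe for scripting" component-category marking that the patch removes, and whether an Internet Explorer kill bit has been set for it. It assumes the control declares its safety through the component-category registry keys (a control can also assert safety at runtime through IObjectSafety, which this check does not see), and the CATID values and the Compatibility Flags bit are standard IE values, not taken from the note.

```powershell
# Added example (not from the CERT note): report whether Scriptlet.Typelib is
# still registered as "safe for scripting" on this machine. Assumes Windows
# PowerShell; the CLSID is resolved from the ProgID key rather than hard-coded.

# Well-known IE component category IDs (CATIDs), assumed standard values.
$CatidSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatidSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit = 0x400   # Compatibility Flags bit that blocks a control in IE

# HKEY_CLASSES_ROOT is not mapped as a drive by default.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$progIdKey = 'HKCR:\Scriptlet.Typelib\CLSID'
if (-not (Test-Path $progIdKey)) {
    Write-Output 'Scriptlet.Typelib is not registered on this system.'
    return
}
$clsid = (Get-ItemProperty -Path $progIdKey).'(default)'
Write-Output "Scriptlet.Typelib CLSID: $clsid"

# The "safe for scripting" marking is a subkey under Implemented Categories.
$catKey = "HKCR:\CLSID\$clsid\Implemented Categories"
$safeForScripting = Test-Path "$catKey\$CatidSafeForScripting"
$safeForInit      = Test-Path "$catKey\$CatidSafeForInitializing"
Write-Output "Safe-for-scripting marking present:    $safeForScripting"
Write-Output "Safe-for-initializing marking present: $safeForInit"

# A kill bit in ActiveX Compatibility blocks the control regardless of marking.
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$flags = 0
if (Test-Path $compatKey) {
    $flags = (Get-ItemProperty -Path $compatKey).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
}
$killBitSet = ($flags -band $KillBit) -ne 0
Write-Output "Kill bit set: $killBitSet"

if ($safeForScripting -and -not $killBitSet) {
    Write-Output 'VULNERABLE CONFIGURATION: marked safe for scripting and not blocked.'
    Write-Output 'Apply the MS99-032 patch referenced in the Solutions section and re-run.'
} else {
    Write-Output 'Marking absent or kill bit set: scripted use will prompt or be blocked.'
}
```

Run the script from an elevated prompt if HKCR access is restricted; a result of "marking absent" means the zone setting for controls not marked safe decides whether the user is prompted, matching the post-patch behaviour the note describes.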

Authors: Kevin Houle, Chad Dougherty, Brian King


This document is available from: http://www.cert.org/incident_notes/IN-2000-06.html

CERT/CC Contact Information

Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

To subscribe to the CERT mailing list for advisories and bulletins, send email to [email protected]. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 2000 Carnegie Mellon University.