MS08-023: Same bug, four different security bulletin ratings

Security bulletin MS08-023 addressed two ActiveX control vulnerabilities, one in a Visual Studio ActiveX control and another in Yahoo!’s Music Jukebox ActiveX control.  The security update sets the killbit for both controls.  For more about how the killbit works, see the excellent three-part series (1, 2, 3) from early February in this blog.

One interesting thing you might notice about this bulletin is the diversity of severity ratings between different platforms.  Windows 2000 and XP are rated Critical.  Windows Vista is rated Important.  Windows Server 2003 is rated Moderate.  And Windows Server 2008 is rated Low.  The same bug on different platforms got four different security bulletin ratings!  We thought this might raise some questions so we decided to explain a little more about how the rating system works for browser-based vulnerabilities.

We rate browser-based vulnerabilities Critical when they allow drive-by code execution.  Internally, we refer to them as “browse-and-you’re-owned”.  Simply browsing to the website (or being redirected there via iframe) is enough to trigger the vulnerability – no prompts, no gold bar, nothing but browsing is necessary.  In this specific case of MS08-023 on Windows XP SP2, users who have the ActiveX control installed are vulnerable to drive-by attack.  And even if the ActiveX control is not already installed, an attacker can serve it to the browsing user.  Because this control was signed by Microsoft, if a user had previously chosen to always install software from Microsoft, they will not be prompted.  The security warning dialog below shows how a user could choose to always install software from Microsoft.

IE7 on Vista requires a user to “opt-in” to ActiveX controls they want to run.  If an ActiveX control is not included on the opted-in list, it will not run.  We do not expect users will have opted-in to use this Visual Studio ActiveX control (most of you probably have never even heard of it), so the Vista MS08-023 rating is Important.  You can see what the ActiveX opt-in gold bar looks like below.

Windows Server 2003 ships with the Enhanced Security Configuration (ESC) enabled. Browsing with the ESC enabled prevents any scripting or ActiveX controls from being run (and also enables other browser hardening suitable on a server).  With the ESC enabled, the MS08-023 vulnerabilities are not reachable.  You’d have to explicitly turn this security setting off, and so we’ve rated this issue Moderate. You can see the Enhanced Security Configuration dialog below.

Windows Server 2008 includes both the above mitigations.  It ships with IE7 so it gets the IE7 ActiveX opt-in by default.  And it also ships with the Enhanced Security Configuration feature enabled.  The ESC drops the rating from Critical to Moderate.  The IE7 ActiveX opt-in drops it one more notch from Moderate to Low.
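The three factors the ratings above hinge on (whether the killbit is set for the control, whether the IE7 ActiveX opt-in has approved it, and whether the Enhanced Security Configuration is enabled) are all visible in the registry, so an administrator can verify them on a given machine. The script below is an added example, not code from the original post or from Microsoft. It uses the documented registry locations for the killbit (`Compatibility Flags` with bit 0x400 under `ActiveX Compatibility`), the IE pre-approved list (`Ext\PreApproved`), the per-user ActiveX opt-in record (`Ext\Stats`), and the ESC Active Setup components; the CLSID is a placeholder, since the post does not list the affected controls' CLSIDs, and the function names are this example's own.

```powershell
# Added example (not from the original post or from Microsoft): audit the three
# mitigations that MS08-023's per-platform ratings depend on.
# PLACEHOLDER: substitute the affected control's CLSID from the bulletin's KB article.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # IE reads 'Compatibility Flags' for the CLSID; bit 0x400 is the killbit.
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so check both.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($p in $paths) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and (($flags -band 0x400) -ne 0)) { return $true }
    }
    return $false
}

function Test-ActiveXOptIn {
    param([Parameter(Mandatory)][string]$Clsid)
    # Machine-wide pre-approved list: controls here run without the opt-in gold bar.
    $preApproved = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\$Clsid"
    )
    # Per-user opt-in record for the current user: domains the user allowed the control on.
    $userOptIn = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$Clsid\iexplore\AllowedDomains"
    [pscustomobject]@{
        PreApprovedMachineWide = [bool]($preApproved | Where-Object { Test-Path $_ })
        OptedInByCurrentUser   = (Test-Path $userOptIn)
    }
}

function Test-EnhancedSecurityConfig {
    # ESC is registered as two Active Setup components (administrators and users);
    # IsInstalled = 1 means that group's hardened configuration is enabled.
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $admin = (Get-ItemProperty -Path "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    $user  = (Get-ItemProperty -Path "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    [pscustomobject]@{
        AdministratorsGroup = ($admin -eq 1)
        UsersGroup          = ($user -eq 1)
    }
}

# Summarise the exposure the way the bulletin reasons about it: the control is only
# reachable by a drive-by if it is not killbitted, has been opted in, and ESC is off.
$killBit = Test-KillBit -Clsid $Clsid
$optIn   = Test-ActiveXOptIn -Clsid $Clsid
$esc     = Test-EnhancedSecurityConfig

[pscustomobject]@{
    Clsid                    = $Clsid
    KillBitSet               = $killBit
    PreApprovedMachineWide   = $optIn.PreApprovedMachineWide
    OptedInByCurrentUser     = $optIn.OptedInByCurrentUser
    EscAdministrators        = $esc.AdministratorsGroup
    EscUsers                 = $esc.UsersGroup
    ReachableWithoutPrompt   = (-not $killBit) -and
                               ($optIn.PreApprovedMachineWide -or $optIn.OptedInByCurrentUser) -and
                               -not ($esc.AdministratorsGroup -or $esc.UsersGroup)
} | Format-List
```

Run it in an elevated PowerShell session after installing the update: `KillBitSet` should report `True` for each affected CLSID regardless of platform, and on Windows Server 2003 and 2008 the ESC values should still be `True` unless someone has deliberately turned the feature off. A `ReachableWithoutPrompt` of `True` is the "browse-and-you're-owned" condition the Critical rating describes.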

– Security Vulnerability Research & Defense Bloggers

*Postings are provided “AS IS” with no warranties, and confer no rights.*