CVE-1999-0839

Vulnerability

The vulnerability resides in the Task Scheduler component of the Offline Browsing Pack included with Internet Explorer 5 on Windows NT 4.0. The Task Scheduler does not properly restrict the creation of AT jobs; a normal user with change access to an existing file owned by an administrator can modify it to become a valid AT job and place it in the appropriate folder for execution. The affected software is Internet Explorer 5 on Windows NT 4.0 when the Offline Browsing Pack is installed (not installed by default). [1]

Exploitation

An attacker must have interactive logon access to the machine and possess change permissions on an existing file owned by an administrator. The attacker modifies that file to be a valid AT job and places it in the scheduled tasks folder. The Task Scheduler then executes the job in the SYSTEM context. No additional user interaction is required beyond the initial modification. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary code with SYSTEM privileges, resulting in full compromise of the machine. This is a privilege escalation from a normal user to SYSTEM. [1]

Mitigation

Microsoft released a version upgrade (patch) that digitally signs all AT jobs at creation time and verifies the signature at execution time, preventing unauthorized modifications. The patch is available via Microsoft Security Bulletin MS99-051. [1] As the vulnerable component is not installed by default, removing the Offline Browsing Pack also mitigates the issue.