Full Report
Just arbitrary coolness regarding Microsoft’s Threat Modeller. It’s XSS-ible… Since this all works in file:///, not overly sure what the benefits of these things will be, but I suppose since different folks may have different privilege levels for different protocol handlers (i.e. file://, http://, etc.), one might be able to instantiate previously unusable OCXes, or even redirect to a site for exploiting browser vulnerabilities. Never happened unless there are pictures, so refer below…
Analysis Summary
# Vulnerability: Cross-Site Scripting (XSS) in Microsoft Threat Modeller (file:// context)
## CVE Details
* **CVE ID:** Not explicitly provided in the text. (Note: Since the product is deprecated, an official CVE might not have been assigned or publicly linked in this summary.)
* **CVSS Score:** Not provided.
* **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) is implied.
## Affected Systems
* **Products:** Microsoft Threat Modeller (Tool)
* **Versions:** The specific vulnerable version is not listed; the finding concerns the release available around September 2009, which has since been deprecated.
* **Configurations:** Vulnerability is tied to how the tool processes input/data within the context of `file:///` protocol handlers.
## Vulnerability Description
The research identifies a Cross-Site Scripting (XSS) vulnerability within the Microsoft Threat Modeller tool, stemming from its use of the `file:///` protocol handler context. The author suggests that by manipulating inputs viewed via `file:///`, an attacker could potentially instantiate previously unusable ActiveX controls (OCXes) or redirect the user to exploit browser vulnerabilities. This combination, involving the XSS flaw and vulnerable ActiveX controls, could potentially lead to Remote Code Execution (RCE).
## Exploitation
* **Status:** Proof-of-Concept (PoC) is implied, as the researchers found a mechanism that could lead to RCE ("we find ourselves with a nice mechanism for getting remote code execution").
* **Complexity:** Not stated; the author implies it is achievable in practice.
* **Attack Vector:** Local (likely requiring the victim to open a specially crafted file or output generated by the application).
## Impact
* **Confidentiality:** High (Potential information disclosure or session hijacking via redirection/browser exploitation).
* **Integrity:** High (Potential for modification of user data or system state via successful RCE).
* **Availability:** Medium to High (Loss of service or system compromise).
## Remediation
### Patches
* **Status:** Microsoft MSRC indicated that because the product is deprecated, they **will not open a case to investigate the issue**.
* **Vendor Action:** MSRC intended to contact the Download Center to attempt to remove the deprecated tool, as newer tools/versions are available.
* **Specific Patches:** None listed, as the product is deprecated. Users are directed to use current versions/tools.
### Workarounds
* The primary workaround is to **stop using the deprecated Microsoft Threat Modeller tool** and migrate to its current replacement/successor tools.
* Avoid opening files or outputs generated by the tool in untrusted environments, especially if they involve interactions with local resources or protocol handlers.
## Detection
* **Indicators of Compromise:** Attempts to load external resources or execute arbitrary code when viewing Threat Modeller output files via the `file:///` protocol.
* **Detection Methods and Tools:** Endpoint protection and browser security monitoring should be configured to flag script execution, external resource loads, or ActiveX/plugin instantiation originating from locally opened report files generated by this tool.
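As an added, defender-side illustration (not code from the page, from SensePost, or from Microsoft's tool), the block below models the CWE-79 pattern the summary describes and the indicators listed under Detection. It assumes a hypothetical report generator that writes user-supplied threat titles into an HTML report that is later opened via `file:///`; `render_report_unsafe` interpolates the title verbatim, `render_report_safe` entity-encodes it, and `audit_report_html` / `audit_report_file` flag the indicators of compromise named above (inline script, external resource loads, object/plugin instantiation) in a generated file. The threat title and the `<object>` snippet are constructed sample data.

```python
import html
import re
import tempfile
from pathlib import Path

# Constructed sample: a threat title typed into the modelling tool by a user
# (hypothetical data, not taken from the page).
UNTRUSTED_THREAT_TITLE = "Spoofing of admin <script>alert(document.location)</script>"

# Constructed sample of a report that already carries the indicators the
# Detection section lists (object instantiation + external load).
SUSPICIOUS_REPORT = (
    '<html><body><h1>Threat: Tampering</h1>'
    '<object classid="clsid:PLACEHOLDER-0000" codebase="http://example.invalid/x.cab"></object>'
    '</body></html>'
)


def render_report_unsafe(title: str) -> str:
    """Vulnerable pattern: untrusted field written straight into markup."""
    return f"<html><body><h1>Threat: {title}</h1></body></html>"


def render_report_safe(title: str) -> str:
    """Hardened pattern: every untrusted field is HTML-entity-encoded first,
    so '<', '>', '&' and quotes can never start a tag or attribute."""
    return f"<html><body><h1>Threat: {html.escape(title, quote=True)}</h1></body></html>"


# Indicators from the Detection section, expressed as simple content checks.
INLINE_SCRIPT_RE = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.I)
EXTERNAL_LOAD_RE = re.compile(
    r"""\b(?:src|href|data|codebase)\s*=\s*["']?\s*(?:https?:|ftp:|file:|\\\\)""", re.I
)
PLUGIN_OBJECT_RE = re.compile(r"<\s*(?:object|embed|applet)\b", re.I)


def audit_report_html(text: str) -> list[str]:
    """Return the list of indicators present in a report's HTML (empty = clean)."""
    findings = []
    if INLINE_SCRIPT_RE.search(text):
        findings.append("inline-script")
    if EXTERNAL_LOAD_RE.search(text):
        findings.append("external-resource")
    if PLUGIN_OBJECT_RE.search(text):
        findings.append("activex-or-plugin-object")
    return findings


def audit_report_file(path: Path) -> list[str]:
    """Audit a report file on disk, the form in which the tool's output is opened."""
    return audit_report_html(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        unsafe = Path(tmp) / "report_unsafe.html"
        safe = Path(tmp) / "report_safe.html"
        unsafe.write_text(render_report_unsafe(UNTRUSTED_THREAT_TITLE), encoding="utf-8")
        safe.write_text(render_report_safe(UNTRUSTED_THREAT_TITLE), encoding="utf-8")
        for p in (unsafe, safe):
            print(f"{p.name}: {audit_report_file(p) or 'clean'}")
        print(f"constructed suspicious report: {audit_report_html(SUSPICIOUS_REPORT)}")
```

The content checks are deliberately coarse: a report produced by a modelling tool has no legitimate reason to carry inline script, plugin objects, or references to remote or UNC locations, so any hit is worth a look rather than a tuned signature. The escaping in `render_report_safe` is the fix the CWE-79 classification points at; it has to be applied to every field that reaches the HTML, not just the title used here.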
## References
* SensePost Article Date: 15 September 2009
* Vendor Advisory: MSRC confirmed non-investigation due to deprecation status. (No official CVE advisory provided.)