[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference gyro::internet_toolss

Title:	Internet Tools
Notice:	Report ALL NETSCAPE Problems directly to kdlucas@netscape.com.rnet? Read note 448.L for beginner information.
Moderator:	teco.mro.dec.com::tecotoo.mro.dec.com::mayer

Created:	Fri Jun 25 1993
Last Modified:	Fri Jun 06 1997
Last Successful Update:	Fri Jun 06 1997
Number of topics:	4714
Total number of notes:	40609

4518.0. "Internet Explorer Security Problem in the news." by IPNG::CARSON (Pete Carson, Networks for OpenVMS Engineering) Tue Mar 04 1997 13:56

Internet Explorer browser
           has security flaw 

           Microsoft says
           student found
           problem

  
           March 4, 1997
           Web posted at: 9:45 a.m. EST 

           SEATTLE (CNN) -- Microsoft Corp.
           said Monday it expected to post "within
           48 hours" a fix to a security flaw in its
           Internet Explorer (IE) browser that could
           allow a Web site operator to secretly run
           programs or destroy files on someone
           else's personal computer. 

           Although the company said it had no
           customer reports of security breaches, a
           computer security expert said the
           problem was extremely serious because
           it bypasses the widely used software's
           security measures. 

           "It is as if you allowed someone to type
           on your computer and you go out to
           lunch," said Simson Garfinkel, an
           author of Internet security books and
           columnist for Hotwired magazine and
           the Boston Globe. 

           The flaw could result in all sorts of
           mischief, such as preventing another
           person's computer from starting up or
           sending e-mail from another person's
           account, Garfinkel said. 



           Microsoft officials said Monday they
           were testing a solution for the problem
           and expected to have it quickly posted to
           the company's site on the World Wide
           Web. 

           Internet Explorer, Microsoft's key
           Internet product, is used by millions of
           people worldwide to access the Web.
           Microsoft estimates it has a 25 percent
           to 30 percent market share, behind
           Netscape Communications Corp.'s
           Navigator program. 

           Netscape: Not us

           Officials at Netscape
           stressed that their product
           does not have the security
           flaw. 

           "Netscape does not have any similar
           problem nor have we had any attack so
           wide in scope with any technology," said
           Eric Greenberg, senior security product
           manager for Netscape. 

           "Microsoft is newer to the Internet arena
           and is encountering some of the
           problems with trying to catch up,"
           Greenberg said. 

           Student finds bug, posts info

                       Paul Balle, a product
                       manager for
                       Microsoft's Internet
           Explorer team, said Microsoft learned of
           the flaw Monday after it was discovered
           last week by a student at Worcester
           Polytechnic Institute in Worcester,
           Massachusetts. 

           Student Paul Greene and his friends
           posted information about the flaw on
           their Web site, called Cybersnot. 

           "We take this very seriously," Balle said.
           "The moment we found out about it, we
           got our developers and program
           managers on it." 

           Balle said the bug is especially
           worrisome because it bypasses even the
           highest levels of Internet Explorer's
           security systems. 

           Student says only Internet
           Explorer affected

           On the Cybersnot Web page, Greene
           said that "Windows 95 comes with a
           variety of potentially damaging programs
           which can easily be executed." 

           As an example, Greene said certain
           links could create and delete some
           directories on a Windows 95 machine. 

           Greene said in an interview with
           InfoWorld Electric, posted to that Web
           site Monday afternoon, that the problem
           appears only to affect Internet Explorer. 

           "The ramification for IE is that any
           anti-Microsoft jerk can set up their Web
           site to be destructive to anyone using
           Internet Explorer and safe for all other
           browsers," InfoWorld quoted Greene as
           saying. 

           Although Microsoft was responding
           quickly, security expert Garfinkel said
           eradicating the problem would still
           depend on all existing Internet Explorer
           users modifying their software. 

           "The reason that it is so serious is that it
           is very easy to exploit this bug and the
           knowledge on how to exploit it has been
           widely disseminated to the public," he
           said. 

           "There are millions of people using
           Internet Explorer that would not move
           quickly to update," he added. 

           Balle said that in the year that Internet
           Explorer versions 3.0 and 3.1 have been
           available, this was the first time the
           security problem had been reported to
           Microsoft. 

           The problem primarily is in those
           versions of Internet Explorer, but
           possibly might affect previous versions,
           he said. 

           How flaw could work

           The flaw involves basic
           functions found within
           Microsoft's Windows 95
           and Windows NT operating systems. 

           When a PC user clicks on a hyperlink on
           a Web page, Balle explained, a Web
           page creator could have that link
           connect to file known as a "shortcut" in
           Windows 95 and NT. Shortcuts are
           widely used to start computer programs
           or functions. 

           If the "webmaster" for the Web page can
           guess the precise location and code
           needed on the user's computer,
           shortcuts on the Web page could
           surreptitiously select and start programs
           on the user's hard drive. 

           "If they can guess it, they can get to it,"
           Balle said. 

           Many widely available programs such as
           Windows 95 have standard locations or
           addresses where their components are
           stored on computers. Unless a PC user
           custom-installed or otherwise modified
           a program, the addresses would be
           simple to guess. 

           The Associated Press contributed to this
           report.

T.R	Title	User	Personal Name	Date	Lines
4518.1	http://www.cybersnot.com	NETRIX::"nishikigi@gw2.tbj.dec.com"		`Tue Mar 04 1997 21:02`	103
	http://www.cybersnot.com/iebug.html� Cybersnot Industries Internet Explorer Bug Internet Explorer Bug 2/27/97 (Version 3.0 (4.70.1155)) Microsoft Internet Explorer v3.01 (and earlier?) has a serious bug which allows web page writers to use ".LNK" and ".URL" files to run programs on a remote computer. This bug is particularly damaging because it uses NO ActiveX, and works even when Internet Explorer is set to its highest security level. It was tested on Microsoft Internet Explorer Version 3.0 (4.70.1155) running Windows 95. This demo assumes that Windows is installed in "C:\WINDOWS". Windows 95 DOES NOT PROMPT BEFORE EXECUTING THESE FILES. .URL files are WORSE than .LNK files because .URLs work in both Windows 95 and Windows NT 4.0 (.LNK's only work in Windows 95). .URL files present a possibly greater danger because they can be easily created by server side scripts to meet the specific settings of a user's system. We will provide .URL files for execution in the next day or so. The "shortcuts" can be set to be minimized during execution which means that users may not even be aware that a program has been started. Microsoft's implementation of shortcuts becomes a serious concern if a webpage can tell Internet Explorer to refresh to an executable. Or worse, client side scripts (Java, JavaScript, or VBScript) can use the Explorer object to transfer a BATCH file to the target machine and then META REFRESH to that BATCH file to execute the rogue command in that file. The following table outlines which areas and users each shortcut type effects: File Type Windows 95 Windows NT Execute Apps Command Line Args Allowed Searches Path .LNK Yes No Yes Yes No .URL Yes Yes Yes No Yes Security Comparision .URL vs .LNK Naturally, the files must exist on the remote machine to be properly executed. But, Windows 95 comes with a variety of potentially damaging programs which can easily be executed. The following link will start the standard calculator which comes with Windows 95. Windows Calculator (.lnk). Windows Calculator (.url). This bug can be used to wreak havoc on a remote user's machine. The following links will create and delete some directories on a Windows 95 machine. Create a directory "C:\HAHAHA". Open "C:\HAHAHA" Remove the directory "C:\HAHAHA" The META REFRESH tag can be used to execute multiple commands in sequence. This demo copies a .BAT file into your Internet Explorer cache and then runs the .BAT file. This .BAT will create a new key in your registry called "HKEY_CURRENT_USER/Software/Cybersnot". It will then open your AUTOEXEC.BAT and CONFIG.SYS in notepad. Finally, it will open REGEDIT so that you can view the key it creates. This demo does not destroy anything and should not cause any problems on your system. HOWEVER by clicking below, you are doing so at your own risk and agree not to hold us liable for any problems which may (but probably won't) arise. .BAT Demo Well! We've made it to the news! Here is what people are saying: InfoWorld CNetNews And Microsoft says a bug-fix will be available tonight (March 3, 1997) at: http://www.microsoft.com/ie/default.asp Internet Explorer Bug Discovered By Paul Greene Page and Examples by Geoffrey Elliott & Brian Morin [Posted by WWW Notes gateway]
4518.2	Fix for US 3.01 available	JOKUR::BOICE		`Wed Mar 05 1997 07:55`	6
	Microsoft has a code fix for the US 3.01 version at: http://www.microsoft.com/ie/security/update.htm This looks like the page where MS will communicate other available versions and country fixes.
4518.3		teco.mro.dec.com::tecotoo.mro.dec.com::mayer	Danny Mayer	`Wed Mar 05 1997 08:39`	10
	The fix for 3.01 Intel Build 1215 or later is now available for NT 4.0 or Windows 95. It is NOT yet available for IE 3.0 (Build 1155-1158) or for Alpha. I have the fix up on the IBG Software Distribution Server (but don't use IE 3.0 to fetch it :-)) at URL: http://ibgzko.zko.dec.com/sdk/ in the Released Kits area. Danny
4518.4		VAXCPU::michaud	Jeff Michaud - ObjectBroker	`Wed Mar 05 1997 10:19`	3
	So what did they implement for a "fix"? Do they now do like Netscape and pop up a confirmation dialog box before executing the program?
4518.5		teco.mro.dec.com::tecotoo.mro.dec.com::mayer	Danny Mayer	`Wed Mar 05 1997 10:48`	4
	I also forgot to mention that the fix is only currently available for IE 3.01 US English. Danny
4518.6		QUARK::LIONEL	Free advice is worth every cent	`Wed Mar 05 1997 11:42`	3
	Yes, with the fix, you get a confirmation box. Steve
4518.7		STAR::KMCDONOUGH	SET KIDS/NOSICK	`Thu Mar 06 1997 12:27`	11
	Considering that it's only a matter of time before some MS hating sites exploit this large security hole, I'm surprised that Corporate Security hasn't sent out mail to the troops about the problem and the patch. This could have a much larger impact than the average virus. Kevin
4518.8		QUARK::LIONEL	Free advice is worth every cent	`Thu Mar 06 1997 15:36`	6
	It seems to me that Corporate Security doesn't move too quickly on things like this. I don't know why this is - perhaps there's a lengthy review process on the memos. For example, I got a memo warning about Excel viruses a couple of months after they started propogating. Steve
4518.9	It takes a while to know what's real	POWDML::SDANCAUSE		`Thu Mar 06 1997 16:54`	15
	Hi, Part of .08 is correct. It takes us a while to verify the problem sometimes, and sometimed its a while before we have an answer we can stand behind. This problem has been worked, and the information was posted on the web at corpsec.mso.dec.com, submitted to Reader's Choice, livewire and VTX this morning, so complete information as it related to internal Digital will be forthcoming. Regards, Steve Dancause Corporate Information Security
4518.10		teco.mro.dec.com::tecotoo.mro.dec.com::mayer	Danny Mayer	`Fri Mar 07 1997 12:03`	8
	You are incorrect about this delay. I had been in touch with corporate security since the news broke on Tuesday morning. We had to wait for the fix and gather some more information about it. As Steve Dancause said the information about this has already gone out to the Digital community. Corporate Security can't do too much until Microsoft has a fix available. We are still awaiting the Alpha version of the patch. Danny
4518.11		STAR::KMCDONOUGH	SET KIDS/NOSICK	`Fri Mar 07 1997 12:28`	6
	Glad to be proved wrong in this case. Thanks for the update. Kevin
4518.12		teco.mro.dec.com::tecotoo.mro.dec.com::mayer	Danny Mayer	`Mon Mar 10 1997 10:33`	21
	The latest fix for 3.01 Intel Build 1215 or later is now available for NT 4.0 or Windows 95. It is not yet available for Alpha and non-US English languages. I have the fix up on the IBG Software Distribution Server (but don't use IE 3.0 to fetch it :-)) at URL: http://ibgzko.zko.dec.com/sdk/ in the Released Kits area. The 3.01b fix includes the fixes for the MIT and U Maryland bugs. You may want to check the Microsoft site for other languages. Note that the Corporate security advisory requires that you upgrade to IE 3.01 if you are running IE 3.0 or IE 2.0 since they are vunerable to these bugs and no patches will be available for IE 2.0. You can identify IE 3.0 by its build number 1155-1158 in the About page. IE 3.01 is identified by Build 1215 or later. For reasons that are beyond me, both IE 3.0 and IE 3.01 identify themselves in the about page as IE 3.0 even though they identify themselves in the HTTP User-agent field header correctly. Danny
4518.13		SKYLAB::FISHER	Gravity: Not just a good idea. It's the law!	`Tue Mar 11 1997 13:02`	3
	This was just the excuse I needed to switch back to Netscape Navigator. :-) Burns
4518.14		60675::nessus.cao.dec.com::Mayne	A wretched hive of scum and villainy	`Tue Mar 25 1997 17:43`	34
	Microsoft are obviously too excited about their HP partnership to worry about an Alpha version. PJDM INTERNET EXPLORER 3.02 Microsoft is releasing Internet Explorer 3.02, a new version of Internet Explorer for Windows 95 and Windows NT 4.0 users that packages up fixes for the various security threats reported to Microsoft. We strongly encourage all Internet Explorer users to visit http://www.microsoft.com/ie/security/update.htm to download and install the software update for maximum security. Here's why: * Internet Explorer 3.02 encompasses all previous patches and replaces all previous full versions of Internet Explorer for Windows 95 and Windows NT. * As a part of this release, Internet Mail and News has been updated to address attachments being launched without adequate user warning. * Internet Explorer 3.02 also includes Auto-Proxy and Auto-Configuration that network administrators and Internet service providers have asked for to help them deploy and maintain the browser for employees and customers. * For international users, the new version of Internet Explorer will be available in a variety of languages within a few days at http://www.microsoft.com/ie/security/intl_fix.htm.
4518.15		teco.mro.dec.com::tecotoo.mro.dec.com::mayer	Danny Mayer	`Wed Mar 26 1997 09:30`	5
	Microsoft is building IE 3.02 for ALL platforms. They always build the Intel versions first. I will be making the IE 3.02 available shortly on the IBG Software Distribution Server. Danny