[56] in Best-of-Security
daemon@ATHENA.MIT.EDU (proff@suburbia.net)
Thu Mar 6 22:05:54 1997
Delivered-To: bos@suburbia.net
Date: 7 Mar 1997 00:07:33 -0000
From: proff@suburbia.net
To: bos@suburbia.net
Reply-To: best-of-security@suburbia.net
Yet another Internet Explorer bug...
Last updated on 3/5/97
----------------------------------------------------------------------------
Overview:
On certain machines running Internet Explorer 3.0, an icon can be
embedded within a web page. When double-clicked, this icon may
run a remote application without warning. This is not the same as
the ".LNK and .URL" bug discovered recently. Be very afraid.
Who may be victimized:
This bug only affects Internet Explorer 3.0 users (version
4.70.1215). The problem is significantly more serious if the user
is on a platform with CIFS (Windows NT 4.0 with Service Pack 1 or
later installed). If this is the case, the location of the
malicious executable code to be run on the victim's machine could
be anywhere on the Internet. If this is not the case, the
location of the machine containing the code is restricted to
within the scope of Windows name resolution. For example, the
host must be either on the same subnet, listed in the victim's
LMHOSTS file, or listed on the victim's WINS server.
Examples:
Working examples of this bug are provided on a separate page
because Windows name resolution often forces Internet Explorer to
block for 10 to 15 seconds. If this happens, just wait it out,
your computer has not crashed. If you are using Internet Explorer
on a machine that doesn't have CIFS, the wait period may be
significantly longer in order for Windows name resolution to time
out. It should be noted however that CIFS is required for these
examples to function.
Is this related to the "other" Internet Explorer bug of a similar nature
discovered by Paul Greene?
No. This is not the same bug and the patch released to fix the
other bug does not prevent this problem from occurring. The only
similarities between the discovery of this bug and the
discovery of the other bug are that I go to a college, live in a
dorm, and have friends who helped me with this page. It should
also be noted that this bug is probably the result of the move to
merge Internet Explorer with the Windows desktop, just as the
other bug was.
So how does this work?
Internet Explorer enables a user to use a URL describing a remote
directory. When a user clicks on such a link, they are brought to
what is essentially a Windows Explorer window, but inside of
Internet Explorer. If this URL is used as the basis for an
<IFRAME> tag, an embedded frame can be created with what is
essentially a Windows Explorer window inside. If this window is
made small enough, it appears to be some sort of button, one which
runs a remote program when double-clicked. CIFS allows a machine
to use the IP or hostname provided in the URL as a way of
contacting the remote host containing the executable.
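As an added example (not part of the original advisory), the following scanner flags IFRAME elements whose src names a remote share through a file: URL or a UNC path, which is the construction described above; a defender can run it over saved or proxied HTML. The share host names in the constructed sample page are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that mean "this machine"; a file: URL naming one of these does not
# reach out over CIFS/SMB, so it is not flagged.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}

# A UNC path: two leading backslashes, a host, then a separator.
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")


def remote_host(src):
    """Return the remote host an IFRAME src points at via a network share
    (file: URL with a host, or a UNC path), or None if it names no remote host."""
    s = src.strip()
    m = UNC_RE.match(s)
    if m:
        host = m.group(1).lower()
        return None if host in LOCAL_HOSTS else host
    u = urlparse(s)
    if u.scheme.lower() == "file":
        host = u.netloc.lower()
        # "file:////host/share" parses with an empty netloc and a path of
        # "//host/share"; recover the host from the path in that case.
        if not host and u.path.startswith("//"):
            host = u.path[2:].split("/", 1)[0].lower()
        return None if host in LOCAL_HOSTS else host
    return None


class IframeScanner(HTMLParser):
    """Collects every IFRAME/FRAME whose src resolves to a remote share."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in ("iframe", "frame"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        host = remote_host(a.get("src", ""))
        if host:
            # Width/height are kept because the advisory notes the frame is
            # shrunk until it looks like a button.
            self.findings.append({"host": host, "src": a["src"],
                                  "width": a.get("width"), "height": a.get("height")})


def scan_html(html):
    """Parse html and return the list of remote-share IFRAME findings."""
    p = IframeScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: one ordinary frame, two remote-share frames
# (file: URL and UNC form), and one local file: URL that must not be flagged.
SAMPLE = """<html><body><p>Normal page.</p>
<iframe src="http://www.example.com/news.html" width="400" height="300"></iframe>
<iframe src="file://SHARE-HOST.EXAMPLE/public/" width="20" height="20"></iframe>
<iframe src="\\\\share-host.example\\public\\" width="20" height="20"></iframe>
<iframe src="file:///C:/temp/"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE):
        print(f)
```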
New Information:
* 3/5/97 7:30 pm - Microsoft contacted us and they are working
on a fix.
* 3/5/97 5:45 pm - Reported to work in Memphis. (thanks to
anonymous)
Disclaimer:
I discovered a different bug in a Microsoft product a year ago,
and I found that it is very bad for my own personal PR. The bug
was small and couldn't be used to gain access to a foreign
computer system. I wrote about the bug in an extremely
responsible way and even submitted my description of the bug as a
writing sample on an interview. Nevertheless I was accused of
being irresponsible, and even of being a "hacker." I'll admit
that I might have been irresponsible by not letting Microsoft know
about the problem ASAP, but I am NOT a hacker. Anyone who
attempts to gain access to a computer without authorization is
doing something dishonorable, illegal, and wrong. Period. If
I am somehow made aware that someone has made use of the
information on this page for a malicious purpose, I will not
hesitate to alert the authorities.
In light of my experiences in the past, I feel I should mention
that:
* I do not hold a grudge against Microsoft. I use (and
love!) their products and would like to see them as bug-free
as possible.
* I do not have any idea (or care about) how to "crack Windows
95 screensaver passwords." For some reason I keep getting
mail about this, and I just want it to stop.
* Please drop me an e-mail if you reference this page.
----------------------------------------------------------------------------
Initial discovery by David Ross [Widdle Doggie Now!]
Help from Dennis Cheng and Asher Kobin.
Page created on 3/4/97
(c) 1997 Widdle Doggie. All rights reserved.