[4642] in WWW Security List Archive

Big IE hole

daemon@ATHENA.MIT.EDU (Daniel Rinehart)
Tue Mar 4 01:42:41 1997

Date: Mon, 3 Mar 1997 22:42:37 -0500 (EST)
From: Daniel Rinehart <danielr@ccs.neu.edu>
To: www-security@ns2.rutgers.edu
In-Reply-To: <199703032245.AA06785@kcpgw2.kcp.com>
Errors-To: owner-www-security@ns2.rutgers.edu

http://www.news.com/News/Item/0,4,8447,00.html

                  Windows can be hacked through IE 
                  By Nick Wingfield
                  March 3, 1997, 5:15 p.m. PT 

                  Internet Explorer contains a security hole that could
                  allow hackers to completely bypass the browser's
                  built-in checks for screening dangerous code. 

                  The hole, discovered by a trio of students from the
                  Worcester Polytechnic Institute last week, is not
                  related to ActiveX, a technology for running software
                  components within Explorer that has been criticized
                  for being insecure. Instead of creating a malicious
                  ActiveX control, the students were able to remotely
                  create and delete folders using Shortcuts, a Windows
                  95 and NT feature for triggering actions and
                  applications on the operating systems. 

                  Microsoft today acknowledged that the security hole
                  could allow a malicious Web site to delete files and
                  folders from users' systems. However, the students
                  who discovered the glitch maintain that it goes
                  beyond those actions, for it could also reformat users'
                  hard drives or upload files from their PCs. 

                  The company is working on a fix for the problem that
                  it hopes to post later this evening, according to Dave
                  Fester, lead product manager for Internet Explorer.
                  The glitch does not affect Netscape
                  Communications' Navigator, according to Geoff
                  Elliott, one of the students who found the hole. 

                  Microsoft has vigorously defended the security
                  protections in Explorer, but it appears to have been
                  caught off guard by the latest breach. Explorer
                  contains a feature called Authenticode that examines
                  ActiveX controls and Java applets to make sure that
                  they have been digitally signed by a trusted source. If
                  users ignore the Authenticode warnings about
                  unsigned programs, their systems are wide open to
                  attacks.

                  A group of German hackers, the Chaos Computer
                  Club, demonstrated an ActiveX control in January
                  that made unauthorized bank funds transfers from a
                  user's bank account. 

                  "For executables, we have great security," said
                  Fester. "This is going around that. You download a
                  link, and it points you to a program on your own
                  computer." 

                  Instead of executable code, the latest glitch involves
                  ".url" and ".lnk" files--also known as Windows 95
                  and NT Shortcuts. A malicious Web site operator
                  could post a link to an ".url" file that, for example,
                  creates a folder on a user's computer and then
                  deletes it. The Shortcut is able to do that simply by
                  remotely activating a command in Windows 95 rather
                  than sending code over the network. 

                  The Worcester students have set up a Web site that
                  demonstrates some of the ways in which the hole can
                  be exploited. 

                  Microsoft's Fester said that a Web site would need to
                  know the name of a folder, such as "MSOffice" for
                  Microsoft's Office applications, in order to delete it.
                  He also said that none of the files or applications in
                  the folder could be deleted if they were open. But the
                  Worcester students added today that a site could go
                  further than deleting folders and files with a Shortcut,
                  possibly even wiping a PC hard disk clean or
                  snatching files off a computer. 

                  One of the Worcester students, Brian Morin, said that
                  the security stemmed from Explorer's close
                  integration with Windows. 

                  "It is interesting to note that everybody is so paranoid
                  about Java and ActiveX [while] nobody bothered to
                  look at the simple and obvious security holes that
                  arise when Internet Explorer is tied so closely to the
                  desktop," he said. 

                  Some analysts echoed that observation. "I suspect
                  more of these things will start to appear as Microsoft
                  integrates Explorer with Windows," said Ira
                  Machefsky, a senior industry analyst at the Giga
                  Information Group. 


                  Copyright 1995-97 CNET, Inc. All rights reserved. 
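
A defender's view of the ".url" Shortcut behaviour the article describes, as an added example that is not part of the original post or the CNET article: a Python check that reads Internet Shortcut text and flags any whose target is not a web address. It assumes the standard `[InternetShortcut]` / `URL=` layout of ".url" files; the sample contents, paths, and function names are constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Schemes that fetch a page from a server. Any other target (file:, a drive
# path, a UNC path, an unknown scheme) is reported for review.
WEB_SCHEMES = {"http", "https", "ftp"}

def shortcut_target(url_file_text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    parser = configparser.ConfigParser(
        interpolation=None,   # URLs may contain '%'
        strict=False,         # tolerate duplicate keys
        delimiters=("=",),    # ':' is part of the value, not a separator
    )
    try:
        parser.read_string(url_file_text)
    except configparser.Error:
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return parser[section].get("url")   # option names are lowercased
    return None

def classify(url_file_text):
    """Return 'web', 'not-web' or 'unparseable' for one .url file's text."""
    target = shortcut_target(url_file_text)
    if not target or not target.strip():
        return "unparseable"
    try:
        scheme = urlsplit(target.strip()).scheme.lower()
    except ValueError:
        return "not-web"
    return "web" if scheme in WEB_SCHEMES else "not-web"

def flag_shortcuts(named_texts):
    """Given (name, text) pairs, return the names that are not plain web links."""
    return [name for name, text in named_texts if classify(text) != "web"]

# Constructed samples (placeholder host and paths).
SAMPLES = [
    ("news.url", "[InternetShortcut]\nURL=http://www.example.com/index.html\n"),
    ("odd1.url", "[InternetShortcut]\nURL=file:///C:/EXAMPLE/PROGRAM.EXE\n"),
    ("odd2.url", "[internetshortcut]\nurl=C:\\EXAMPLE\\PROGRAM.EXE\n"),
    ("junk.url", "not a shortcut file"),
]

if __name__ == "__main__":
    print(flag_shortcuts(SAMPLES))
```

A mail or web gateway could apply the same test to ".url" attachments and downloads before they reach a desktop.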

