[4705] in WWW Security List Archive


[Fwd: Yet another Internet Explorer bug...]

daemon@ATHENA.MIT.EDU (Fred Donck)
Fri Mar 7 03:43:43 1997

Date: Fri, 07 Mar 1997 07:33:38 +0100
From: Fred Donck <f.c.w.donck@siep.shell.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

This is a multi-part message in MIME format.

--------------28D9799388F
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

See attached for yet another IE bug!
-- 
Fred Donck		 			   Tel: +31 70 311 2374
Unix System Engineer				Mobile:	+31 654 666 488
Internet/Intranet infrastructure		   Fax: +31 70 311 2166
	E-mail:	f.c.w.donck@siep.shell.com / fred@RealIT.com

"In a world without fences, who needs Gates !"
"May the Source be with you"

--------------28D9799388F
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Approved-By: aleph1@UNDERGROUND.ORG
Mime-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY=------------7D7F82D96CB0A3FE4D779509
Content-Id: <Pine.SUN.3.94.970306092146.26020B@dfw.dfw.net>
Message-Id: <Pine.SUN.3.94.970306092146.26020A-200000@dfw.dfw.net>
Date: 	Thu, 6 Mar 1997 09:22:17 -0600
Reply-To: Aleph One <aleph1@DFW.NET>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Aleph One <aleph1@DFW.NET>
Subject:      Yet another Internet Explorer bug...
To: BUGTRAQ@NETSPACE.ORG

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.

--------------7D7F82D96CB0A3FE4D779509
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Content-ID: <Pine.SUN.3.94.970306092146.26020C@dfw.dfw.net>

http://dec.dorm.umd.edu/index.htm

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

--------------7D7F82D96CB0A3FE4D779509
Content-Type: TEXT/PLAIN; CHARSET=us-ascii; NAME="index.htm"
Content-ID: <Pine.SUN.3.94.970306092146.26020D@dfw.dfw.net>
Content-Description: 
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by charon-1.shell.nl id SAA27771

Yet another Internet Explorer bug...

Last updated on 3/5/97

----------------------------------------------------------------------------



Overview:

     On certain machines running Internet Explorer 3.0, an icon can be
     embedded within a web page.  When double-clicked, this icon may
     run a remote application without warning.  This is not the same as
     the ".LNK and .URL" bug discovered recently.  Be very afraid.



Who may be victimized:

     This bug only affects Internet Explorer 3.0 users (version
     4.70.1215).  The problem is significantly more serious if the user
     is on a platform with CIFS (Windows NT 4.0 with Service Pack 1 or
     later installed).  If this is the case, the location of the
     malicious executable code to be run on the victim's machine could
     be anywhere on the Internet.  If this is not the case, the
     location of the machine containing the code is restricted to
     within the scope of Windows name resolution.  For example, the
     host must be either on the same subnet, listed in the victim's
     LMHOSTS file, or listed on the victim's WINS server.



Examples:

     Working examples of this bug are provided on a separate page
     because Windows name resolution often forces Internet Explorer to
     block for 10 to 15 seconds. If this happens, just wait it out,
     your computer has not crashed. If you are using Internet Explorer
     on a machine that doesn't have CIFS, the wait period may be
     significantly longer in order for Windows name resolution to time
     out. It should be noted however that CIFS is required for these
     examples to function.

     Click here to see the Examples page.



Is this related to the "other" Internet Explorer bug of a similar nature
discovered by Paul Greene?

     No.  This is not the same bug and the patch released to fix the
     other bug does not prevent this problem from occurring.  The only
     similarities between the discovery of this bug and the
     discovery of the other bug are that I go to a college, live in a
     dorm, and have friends who helped me with this page.  It should
     also be noted that this bug is probably the result of the move to
     merge Internet Explorer with the Windows desktop, just as the
     other bug was.



So how does this work?

     Internet Explorer enables a user to use a URL describing a remote
     directory.  When a user clicks on such a link, they are brought to
     what is essentially a Windows Explorer window, but inside of
     Internet Explorer.  If this URL is used as the basis for an
     <IFRAME> tag, an embedded frame can be created with what is
     essentially a Windows Explorer window inside.  If this window is
     made small enough, it appears to be some sort of button, one which
     runs a remote program when double clicked.  CIFS allows a machine
     to use the IP or hostname provided in the URL as a way of
     contacting the remote host containing the executable.



New Information:

        * 3/5/97 7:30 pm - Microsoft contacted us and they are working
          on a fix.
        * 3/5/97 5:45 pm - Reported to work in Memphis. (thanks to
          anonymous)



Disclaimer:

     I discovered a different bug in a Microsoft product a year ago,
     and I found that it is very bad for my own personal PR.  The bug
     was small and couldn't be used to gain access to a foreign
     computer system.  I wrote about the bug in an extremely
     responsible way and even submitted my description of the bug as a
     writing sample on an interview.  Nevertheless I was accused of
     being irresponsible, and even of being a "hacker."  I'll admit
     that I might have been irresponsible by not letting Microsoft know
     about the problem ASAP, but I am NOT a hacker.  Anyone who
     attempts to gain access to a computer without authorization is
     doing something dishonorable, illegal, and wrong.  Period.  If
     I am somehow made aware that someone has made use of the
     information on this page for a malicious purpose, I will not
     hesitate to alert the authorities.

     In light of my experiences in the past, I feel I should mention
     that:

        * I do not hold a grudge against Microsoft.  I use (and
          love!) their products and would like to see them as bug-free
          as possible.

        * I do not have any idea (or care about) how to "crack Windows
          95 screensaver passwords."  For some reason I keep getting
          mail about this, and I just want it to stop.

        * Please drop me an e-mail if you reference this page.



----------------------------------------------------------------------------

Initial discovery by David Ross  [Widdle Doggie Now!]
Help from Dennis Cheng and Asher Kobin.

Page created on 3/4/97
© 1997 Widdle Doggie. All rights reserved.

--------------7D7F82D96CB0A3FE4D779509--


--------------28D9799388F--
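
The "So how does this work?" section above describes a frame whose source is a remote directory, sized so that it looks like a button. The following scanner is an added example, not part of the original post or the page it forwards: it flags such frames in HTML passing through a proxy or mail gateway. The page gives no URL syntax, so the `file://host/...` and `\\host\share` forms, the tag list, the 64-pixel threshold and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FRAME_TAGS = {"iframe", "frame", "embed", "object"}  # assumed tag list
SMALL_PX = 64  # assumed cut-off for "small enough to look like a button"

def remote_share_host(url):  # host of a remote file share, else None
    url = url.strip()
    if url.startswith("\\\\"):                    # UNC form: \\host\share
        return url[2:].split("\\", 1)[0].lower() or None
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        return None
    if parts.hostname:                            # file://host/share/
        return None if parts.hostname == "localhost" else parts.hostname
    if parts.path.startswith("//"):               # file:////host/share/
        return parts.path[2:].split("/", 1)[0].lower() or None
    return None                                   # local path, e.g. file:///C:/

def is_small(a):  # both dimensions present and at most SMALL_PX
    return all((a.get(k) or "").isdecimal() and int(a[k]) <= SMALL_PX
               for k in ("width", "height"))

class ShareFrameFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FRAME_TAGS:
            return
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        for name in ("src", "data"):
            host = remote_share_host(a.get(name) or "")
            if host:
                self.findings.append({"line": self.getpos()[0], "tag": tag,
                                      "host": host, "small": is_small(a)})

def scan(html):
    finder = ShareFrameFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup; hosts are documentation placeholders.
SAMPLE = """<html><body>
<IFRAME SRC="file://fileserver.example/tools/" WIDTH="40" HEIGHT="40"></IFRAME>
<iframe src="\\\\192.0.2.10\\share\\" width="600" height="400"></iframe>
<iframe src="https://www.example.com/news.html" width="40" height="40"></iframe>
</body></html>"""
```

A finding with `small` set matches the disguised-button layout the page describes; a remote-share frame source of any size is still worth reviewing.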

