[5052] in WWW Security List Archive

ACTIVE-X, MS Internet Explorer Concerns - forwarded message from Van , Vo (fwd)

daemon@ATHENA.MIT.EDU (Speedy)
Sun Apr 13 07:57:03 1997

Date: Sun, 13 Apr 1997 05:17:06 -0400 (EDT)
From: Speedy <vc51680@pegasus.cc.ucf.edu>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu


Here is a message forwarded by a friend of mine concerning security with
MS Internet Explorer, that I thought some of you may like to see and
check on due to its nature.

Although I personally trust the source from where I received this,
I don't use MS Internet Explorer myself and therefore I have not
confirmed the reported problem below myself.

- Speedy

------- start of forwarded message (RFC 934 encapsulation) -------
Resent-From: grad@cs.ucf.edu
Resent-Sender: grad-request@cs.ucf.edu
Subject: Yet another MS Explorer security note.
Date: Sat, 12 Apr 1997 21:28:19 -0400 (EDT)

http://web1.zdnet.com/wsources/content/current/sec0.html

Hi all.  This is yet another security release concerning MS Internet Explorer.
This is actually an ActiveX problem.  A partial solution is mentioned in the 
article.  For more info on the ActiveX problem, point your browser to
http://www5.zdnet.com/anchordesk/story/story_813.html 

                By David Berlind
             Testing by Joe Moran
04/04/97
Norton Utilities, Internet Explorer Combo Puts
Systems in Harm's Way

Combination of NU 2.0 for Windows 95 and Internet Explorer 3.x
highlights security weaknesses in ActiveX controls

Your worst fears have come true. McAfee Associates has discovered, and
Windows Sources has confirmed, a flaw in the underlying architecture
of Internet Explorer and Windows 95 that renders users of the Web
vulnerable to a range of catastrophes. These disasters range from an
involuntary reformatting of your hard drive to breach of information
once thought to be secure.
 
Users running the combination of Windows 95, Internet Explorer 3.x,
and Symantec's Norton Utilities 2.0 for Windows 95, one of the most
popular and widely used software utility products for Windows 95, are
currently known to be at risk. (In the spirit of disclosure, users
should be aware that McAfee Associates and Symantec Corp. are
competitors in the utilities and anti-virus software market.)
 
Neither Verisign's Authenticode (which is built into Internet
Explorer) nor recent IE security patches posted on Microsoft's Web site
offer any protection. According to Reston, VA-based research firm PC
Data, 143,559 licenses have been issued for Norton Utilities, and
125,825 users have Internet Explorer. The number of users who have
actually deployed both at the same time is unknown.
 
The problem lies in TUNEOCX.OCX, a core component of Norton Utilities'
System Genie.  When installed, this OCX is marked as scriptable, which
allows ActiveX-aware Web page scripts to make use of this ActiveX
control.  This control supports a "run" option that allows the script
to execute any local application, such as the FORMAT or FTP (net-based
file transfer) commands.
 
Windows Sources analysis of Norton Utilities found that this component
essentially granted unauthorized access to any system resource that is
normally accessible from the desktop itself.  As a result, any
programmer with access to one of Microsoft's scripting tools
(VBScript, MS C++, Visual C++, Visual J++, etc.) can leverage this
control to perform any task on the target system -- unbeknownst to the
system's user.
 
For example, a Web page hacker could build a page that, when viewed by
Internet Explorer, runs a few lines of VBScript code that wipes out a
hard drive, installs a Trojan horse, or invokes file transfer and
directory utilities to retrieve confidential information. Worse yet,
all these tasks could be performed in the background without the user
ever knowing what's happening to their system.
 
Verisign's Authenticode, billed by Microsoft as a protection mechanism
built into Internet Explorer that allows users to intervene before
potentially dangerous code is downloaded, is ineffective against this
sort of invasion.  That's because Authenticode watches for software
that's about to be downloaded, but not VBScripts that activate
software components that are already installed on the system (e.g.:
TUNEOCX.OCX).
 
Although the aforementioned combination of software is currently the
only known group at risk, there could be other combinations of
application and ActiveX-based browsers that are equally vulnerable.
 
The smoking gun in this example is Norton Utilities 2.0, but NU simply
exposes an important and oft-debated feature/weakness in Microsoft's
ActiveX architecture. Other products that are already deployed en
masse could be "offering" the same service to those with malicious
intent.
 
In tests, Windows Sources found the same combination running on
Windows NT (including the NT-based version of NU) to be
safe. HealthyPC, another PC tune-up utility from Symantec also tested
safe at Windows Sources.
 
SYMANTEC, MICROSOFT RESPOND
 
According to Symantec Sr. Product Manager Tom Andrus, "It is a
problem. We know how serious it is. But we think that it is very
uncommon. To our knowledge, there are no Norton Utilities users in the
world that have run into this."
 
To Symantec's credit, Norton Utilities 2.0 includes a feature called
Live Update that automatically updates a user's system with new
drivers and software, when that system is connected to the
Internet. "We've worked out a fix and it's in the hands of our quality
assurance group right now," said Andrus. "By this afternoon, a fix
will be up on-line so that any PC that connects to the Internet while
running Live Update will be automatically fixed so as not to allow
this again." For more information, users can go to www.symantec.com.
 
Microsoft sought to put this situation in a more positive light,
highlighting the ability to quickly fix the problem rather than the
problem itself.
 
"The fact that [Symantec] could fix it so quickly is a major testament
to the flexibility of the ActiveX architecture," said Microsoft
Program Marketing Manager Cornelius Willis.  "Yes, this is a threat
but there are so many threats. Vendors can mark off-the-shelf software
safe-to-script or not-safe-to-script. For example, Microsoft Excel is
marked not-safe-to-script because it has access to system
resources. Therefore Excel is invulnerable to such attack. VBScript
and JavaScript will only instantiate controls that are marked
safe-to-script and this was one of them."
 
"Plug-ins (a la Netscape's Navigator) have no digital certificates or
safe-to-script toggles and we feel that ActiveX is the only
architecture that offers any kind of accountability for downloaded
software," added Willis.
 
But, in Windows Sources tests of the Norton Utilities example, ActiveX
offered no opportunity to engage this accountability since it involved
a script acting against an already installed component (from
shrink-wrapped software) rather than the downloading of software.
 
SOLVING THE PROBLEM
 
There are preventative measures users can take to protect
themselves. Following one of these five steps will help protect your
system from the effects of the toxic software combination:
 
1)  Download the patch from Symantec
2)  Uninstall Norton Utilities
3)  Disable support for ActiveX-scripting in Internet Explorer
4)  Switch to a non-ActiveX-based browser such as Netscape's Navigator
5)  Stay off the Net.
 
Be warned also that, going forward, addressing the problem through
Norton Utilities is not a complete fix. Downloading a patch or
uninstalling NU will not protect a system if other equally vulnerable
software is already installed. Additionally, disabling ActiveX
scripting or switching to a non-ActiveX browser may disable other web-
and ActiveX-based applications. Manually disabling Norton Utilities
without uninstalling it is unlikely to safeguard the system and
therefore is not recommended.
 
Corporate sites that use Windows 95's centralized policy management
features may also disable the ability to run Internet Explorer
throughout their local area networks.  Unfortunately, the same policy
management feature doesn't provide centralized management of Internet
Explorer's run options, making it impossible to reach across corporate
nets and just disable support for ActiveX scripting.
 
Finally, for those who are really paranoid, switching to Windows NT
might be one last measure of assurance. Under Windows NT, software
cannot be executed without a security token that authenticates the
code's privileges to the system's resources. Such code usually
inherits the rights of the user sitting at the machine, thus limiting
intruding code to only the resources the user has rights to access.
Provided that the user doesn't have administrator-level rights, the
malicious code's impact could be far less catastrophic.
 
For further discussion on this important issue, ask questions and
express your opinions in the ActiveX Expert Answers Forum.

------- end -------

Another forward note from a friend:

At one point they talk about how many people are using NU2 and IE, but
don't know how many have both.  Well, NU2 comes with and installs IE, and
uses it as part of its functionality, so, it is probably pretty high.
Though, when I was looking at the Norton help news group, there were a
lot of people complaining that IE was required.  I don't recall all of
the details, but one response said you could use Netscape, but you still
had to install IE, and then you could uninstall IE.  The Uninstall of IE
would NOT remove ALL of the stuff that was installed!  Specifically, some
ActiveX controls would remain!  The whole thing seemed kind of spooky
to me!

-- 
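
Added example (not part of the original post or the Windows Sources article): the article warns that other already-installed controls may carry the same safe-to-script marking, so this Python sketch inventories them from a registry export by looking for the safe-for-scripting and safe-for-initializing component categories under each CLSID. The sample export, its CLSIDs, names and paths are constructed, the export is assumed to be already decoded to text, and controls that declare safety only at run time (through IObjectSafety) will not show up in such a scan.

```python
import re

# Component categories a control registers under to be usable from page script.
SAFE_CATIDS = {
    "{7DD95801-9882-11CF-9FA8-00AA006C4A29}": "scripting",     # CATID_SafeForScripting
    "{7DD95802-9882-11CF-9FA8-00AA006C4A29}": "initializing",  # CATID_SafeForInitializing
}

# Constructed sample in .reg export syntax; CLSIDs, names and paths are made up.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Example Tune-Up Control"
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\ExampleUtil\\EXAMPLE.OCX"
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA8-00AA006C4A29}]
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}]
@="Example Spreadsheet Object"
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Program Files\\ExampleOffice\\SHEET.DLL"
"""

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def script_safe_controls(reg_text):
    """Return {clsid: info} for every control marked safe for scripting/initializing."""
    controls, current = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            clsid, sub = m.group(1).upper(), (m.group(2) or "").upper()
            info = controls.setdefault(clsid, {"name": None, "server": None, "marks": set()})
            current = (info, sub)
            catid = sub.rpartition("IMPLEMENTED CATEGORIES\\")[2]
            if catid in SAFE_CATIDS:
                info["marks"].add(SAFE_CATIDS[catid])
        elif line.startswith("["):
            current = None  # a key outside HKEY_CLASSES_ROOT\CLSID
        elif current and DEFAULT_RE.match(line):
            info, sub = current
            value = DEFAULT_RE.match(line).group(1).replace("\\\\", "\\")
            if sub == "":
                info["name"] = value  # default value of the CLSID key: friendly name
            elif sub in ("INPROCSERVER32", "LOCALSERVER32"):
                info["server"] = value  # file that implements the control
    return {c: i for c, i in controls.items() if i["marks"]}

if __name__ == "__main__":
    for clsid, info in script_safe_controls(SAMPLE_REG).items():
        print(clsid, info["name"], info["server"], sorted(info["marks"]))
```

Each control it lists is one that page script is allowed to instantiate, so each deserves a check of whether its methods reach files, processes or other system resources.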

