[343] in Best-of-Security


BoS: Security Alert> Internet Explorer bug may corrupt Web visitor's

daemon@ATHENA.MIT.EDU (Con Zymaris)
Tue Sep 9 19:28:33 1997

Date: Mon, 08 Sep 1997 23:15:30 +1000
From: Con Zymaris <conz@cyber.com.au>
Reply-To: conz@cyber.com.au
Old-X-Originally-To: To: cyber@cyber.com.au
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


Internet Explorer bug may corrupt Web visitor's PC files
   

  By Brian McWilliams 
  PC World Online 

  Posted at 7:20 AM PT, Sep 5, 1997 
  A new security hole has been discovered in Microsoft's Internet
Explorer browser. The bug allows a malicious
  Webmaster to silently corrupt the files of PC users who visit a site. 

  "A malicious page could overwrite, say, your autoexec.bat file, or any
of your system files," said Tim Macinta,
  discoverer of the IE file corruption bug and chief technology officer
for a Massachusetts start-up called Endware. "You
  do need to know the name of the file for it to be overwritten, but
system files are in a pretty standard place in almost
  every Windows box. So a malicious Web page could take out most users'
Windows files," he added. 

  Macinta said his exploit of the system is written in Java and takes
advantage of a hole in a DirectX component that
  shipped with Internet Explorer 4. But the attack also can affect
anyone who's running IE 3 and has upgraded its Java
  virtual machine to the latest version. 

  Unlike recently reported browser bugs, this one doesn't breach the
privacy of a user's system; it doesn't enable
  hackers to read files on your PC or intercept your inputs to the
browser. But Macinta said this bug is problematic
  because it runs quietly in the background, once the Web page has
finished loading. And that page doesn't have to be at
  some out-of-the-way hacker's Web site. 

  "If someone wanted to be malicious, they could hack into a government
Web site and put a malicious program on
  there," he speculated. "If they don't change the appearance of the Web
site, it could go unnoticed for quite a while and
  it would be hard to catch," he added. 

  Macinta has posted a demo of his program on the Web at
http://web.mit.edu/twm/www/expbug2/. While he said he
  hasn't released source code for the exploit, he claims the flaw in
Microsoft's DirectX software development kit could
  be obvious to others. 

  Microsoft is downplaying the severity of the IE file corruption bug.
Internet Explorer Product Manager Kevin Unangst
  said that the company had already discovered the hole in DirectX
during its security audit of IE 4. When the final
  version of the browser ships on Sept. 30, Unangst said it won't be
susceptible to this exploit. 

  "We take it seriously, but it only happens with the beta software," he
insisted. "We were already aware of the problem
  and it was a very specific set of circumstances to take advantage of
it. Since it's already been fixed, we want to
  reassure users that when they download the IE4 product on the 30th, it
will contain this updated DirectX component
  that fixes and blocks that hole." 

  Macinta blamed the presence of the bug on Microsoft's decision to
provide Windows-specific extensions to Java. But
  Unangst disputed Macinta's claim. 

  "This has nothing to do with any kind of splintering of Java," Unangst
said. "We support, and have been supporters of,
  the existing Java models and Java far beyond what I think anyone
expects. The functionality that our Java
  implementation will offer is what makes Java attractive to developers
on Windows." 

  Last week a new security hole was discovered in Netscape's Navigator
browser, and, of course, over the past year
  there have been several other security bugs that have required patches
and updates from Netscape and Microsoft.
  While there are no reports yet of these browser security bugs
being exploited by malicious hackers, it may just be a
  matter of time, according to Lance J. Hoffman, a professor of computer
science at George Washington University, in
  Washington. 

  "In general, not always but in general, users want the added utility
and they'll take a chance on security," Hoffman said.
  "We haven't had any real Three Mile Islands in the computer world
where it's going to require all sorts of labeling and
  regulation and this and that. Those will come, but we really haven't
had those yet," he added. 

  Microsoft Corp., in Redmond, Wash., can be reached at
http://www.microsoft.com/. 

  PC World Online, an InfoWorld Electric sister publication, can be
reached at http://www.pcworld.com/.


