[20011] in bugtraq
Re: User may be fooled to execute programs browsing with IE5.1
daemon@ATHENA.MIT.EDU (Jesús López de)
Tue Apr 3 18:28:31 2001
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID: <004001c0bc56$0b390730$ef9451d4@servidor>
Date: Tue, 3 Apr 2001 17:52:10 +0200
Reply-To: Jesús López de Aguileta <aguileta@EUNATE.NET>
From: Jesús López de Aguileta <aguileta@EUNATE.NET>
X-To: Microsoft Security Response Center <secure@microsoft.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi again Scott (and all bugtraq readers),
I'm back with my brand new IE SP1 with the MS01-020 patch installed. But I still
have comments.
The problem described earlier still works in the same way as before, but I've
found that with this MIME part:
-----8<----8<---
Content-Type: application/x-shockwave-flash;
	name="hello.exxe"
Content-Transfer-Encoding: base64
Content-ID: <KR>
[Here encoded executable]
---8<----8<---
Note: the two "xx" in the extension are there to try to avoid the dozens of mail
filters that rejected my previous message because of a "dangerous extension".
IE again asks to "open this file" instead of "open this program". And the
difference is not only in the wording of the question: the Authenticode window
doesn't pop up if you click the OK button.
Are you sure there aren't further considerations about this issue? I don't have
enough time or knowledge to keep investigating this, but it sounds as though the
normal protection for executing online .exe programs could be circumvented this
way (at least on my computer).
Thank you again.
Jesus Lopez de Aguileta
Hi Jesus -
I'm afraid the situation may not be what you believe. First, your
system is not patched, despite what the dialogue says. The dialogue
is displayed if you try to install the patch on anything other than
IE 5.01 Service Pack 1 or IE 5.5 Service Pack 1, and the text of the
dialogue is incorrect. This error has been present in several recent
IE patches, and we're working to ensure that it's not present in
future ones. Meantime, here's the passage from the bulletin that
discusses it:
-------- start ----------
Caveats:
If the patch is installed on a system running a version of IE other than the
one it is designed for, an error message will be displayed saying that the
patch is not needed. This message is incorrect, and customers who see this
message should upgrade to a supported version of IE and re-install the patches.
-------- end ----------
We checked the code you provided below, and have verified that the
behavior you're seeing is not a vulnerability. Although you're right
that it's possible for a web site to initiate a file download, this
is by-design behavior and is unrelated to the vulnerability discussed
in MS01-020. A Q&A in the FAQ discusses the situation:
-------- start ----------
I heard that even after applying this patch, an e-mail could start a file
download automatically. Is this true?
Yes. However, this is not related to this vulnerability, and doesn't pose a
security risk. It's always possible for an e-mail to start a file download,
and of course the author of the mail can give the file a name that sounds
innocuous. However, the file download cannot actually begin unless and until
the user selects a location to which it should be downloaded, and clicks the
OK button.
As a general rule, it is probably worth questioning the
trustworthiness of any e-mail that automatically starts a file
download. The best action is to simply click the Cancel button in the
dialogue.
-------- end ----------
Hope that helps explain the situation. Regards,
Scott Culp
Security Program Manager
Microsoft Security Response Center
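The MIME part Jesús quotes above declares one media type (application/x-shockwave-flash), carries a filename with an executable extension (or a mangled one such as .exxe), and contains a Windows executable. The following is an added example, not code from either of the messages in this thread: it parses a message from the receiving side and reports parts whose declared Content-Type, filename extension and leading bytes disagree. The sample message, the extension list and the magic-number table are constructed here for illustration; they mirror the header layout quoted in the post but are not taken from it.

```python
"""Flag MIME parts whose declared Content-Type, filename extension and actual
bytes contradict each other.  Added example; the sample message, extension
list and magic-number table below are constructed for illustration."""
import base64
import email
import os
from email import policy
from typing import Dict, List, Optional

# Extensions Windows treats as directly executable (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".hta", ".vbs", ".js"}

# Leading bytes -> media type those bytes actually identify (constructed table).
MAGIC = {
    b"MZ": "application/x-msdownload",          # DOS/PE executable
    b"FWS": "application/x-shockwave-flash",    # uncompressed SWF
    b"CWS": "application/x-shockwave-flash",    # zlib-compressed SWF
    b"ZWS": "application/x-shockwave-flash",    # LZMA-compressed SWF
}

PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00"   # opening bytes of a PE file, nothing more
SWF_STUB = b"FWS\x0a\x10\x00\x00\x00"     # opening bytes of an uncompressed SWF


def mime_part(ctype: str, name: str, cid: str, data: bytes) -> bytes:
    """Build one base64 body part in the same header shape as the post's snippet."""
    return (
        b"--b1\r\n"
        + f'Content-Type: {ctype};\r\n\tname="{name}"\r\n'.encode()
        + b"Content-Transfer-Encoding: base64\r\n"
        + f"Content-ID: <{cid}>\r\n\r\n".encode()
        + base64.b64encode(data) + b"\r\n"
    )


# Constructed sample: an HTML body plus three related parts.
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n<html><body>hi</body></html>\r\n"
    + mime_part("application/x-shockwave-flash", "hello.exe", "KR", PE_STUB)    # the post's case
    + mime_part("application/x-shockwave-flash", "hello.exxe", "KR2", PE_STUB)  # filter-evading name
    + mime_part("application/x-shockwave-flash", "intro.swf", "OK", SWF_STUB)   # genuine Flash
    + b"--b1--\r\n"
)


def sniff(payload: bytes) -> Optional[str]:
    """Return the media type implied by the leading bytes, or None if unknown."""
    for magic, mtype in MAGIC.items():
        if payload.startswith(magic):
            return mtype
    return None


def find_mismatches(raw: bytes) -> List[Dict]:
    """One finding per leaf part whose filename or bytes contradict its declared
    Content-Type.  Parts that carry no filename at all are ignored."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, then Content-Type name=
        name = part.get_filename()
        if not name:
            continue
        declared = part.get_content_type()
        ext = os.path.splitext(name)[1].lower()
        sniffed = sniff(part.get_payload(decode=True) or b"")
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension {ext}")
        if sniffed and sniffed != declared:
            reasons.append(f"bytes look like {sniffed}, not {declared}")
        if reasons:
            findings.append({"name": name, "declared": declared,
                             "sniffed": sniffed, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_mismatches(SAMPLE):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

The extension check alone misses the .exxe variant used to get past list filters; the byte-level check catches it regardless of the name, which is why a gateway should sniff the decoded payload rather than trust either the Content-Type header or the name parameter.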