Slashdot Mirror


Controversy Surrounds Huge IE Hole

Suchetha wrote in with a Wired News bit talking about a security hole in IE that allows malicious web pages to reformat a hard drive. The Wired article talks more about Bugtraq's handling of the whole thing, and how it essentially posted working code for the exploit. Was it irresponsible or not?

10 of 740 comments

  1. Active content... by wowbagger · Score: 4, Informative

    I cannot help but notice that in almost all cases, the security problems in both IE and Mozilla have been in the realm of active content - Javascript, Flash, and ActiveX.

    Hence I disable them as a matter of course.

    How about encouraging webmasters and web designers to avoid requiring them unless absolutely necessary?

  2. Re:Irresponsible? by Proaxiom · Score: 4, Informative

    It's not as easy as that. The folks at Symantec have a good point: it was already available in a number of public forums, so disclosure wasn't an issue anymore.

    The criticism has a bit of a different skew:
    "Symantec's actions give the impression that they are encouraging people to create and release malicious code. Given that Symantec also sells security and antivirus software, I think there is a terrible conflict of interest here."

    I have to admit I wonder about this myself from time to time.

  3. Slashdotted Already - Article Text by Anonymous Coward · Score: 5, Informative

    Posting as Anon since I don't need the Karma:

    ----------

    Serious Internet Explorer Defect

    This is a developing issue and the information presented here is preliminary in nature and subject to frequent changes. Last significant update - 11/08/02-1830

    SUMMARY

    A simple way to exploit an unfixed defect in Internet Explorer has been discovered that allows malicious web sites, and possibly malicious email messages read with Outlook or Outlook Express, to take control of a computer. All you would need to do is click a web link and the owner of the web site could take almost any action they desired on your computer.

    Simple, working exploit software was recently published to a public mailing list.

    There is no patch to fix the problem. Anti-virus and personal firewall software will not prevent an exploit. It is hoped that Microsoft will provide a patch to fix this defect in the near future.

    It is impossible to predict how, when, or even if someone will take advantage of this but due to the ease with which bad things can be accomplished it was decided to post an announcement. Nothing at all may happen. Or someone could write a virus or put up a malicious web site to take advantage of the situation at any time. The last time a defect exploit with similar characteristics was published, it was quickly incorporated into many email viruses making it unnecessary to click an attachment to get infected.

    The following practices are recommended for users of Internet Explorer, Outlook, and Outlook Express until more information becomes available:

    1. Users of Outlook and Outlook Express should perform the following simple, unobtrusive procedure to disable scripts from executing in email messages:

    Click the Tools menu item and select Options

    Click the Security tab

    In Outlook Express, make sure the Virus Protection security zone is set to Restricted site zone as shown in the window below:

    In Outlook, make sure the Secure Content Zone is set to Restricted Sites as shown in the window below:

    These are the default settings for Outlook 2002 and Outlook Express 6. Users of earlier versions should change the setting to Restricted.

    2. Indiscriminate browsing of untrusted or questionable web sites should be avoided or scripting should be disabled as described in the additional security measures below. Note that hyper links sometimes appear in email or instant messages. If these messages are from malicious individuals, they could lead you to a malicious web site.

    3. Indiscriminate clicking of hyper links in unexpected or suspect email messages, instant messages, and peer sharing resources should be avoided or scripting should be disabled in Internet Explorer as described in the additional security measures below.

    ADDITIONAL SECURITY MEASURES AND INFORMATION

    There is only one technical defense against an exploit at the present time and that is to disable scripting in Internet Explorer, Outlook, and Outlook Express. Instructions for disabling scripting in the mail clients were included in the recommendations above and should have little or no effect on day to day use.

    Unfortunately, disabling scripting in Internet Explorer will adversely affect the operation of many web sites including E-campus and the Windows Update Site. There is, however, a way to specify trusted web sites that are allowed to use scripting and disable it for all others. Users desiring to decrease risk may follow the instructions at the following web site under the section titled "Optional Internet Explorer Security Measures":

    http://www.jmu.edu/computing/info-security/engineering/issues/ie.shtml#opt

    Risk associated with this exploit and most others can be somewhat reduced by using a non-Administrative Windows account when browsing the web, reading email, and other day to day computer use.

    The defect has been verified in Internet Explorer 5.5 and 6 SP1 running on Windows 98 and XP SP1 respectively. It is likely all varieties of 5.5 and 6 are vulnerable. A quick attempt on a Windows 95 computer running IE 5.0 was unsuccessful but not enough research was done to know why.

    A possible symptom of an exploit is a Window similar to the one below suddenly appearing on your screen after clicking a hyperlink or opening an email message. The exact appearance of the Window may vary depending upon the version of Internet Explorer and operating system. Note that this window will appear if you click Help and under that circumstance the window appearance is not an indication of an exploit. If you are affiliated with James Madison University and see this window unexpectedly appear after clicking a web hyperlink or reading an email message, please contact Gary Flynn at x82364 ASAP. People affiliated with James Madison University can find my home number in the local directory and are encouraged to call me at home if such an event takes place after normal working hours.

  4. Schneier on "Full Disclosure" by Charles+Dodgeson · Score: 5, Informative

    The most sensible thing I've ever read about this kind of question is a Crypto-Gram article from last year by Bruce Schneier.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky

  5. Re:Shooting the messenger .. by zyklone · Score: 5, Informative

    Ok, I expected that more people read bugtraq.. which is obviously not the case.

    Their version of November is not actually the real November. From Andreas Sandblad's mail:
    "Microsoft was initially contacted 2002-10-04."

  6. He Gave Them a Month by serutan · Score: 5, Informative

    If you read Sandblad's actual BugTraq posting you will see that he had notified Microsoft more than a month before posting the details of the exploit. Quoting:

    Microsoft was initially contacted 2002-10-04. After several mail exchanges, their final response were that the technique used to run programs with parameters from the "Local computer zone" was no security vulnerability. A fix should instead be applied for all possibilities for content in the "Internet zone" to access the "Local computer zone".

    How much time does a company have to actually fix a problem this serious? When somebody takes the trouble to notify a company about a defect, they've already demonstrated helpfulness and responsibility. It would make sense for the company to take that helpful, responsible person into the loop, and at least update them periodically about what is being done about the problem. That would give a helpful person like Sandblad a basis for continuing to wait. In this case Microsoft gave no indication that they were doing anything about the problem or intended to do anything about it. Continuing to sit on the information certainly wouldn't give them any further incentive. Sandblad reported this problem, got a thanks-but-no-thanks, then after a month of no news went over their heads to the public. I would say he handled it very responsibly.

  7. Re:OT but relevant by Espen · Score: 4, Informative

    A simple 'ps ux' suggests IE runs as the user who launched it, not root. Something else must be going on here.

  8. Worse than goatse by phorm · Score: 4, Informative

    Not to troll, but perhaps slashdotters should be extra careful of the links they click (for those on IE) in the near future.
    Goatse is disturbing and easily detected, but I'd imagine that this script could be set up almost anywhere, making it easy to slip into a Slashdot comment.

    And yes, I'm sure there are probably enough trolls on here that somebody would try it if they knew how.

  9. "Mined" web pages have been proposed before by Anonymous Coward · Score: 4, Informative

    Looks like automated formats via "mined" web pages in Explorer have been around for a while now. This Bugtraq link is from back in 1999:

    http://online.securityfocus.com/archive/1/28213/2002-09-30/2002-10-06/0

    Bits of note include:

    "The key is the Format command's "/autotest" flag, which I believe was put into place early on in MS-DOS's history to assist in batch processing, and was probably dropped from the documentation some time back (it's not in my DOS 5.0 manual as far as I can tell -- although that's not too far in the past). It can be tested for by entering: "Format a: /autotest" at the MS-DOS C:\ prompt.

    The automated format via web page can be accomplished as follows (with the example shown demonstrating how to create a link on a web page which will automatically format Drive A):

    1) Either:

    Create a .pif file ("Format.pif") with the Command Line set to:

    "C:\WINDOWS\COMMAND\FORMAT.COM a: /autotest"

    And Working Line set to:

    "C:\WINDOWS\COMMAND"

    Or:

    Create a .bat file ("Format.bat") with a single command:

    "format a: /autotest"

    (Should the user wish to format another disk, the a: may be replaced with c:, d:, e:, etc.)

    2) Link to the file on a web page as follows:

    Click Me

    Or:

    Click Me

    According to the method chosen for implementation in step 1. These links may be placed beneath graphics or text, as would be found on a regular web page.

    3) Upload the html document and .pif or .bat file to the targeted web server directory and wait for an unwary user to click the link and 'Open'.

    Spooky, eh?

    These steps don't create a Trojan Horse so much as an out-right "Cyber Mine" which will be activated on a user's machine the instant they click the link and accept the file into their system. As the download of the 1k file is almost instantaneous, damage will be made to the user's data in a matter of seconds."

  10. Fight javascript with javascript by Anonymous+Custard · Score: 5, Informative

    After reading the proof-of-concept script at http://online.securityfocus.com/archive/1/298748, I now know at least to avoid blind links.

    Also, I've come up with this possible solution:

    In IE, bring the potentially malicious page to the front, then press Ctrl-O to get the Open prompt. Enter this:

    javascript:void(location.replace=null)

    then click OK. Now any time a JavaScript on that page tries to issue a location.replace command, it will instead issue a null command (no command at all). (Assuming the script hasn't already been activated, under an onLoad event or something.)

    This works with annoying exit pop-up ads too:
    javascript:void(window.onunload=null);

    You can do this with all sorts of javascript commands that get abused. Find some offensive pages, look at their source, and disable the commands you see used often. (onunload is probably the worst and most often used).

    Major inspiration from this cnet builder page.
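The method-overwriting trick in the comment above, as an added example that is not code from the thread: a method that page scripts abuse is replaced on its object so later calls do nothing. Real `window.location` cannot be reassigned in Node and is unforgeable in modern browsers, so this runs against a constructed stand-in object; it also shows that assigning `null` (as the comment does) makes the page script throw rather than silently continue, and that a script which already ran cannot be undone.

```javascript
// Added example (not from the Slashdot thread). Models javascript:void(location.replace=null)
// against a constructed stand-in for window.location; the URL below is a placeholder.

// Constructed stand-in for a browser window: records where a page script tried to send us.
function makeWindow() {
  const win = { navigatedTo: null };
  win.location = {
    replace(url) { win.navigatedTo = url; }, // the method the comment wants to defeat
  };
  return win;
}

// Overwrite a method so that later calls from page scripts cannot do their job.
// mode "null" reproduces the comment's trick exactly; mode "noop" installs an empty function.
// Returns a function that restores the original method.
function neutralize(obj, name, mode = "noop") {
  const original = obj[name];
  obj[name] = mode === "null" ? null : function () {};
  return () => { obj[name] = original; };
}

// Constructed stand-in for the untrusted page script the comment describes.
function untrustedPageScript(win) {
  win.location.replace("http://placeholder.invalid/"); // placeholder, not a real site
  return "script finished";
}

// Neutralize location.replace first, then let the page script run; report the outcome.
function runProtected(mode) {
  const win = makeWindow();
  neutralize(win.location, "replace", mode);
  let outcome;
  try {
    outcome = untrustedPageScript(win);
  } catch (e) {
    outcome = e.constructor.name; // with null, calling the method throws TypeError
  }
  return { navigatedTo: win.navigatedTo, outcome };
}

// The comment's caveat: if the script already ran (e.g. from onLoad), overwriting the
// method afterwards does not undo anything.
function runTooLate() {
  const win = makeWindow();
  untrustedPageScript(win); // executed before the user intervenes
  neutralize(win.location, "replace");
  return win.navigatedTo !== null; // true: the navigation already happened
}
```

In both modes the navigation is blocked, but the "noop" form lets the rest of the page's scripts keep running, while the `null` form aborts them with a TypeError at the first call.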