Slashdot Mirror


Extremely Critical IE6/SP2 Exploit Found

Spad writes "Secunia is reporting on three vulnerabilities in IE6 running on XP SP2. Any of these, in combination with an inappropriate behaviour where the ActiveX Data Object (ADO) model can write arbitrary files, can be exploited to compromise a user's system. Moreover, the vulnerability can be used to delete files from the user's system. Secunia says 'Solution: Use another product.'"

55 of 595 comments

  1. Test site by Dancin_Santa · · Score: 5, Funny

    They've also posted a test site.

    No, you click it first.

    1. Re:Test site by MarkRose · · Score: 5, Funny

      I click it but nothing happens. When are site designers going to learn there are other browsers besides IE? Don't they know that Firefox's market sharing is growing? Clueless idiots!

      --
      Be relentless!
    2. Re:Test site by farnz · · Score: 3, Insightful
      It allows a malicious web page to do anything on your system that you can do locally; if the user you run IE as can do it, the attacker can do it too. So, if you can read these critical files, the attacker can, too. If you can modify them, guess what? The attacker can change them too.

      If I were a black-hat planning to exploit this vulnerability, I'd put a remote control program like Back Orifice and an HTTP tunnelling program onto the web for BO to use for connectivity. Then the exploit downloads and installs them, and I have full control of your system whenever I want it.

    3. Re:Test site by CerebusUS · · Score: 4, Informative

      This is NOT a new vulnerability. This is an upgraded severity on a vulnerability that was reported almost 3 months ago:

      From the article:
      Secunia Advisory: SA12889
      Release Date: 2004-10-20
      Last Update: 2005-01-07 ...

      Changelog:
      2004-10-21: Updated advisory.
      2004-10-28: Added another workaround in "Solution" section and linked to Microsoft Knowledge Base article.
      2004-11-02: Updated with additional information in "Description" and "Solution" section.
      2004-11-29: Updated "Description" section with additional information from Paul.
      2004-12-23: Added link to US-CERT vulnerability note.
      2004-12-25: Updated "Description" section with additional information from Paul and Michael Evanchik.
      2005-01-07: Increased rating. Added link to test. Updated "Description" and "Solution" sections.

      So they upped the severity rating and added another workaround. This isn't really news. You've been vulnerable to this for almost 3 months now.

    4. Re:Test site by Alsee · · Score: 3, Funny

      If Firefox is going to have any chance at competing then the developers are going to have to get on the ball and implement fully compatible functionality. It is absolutely unacceptable that the Secunia test site does not function as intended.

      I know we all want to blame Microsoft for breaking compatibility, but face it, IE is the de facto standard. It is up to us to ensure that if it works in IE then it will work in Firefox just as well, if not better.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    5. Re:Test site by Citizen+of+Earth · · Score: 5, Funny

      I know we all want to blame Microsoft for breaking compatibility, but face it, IE is the de facto standard.

      I think that the Firefox developers should give credit where it's due. They should organize another pledge campaign to raise $10,000.00 to give to Microsoft as a token of good will for all of the advertising that Microsoft has done for Firefox. Although the actual advertising contribution of Microsoft is at least a thousand times greater, this would help coax Microsoft toward continuing their generous support and [this is the serious part] the press would eat it up, contributing another $5M worth of free advertising.

  2. But can it be used to... by FullCircle · · Score: 5, Funny

    delete IE?

    or maybe install Firefox?

    --
    If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
  3. Heh by tektek · · Score: 3, Funny

    Even a fully patched sp2 is in danger. Good news for Firefox fanboys?

    1. Re:Heh by Owndapan · · Score: 5, Interesting
      The exploit worked on my fully patched WinXP SP2 box, running EZ Firewall/Antivirus suite, and running as a non-admin user.

      I think this exploit deserves a bit more attention than "serves clueless n00bs right". Although to be fair my default browser (FireFox) was unaffected ;)

    2. Re:Heh by Anonymous Coward · · Score: 3, Insightful

      It's amazing how the WinFanboys can live in such denial. It's like people you know who live in a really bad neighbourhood and deny there's anything wrong. "Oh we're OK, we live in a safe area. As long as you put bars on all your windows, don't leave the house when it's dark, put up bullet proof windows, and don't make eye contact with the neighbours like sensible people you're perfectly safe". It's the old "Apart from how it's broken, it works perfectly" line. Used car salesmen use similar techniques. "She blows a bit of smoke and rattles some, but you know this was one of the best models made. They don't make 'em like they used to (watch out for the leaky floorpan too)"

      The blame-the-users mentality also serves to protect MS itself. If the general consensus is that users are at fault for succumbing to vulnerabilities then MS has no responsibility to fix it, and is under no pressure to do so.

      Keep sucking it up will you. There's a good boy.

    3. Re:Heh by Anonymous Coward · · Score: 5, Funny

      Yeah, if your grandma hasn't spent at least $50 on third-party security software plus a yearly antivirus subscription fee, plus made sure to configure her firewall correctly and run virus and spyware scans weekly, plus made sure to create a restricted user account that she runs IE under, why then she has only herself to blame. Obviously Microsoft is doing everything in its power to protect her.

    4. Re:Heh by R.Caley · · Score: 4, Insightful
      ...But one with proper security controls put in place like a good virus scanner/firewall/IE settings/anti spyware and creating a non-admin user for web browsing will not be affected.

      And a car with the wheels nailed to the ground, the doors welded and all the windows painted over is pretty safe from thieves. When you saw those precautions advised in the manufacturer's literature, would you buy the car?

      --
      _O_
      .|<
      The named which can be named is not the true named
    5. Re:Heh by molnarcs · · Score: 5, Informative
      Bad news for everyone - except for some open source advocacy. Gives a nice opportunity to show how MS talks bullshit - when they talk about security. Did anyone notice the date when Microsoft was notified?

      Provided and/or discovered by:
      1) Discovered independently by:
      * http-equiv
      * Andreas Sandblad of Secunia Research (reported to Microsoft on 2004-10-13).

      That's right, Microsoft "we take security very seriously" Corporation has known about this vulnerability for almost two months, yet they left it unpatched? Why?

  4. Delete files? by lachlan76 · · Score: 3, Insightful

    One would assume that any vulnerability that could run arbitrary code would be able to delete files.

    1. Re:Delete files? by Spy+Hunter · · Score: 3, Funny
      Exactly. Even on vulnerabilities that can execute arbitrary code, they always list a bunch of other silly little things they can do, like cross-site scripting or my personal favorite "view the content of arbitrary files in known locations".

      If they reported the evening news the same way it would sound like this: "Today terrorists announced they have armed an atomic bomb in the middle of Los Angeles. They also announced that they have control of several hand grenades and also some water balloons and cap guns, and they're not afraid to use them!"

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    2. Re:Delete files? by lachlan76 · · Score: 5, Funny

      Actually, I would have said it was more like "Today terrorists have announced that they have armed an atomic bomb in the middle of Los Angeles. If it goes off, it may burn you!"

  5. A worm that deletes everything. by caluml · · Score: 4, Insightful

    We need a worm/virus that deletes everyone's files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people"

    1. Re:A worm that deletes everything. by LewsTherinKinslayer · · Score: 5, Insightful

      "We need a worm/virus that deletes everyones files. That would make keeping your computers patched a high priority for most of the users. At the moment, viruses are just something that affects and annoys "other people""

      Similarly, we need a firebug to go around lighting people's houses on fire to show how having smoke detectors should be a high priority.

      I realize you're not being 100% serious, but this reasoning is stupid.

    2. Re:A worm that deletes everything. by eofpi · · Score: 4, Funny

      Well, there's always hoping for this to happen....

      --
      Y'know, you blow up one sun and suddenly everyone expects you to walk on water.
    3. Re:A worm that deletes everything. by tom1974 · · Score: 5, Insightful

      That would make keeping your computers patched a high priority for most of the users.

      What has that to do with this story? RTFA and please stop blaming the user for everything.

      Running WinXP SP2 and fully patched system. I run Norton anti-virus, spybot, Ad-aware and now MS Antispyware and enabled autoupdate.

      Checked out Secunia, ran their test and my system was found vulnerable.

      What more should I patch?

    4. Re:A worm that deletes everything. by skiman1979 · · Score: 4, Insightful

      It's a shame that Windows users need to install antivirus, spybot, ad-aware, and other scanners (and run them on a monthly...weekly...daily basis) to keep their computers clean. Also, don't forget about regedit. Seems Windows registry likes to corrupt itself. I dread the day that Linux gets to that point.

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
  6. Now we use IE6 and XP only for banking by Green+Salad · · Score: 5, Interesting

    It was mandatory for us to switch to Mozilla. Problem is all our financial vendors make use of Active-X.

    Result: Now we use Mozilla for casual browsing and use insecure products only when conducting important business!

    1. Re:Now we use IE6 and XP only for banking by SharpFang · · Score: 4, Interesting

      Switch to providers who don't lock you in with crappy service. And tell them clearly "Supporting only insecure Microsoft products you don't meet our security standards. Good Bye!"

      I'm not a big company, I'm just a private user. I very recently switched banks I use for personal finances. I left a "common" bank with its units in several thousands of locations, and introducing new fees and increasing old ones now and then to maintain them all, and with quite crappy and really expensive Internet service, that was supposed to work in Mozilla/Firefox but it more often didn't than did, and I signed up for an Internet bank. Reduced costs of maintenance resulting in zero fees on all operations and account maintenance, no other fees (except for withdrawal from ATM, very cheap too), and as they are an Internet bank, finally a REALLY professional Internet service. Working flawlessly in any browser, probably including Lynx :)

      I don't know how it works for big companies but I strongly encourage you to leave your old-fashioned banks and move to "Internet banking". Reducing number of channels where money flows lets them focus on keeping the channels they maintain highest quality.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  7. Whoa by FractusMan · · Score: 4, Informative

    I use Mozilla. I tried that test link, nothing at all happens. I have SP2 installed and all configured proper - except IE, which I didn't bother to touch at all since installation. I figured, hey, I've got an 'untouched' copy of IE here. I open it, I go to the test site, I click that link: WHOA. Holy crap. Help document pops up, and then (the scary part) a command prompt flicks open, does SOMETHING, and then a new window is up. Yikes. I guess some part of me always hoped these exploits were exaggerated in their swiftness and ability to bypass your input.

  8. it's not a vulnerability... by i+3+joo! · · Score: 3, Funny

    it's an IE feature.

  9. It fries Safari by kiddailey · · Score: 5, Informative


    Pardon the technical terminology :)

    With Safari 1.2.4 (v125.12), I get a "Safari cannot find the Internet plug-in." error dialog and then the beachball of death. Joy. Well, at least it's not opening the terminal.

    1. Re:It fries Safari by coyotecult · · Score: 5, Funny

      Beachball of death is just so much more fun and sunny sounding than blue screen of death! MS should've reworked their PR on that one.

    2. Re:It fries Safari by Alsee · · Score: 3, Funny

      Ohhh geez, I can just imagine the image:

      Blue sky
      Bright yellow sun
      White fluffy clouds
      Cheezy rainbow across the sky, and under the arc of the rainbow:
      A FATAL EXCEPTION 0E HAS OCCURRED AT 0157:BF7FF831
      Green grass
      Smiling happy sunflowers
      Pink fluffy bunnies hopping around and singing happy happy songs and dancing with the sunflowers.
      PRESS CONTROL+ALT+DELETE TO RESTART YOUR COMPUTER. YOU WILL LOSE ANY UNSAVED INFORMATION IN ALL APPLICATIONS.
      HAVE A HAPPY DAY!

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  10. Surfing with IE by The+Bringer · · Score: 5, Funny

    I have made my own little extreme sport out of it. I fill my old box with all of my financial information, and surf around using IE. I think Microsoft is pretty impressed, because they keep sending me boxes of Viagra and dog crap.

  11. No explanation about what the test does... by kiddailey · · Score: 5, Insightful


    What's scary is that page doesn't even detail what the test will do on your machine! Clicking the link is risky enough even if you did know what it was going to do (ie. how do you know their server hasn't been compromised and the test altered).

    All it says is "The test requires that you have Windows installed in 'c:/windows/'." Uh... Why? Is it actually doing something in there? Does it just need to access cmd.exe?

    Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.

    1. Re:No explanation about what the test does... by typhoonius · · Score: 4, Informative

      Click at your own risk, indeed. I suggest running it on a machine that you plan to reformat or under an emulator like VPC.

      It opens an HTML Help document, then a command console that quickly closes (dunno what that did), then opens an IE page with this helpful document.

    2. Re:No explanation about what the test does... by 0x461FAB0BD7D2 · · Score: 5, Informative
      The Secunia test uses the ntshared.chm MS-HTML help file, via ActiveX, to call this script, which, in turn, starts a new IE which goes to this site.

      The JMCardle test does something similar, but calls this script instead, which just runs
      mkdir C:\\ie6vulnerability.jmcardle
      in Command Prompt
    3. Re:No explanation about what the test does... by js7a · · Score: 4, Interesting

      This is a pretty good security advisory. It looks like it was actually meant to be understood by end users, and not just other security professionals. Then again, it seems to be taking a measurement without obtaining explicit permission first, and I'm sure that makes people nervous. But under the circumstances, it's probably not a bad decision to just go ahead. I mean, why not?

    4. Re:No explanation about what the test does... by mattyrobinson69 · · Score: 3, Informative

      No, internet explorer belongs here:

      \Program Files\Internet Explorer\Iexplore.exe

      Sounds like you've got a virus

    5. Re:No explanation about what the test does... by LiquidCoooled · · Score: 3, Informative

      The test requires the C:\windows folder because it directs the Help display control (hhctrl.ocx) to a default help file stored within the windows folder:

      "c:/windows/help/ntshared.chm"

      Once this help object is loaded, it can be activated, and malicious code can be injected using a second instance.

      Without a known help file location, the script is useless.

      --
      liqbase :: faster than paper
  12. Fairly simple solution by jazman · · Score: 4, Informative

    although it requires a bit of messing around. IE - Tools - Options - Security.

    select Internet Zone; click Custom Level; set just about everything to Disable or Prompt.

    select Trusted Sites; click Sites; remove https requirement (because the use of https is no guarantee of safety). Then go to Custom Level, then set some items to Prompt, most to Enable.

    This way, anything that isn't in your Trusted Sites list can't get up to any substantial shenanigans. When a page doesn't work, add the site to the Trusted Sites list.

    Then, even if the page is one that attempts to initiate a cascade of pr0n sites that only open more up each time you close one, it may be able to open the first level of the cascade, but unless the cascaded ones are also on your Trusted list that's where the cascade will stop.

    Some pages redirect you to another site; some have frames on different sites and so on, and this can get a bit tedious, but for the most part this makes IE6 invulnerable to Secunia's tests.

    Also I only use IE for secondary browsing, where something REALLY won't work in Firefox, which is also protected by Proxomitron.
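
Added example (not part of the original thread, and not Microsoft or Secunia code): a Python check for the Internet-zone hardening described in the comment above. It parses a text export of the zone registry keys and reports ActiveX and scripting rows that are not set to Prompt or Disable; the sample export is constructed and the function names are this example's own.

```python
import re

INTERNET_ZONE = "3"  # ...\Internet Settings\Zones\3 is the Internet zone

# URL action ids behind the ActiveX and scripting rows of the "Custom Level" dialog.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked safe",
    "1400": "Active scripting",
    "1405": "Script ActiveX controls marked safe for scripting",
}
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}

SECTION = re.compile(r"^\[.*\\Zones\\(\d+)\]$", re.I)
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_zone_export(text):
    """Return {zone number: {action id: value}} from .reg export text.

    regedit and `reg export` write UTF-16 files, so decode the file with
    encoding="utf-16" before passing its text in.
    """
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SECTION.match(line)
            current = zones.setdefault(m.group(1), {}) if m else None
            continue
        m = DWORD.match(line)
        if m and current is not None:
            current[m.group(1).upper()] = int(m.group(2), 16)
    return zones


def audit_internet_zone(zones):
    """Return (action id, label, state) for rows that are not Prompt or Disable."""
    settings = zones.get(INTERNET_ZONE, {})
    findings = []
    for action, label in ACTIONS.items():
        value = settings.get(action)
        if value is None:
            # No per-user value in the export: another default applies, check it by hand.
            findings.append((action, label, "not set"))
        elif value not in (1, 3):
            findings.append((action, label, POLICY.get(value, hex(value))))
    return findings


# Constructed sample export: Trusted sites (zone 2) permissive, Internet zone
# (zone 3) mostly locked down but still running ActiveX controls.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1200"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000001
"""

if __name__ == "__main__":
    for action, label, state in audit_internet_zone(parse_zone_export(SAMPLE_EXPORT)):
        print(f"Internet zone {action} ({label}): {state}")
```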

    1. Re:Fairly simple solution by nagora · · Score: 3, Insightful
      What the hell is wrong with people?
      1. People really do fear change,
      2. Microsoft has succeeded in producing a massive lock-in with their products,
      3. Many people, wrongly, think that a "big name", whether in computers or cars or whatever, means big support and that small companies can not have the resources to make "fully functioned" products. The trick here is that many of the extra functions were added to push the upgrade sales, not for any utility,
      4. Many people are stupid,
      5. Large companies get quiet "bonuses" for standardising on third-rate crap from Microsoft (and Intel, for that matter - I was offered free hardware if I would make our company website slower, to encourage upgrading of machines),
      6. Many many people have too little time to bother finding out about the alternatives.

      That's part of the answer, anyway.

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  13. Re:But... by ozmanjusri · · Score: 3, Informative

    Why not just put it into .hlp files like it used to be? I don't recall any security issues with those.

    Not since December 27 2004, anyway...

    "XFocus also reported a hole in winhlp32.exe, the Windows .hlp file parsing program. The vulnerability is forged from a decoding error within the .hlp header. A perpetrator can exploit the flaw by triggering a heap-based buffer overflow."
    http://www.esecurityplanet.com/patches/article.php/11778_3452081

    --
    "I've got more toys than Teruhisa Kitahara."
  14. Sophos Anti-virus detects pages using this exploit by kasihan · · Score: 4, Informative

    I use Sophos Anti-virus - and it alerts on the cached copy of the test page as containing a virus/exploit EXP/Phel-A:

    http://www.sophos.com/virusinfo/analyses/expphela.html/


    EXP/Phel-A detects files that exploit the HTML Help Control Vulnerability which affects systems installed with Microsoft Windows XP Service Pack 2.

    This vulnerability allows arbitrary code execution on the vulnerable system by bypassing security constraints established by the operating system.
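
Added example (not from the thread, and not Sophos's or Secunia's code): a Python static check built on LiquidCoooled's description earlier in the thread and the EXP/Phel-A note above. It flags a page that instantiates the HTML Help control and hands it a local-drive .chm path; the CLSID is the HTML Help control's documented class id rather than a value from this page, and both sample pages are constructed and inert.

```python
import re
from html.parser import HTMLParser

# Class id of the HTML Help ActiveX control (hhctrl.ocx); not taken from the thread.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# A drive-letter path ending in .chm. The lookbehind stops the "p:/" inside
# "http://" from being read as a drive letter.
LOCAL_CHM = re.compile(r"(?<![a-z])[a-z]:[\\/][^\"'<>|?*]*?\.chm", re.I)


class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        # One entry per open <object>: its id if it is the Help control, else None.
        self.stack = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            ref = (a.get("classid", "") + " " + a.get("codebase", "")).lower()
            is_help = HHCTRL_CLSID in ref or "hhctrl.ocx" in ref
            self.stack.append((a.get("id") or "(no id)") if is_help else None)
        elif tag == "param" and self.stack and self.stack[-1] is not None:
            m = LOCAL_CHM.search(a.get("value", ""))
            if m:
                self.findings.append((self.stack[-1], a.get("name", ""), m.group(0)))

    def handle_endtag(self, tag):
        if tag == "object" and self.stack:
            self.stack.pop()


def scan_html(html):
    """Return (object id, param name, local .chm path) for each suspicious param.

    Only static <object>/<param> markup is inspected; a control created from
    script at run time is outside what this check can see.
    """
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed, inert sample: Help control pointed at the help file named in the thread.
SUSPECT_PAGE = """<html><body>
<object id="helpctl" type="application/x-oleobject"
        classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
  <param name="Item1" value="c:/windows/help/ntshared.chm">
</object>
</body></html>"""

# Constructed negatives: a different control with a local path, and the Help
# control given a remote URL.
BENIGN_PAGE = """<html><body>
<object id="other" classid="clsid:00000000-0000-0000-0000-000000000000">
  <param name="src" value="c:/windows/help/ntshared.chm">
</object>
<object id="helpctl" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
  <param name="Item1" value="http://example.com/manual.chm">
</object>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_html(page))
```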

  15. BFD by Anonymous Coward · · Score: 3, Insightful
    I don't see what the big deal is. Provided that all of your users are rocket-scientists that never, ever do anything stupid that allows any hostile code access to their machines, then all your company's intranet sites should be safe and aren't going to include this IE exploit. IE will remain safe to use.

    As for the internet, let's be serious. Anyone who, since 1995 (when ActiveX was introduced), has used MSIE on the internet, is just plain stupid, and has never had a reasonable expectation of either security or privacy. This has literally been known for nearly a decade now. "Fool me once, shame on you. Fool me 621498 times, shame on me."

    1. Re:BFD by Ghostgate · · Score: 5, Funny

      "Fool me once, shame on you. Fool me 621498 times, shame on me."

      GWB said that, right?

  16. Re:But... by RAMMS+EIN · · Score: 3, Informative

    ``Secondly, why in the HELL is anyone using HTML files for help documents?''

    Why not HTML? Windows help is hypertext, and HTML is the standard for exactly that. I'm all the happier when people use standard formats rather than proprietary ones.

    And for the record: HTML is completely secure. It's just data that gets rendered. Security holes are always either in the code that processes the HTML (which is a problem with that code, not with HTML) or in extensions (which is a problem with the extension and the program that uses the extension).

    --
    Please correct me if I got my facts wrong.
  17. Ya I pretty much have to recommend no IE now by Sycraft-fu · · Score: 4, Interesting

    I'm a Windows guy, and generally I think MS does good work (please no retarded flames on this I won't respond). However IE is just not worth using as a web browser these days. I have switched to Firefox, switched all lab systems I control, and recommend to everyone that they switch. It is just as fast, in my experience, has support for more of the W3 standards, and is more customizable. The only area it falls behind in is rendering broken code, and that's rare enough it's not a big deal.

    The security issues are another consideration as well. Active X controls in a webpage were a nice idea, as a way to add neat functionality, however it simply opens up the possibility of too many exploits. It's not a matter of doing better checking of code or such, it's just too much power for a website to have.

    So, even liking MS generally, I have to recommend against IE. Firefox is currently better in all the ways that really matter.

    Also, I've noticed some people mention online banking as a problem. Bank of America works fully with Firefox and has generally been a decent bank. Though I imagine if Firefox grows much more banks will have little choice but to support it.

  18. What did Microsoft do to SP2 by Nuskrad · · Score: 5, Interesting

    I'm running XPSP1 with all critical updates installed. To get the exploit to run with IE on my computer I have to manually change the security level to low, allow an unsigned ActiveX control to run when it warns me I shouldn't, and confirm the overwriting of files. What the hell did Microsoft do in SP2 to make it vulnerable?

  19. Help me!! by Piranhaa · · Score: 5, Funny

    Hey can someone please tell me how I can find out where my windows is installed? It says here http://secunia.com/internet_explorer_command_execution_vulnerability_test that windows needs to be installed in c:\windows\ for their test exploit to work 'properly'

    Computer specs: iBook g3 800mhz...

    I hope that helps a little

  20. McAfee virusscan itself is also affected in a way! by PommeFritz · · Score: 5, Informative

    I have McAfee virusscan 9.0 installed.
    Clicking the test link with IE proved that my system is vulnerable (if using IE, which I'm not, of course). I had expected McAfee to block this web page, but it didn't. So I went to the internet security options panel in IE, and disabled all ActiveX controls.
    But lo and behold, McAfee virusscan stopped working!
    All their dialogs and panels seem to be using IE's HTML engine for display, and all I get now is first an error "your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly" and then an empty window when trying to access any of McAfee's information or settings dialogs!!
    What a load of crap. I will send them a complaint, and remove their product from my computer right now, to replace it with a good, free virusscanner. Any recommendations? Thanks.

  21. Re:That's exactly my point... by irc.goatse.cx+troll · · Score: 5, Informative

    Launches the new IE window using cmd /c iexplore.

    --
    Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
  22. Reported to Microsoft ... by un1xl0ser · · Score: 4, Informative

    In case anyone missed this, it was reported to Microsoft on 2004-10-13.

    Three months later, no sign of a patch.

    --
    v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
  23. Non-admin won't help you much by MarkByers · · Score: 3, Insightful

    creating a non-admin user for web browsing

    This assumes that there are no local exploits to promote users to superusers. It is a much better idea to use a secure product, rather than hoping that there are no security vulnerabilities in the Windows kernel.

    --
    I'll probably be modded down for this...
  24. good reflexes by camcorder · · Score: 3, Funny

    ...(reported to Microsoft on 2004-10-13).
    That's almost whole 3 months. And since then no vendor patch for such a critical bug found in a major product. Not even a warning or anything. That must be the service that any microsoft software user would expect. Wondering if this is a promotion campaign for their new virus and spyware tools.

    This bug and some recent others again proved that Microsoft embedded Internet Explorer in such a way that you can't distinguish it from Windows Explorer.

  25. Re:McAfee virusscan itself is also affected in a w by zerocool^ · · Score: 3, Informative

    I am sorry that I cannot recommend any free virus scanners. The *only* virus scanner that I ever recommend to anyone now is TrendMicro. After working with it for a while now, I almost refuse to fix problems with McAfee and Norton. Both of them drastically slow down a computer, and both of them miss viruses that TM finds regularly.

    If you'd like to see it in action, go to Trendmicro.com/download and click on "Damage Cleanup Engine", download "sysclean", then go back and click on "Virus Pattern File" and download the latest (currently lpt335.zip). Unzip this into the same directory as sysclean and run it.

    This solution won't stay in memory and scan everything that accesses your computer or HDD, but it will find viruses if you have any.

    ~Will

    --
    sig?
  26. No luck with Safari, either by Ohreally_factor · · Score: 3, Funny

    I just e-mailed Steve Jobs basically the same thing about the Safari Browser. If Apple ever hopes to make it into the enterprise, they're going to have to include at least equivalent functionality for developers to, er, exploit.

    --
    It's not offtopic, dumbass. It's orthogonal.
  27. So what you're telling me is that by TrekkieGod · · Score: 4, Interesting
    this has been known for 3 months and there are still no patches available from microsoft? According to windows update, I'm fully patched, according to their test page, IE is still vulnerable. I think that's even worse than it being a new vulnerability.

    Lucky me that I use firefox, and just got IE out to try out that test. And don't give me stuff about "turn off activeX" or some bs like that. The point is, how many non-tech savvy people think they're safe because they've done what we told them to do and kept their computers patched?

    --

    Warning: Opinions known to be heavily biased.

    1. Re:So what you're telling me is that by CerebusUS · · Score: 4, Insightful

      No, What I'm telling you is that this article was written and posted to provide fodder for a flame war.

      You are still vulnerable because Microsoft has determined that this vulnerability is:

      a) unpatchable without ruining the functionality of the product

      and / or

      b) not a large enough threat to worry about.

      Now I'm _not_ going to argue whether either of these points is correct or not. But to present these as "New exploits" is typical Slashdot anti-journalism. They did the same thing when they announced the "New" vulnerabilities for Firefox a few days ago. Those were not new either, but neither the submitters nor editors bothered to read the articles that were submitted.

  28. Your solution breaks McAfee virusscan by PommeFritz · · Score: 3, Informative

    As you can read in my comment below about McAfee Virusscan 9.0, disabling activex in internet explorer breaks every settings and information panel of that virus scanner.
    Great. A virus scanner that contains IE.
    (I deinstalled McAfee an hour ago).