Slashdot Mirror


IE Flaw Gives Hackers Access To User Files

snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."

53 of 259 comments

  1. *sigh* ... blame Netscape. by hey! · · Score: 3, Insightful

    Had Microsoft not needed something to drive a stake through Netscape's heart, it wouldn't have needed to concoct its own Frankenstein's monster of confused and misbegotten priorities.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. This is bad. by Buelldozer · · Score: 5, Insightful

    When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.

    1. Re:This is bad. by Z34107 · · Score: 2, Insightful

      Package that up into a script and you could probably scan for 1,000 different cookies in the time it took you to read my post.

      Definitely! Reading everyone else's cookie is much more interesting than using an exploit to read your own cookies! :P

      --
      DATABASE WOW WOW
    2. Re:This is bad. by Pastis · · Score: 2, Funny

      1000 cookies! Fast way to a diet!

    3. Re:This is bad. by jimicus · · Score: 4, Insightful

      Well, if any of those cookies are being used by supposedly secure sites to remember somebody's login so they can conveniently purchase in future, you may well know enough to log into their account on those shopping sites and get their real name, address and purchasing history. From this point, it's not a particularly large step to large-scale identity theft.

    4. Re:This is bad. by JoshuaZ · · Score: 2, Insightful

      Someone please mod parent up. This is an excellent example of an exploit that at first glance looks harmless but could be used for very nefarious ends.

    5. Re:This is bad. by girlintraining · · Score: 4, Informative

      When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.

      You seem to forget that Windows XP, Vista, and Windows 7 all have file indexing enabled by default. By accessing those hidden .db files, you can get the complete list of filenames in each directory, including the names of the subdirectories in some cases.

      --
      #fuckbeta #iamslashdot #dicemustdie
  3. I wonder... by Ismene · · Score: 5, Insightful

    I wonder how many people have a "passwords.txt" file in their Documents. ;-)

    1. Re:I wonder... by byrdfl3w · · Score: 5, Funny

      Whew! Thanks! I deleted all my password.txt files before some nasty hacker got to me.
      Now I gotta tell my friends about this! Hold on while I log..

      Oh crap.

  4. Flawed by mcgrew · · Score: 4, Insightful

    an attacker may be able to access files with an already known filename and location

    One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

    "Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008," it said.

    Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?

    Microsoft hasn't seen any attacks that exploit the flaw and has yet to decide whether to repair the flaw through its monthly security patch release cycle or an urgent, out-of-cycle update.

    Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?

    1. Re:Flawed by radish · · Score: 3, Insightful

      Is this a ploy to get people to upgrade from XP?

      I'd say it's (yet another) reason to stop using a 9-year-old OS. How many of the major Linux distros still support versions that old? How many people would recommend continuing to run a version that old?

      --
      One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"

    2. Re:Flawed by Anonymous Coward · · Score: 2, Informative

      > Has yet to decide whether to repair it?

      No, has yet to decide whether to repair it now or wait until Patch Tuesday.

      There are plenty of legitimate reasons to criticise Microsoft (like leaving things unpatched until Patch Tuesday) but misinterpreting their statements doesn't help anybody.

    3. Re:Flawed by Leynos · · Score: 3, Insightful

      C:\users\%USERNAME%\Documents anyone?

      --
      "Did you exchange a walk on part in the war for a lead role in a cage?"
    4. Re:Flawed by drinkypoo · · Score: 3, Interesting

      The difference is that a lot of software which works on Windows XP is broken on Windows 7, including several games that I tried, whereas for the various Loki games that don't work there's Loki_Compat, and for most everything else you have source and can recompile. There's still ample reason to use Windows XP, because for many tasks it is superior to modern Windows. Of course, there are limited cases where this is true for Linux as well, such as when you desire to run OpenMOSIX which AFAIK last worked on 2.4 series kernels.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Flawed by cbhacking · · Score: 3, Informative

      Protected Mode requires a substantial change to the process security model. Basically, until Vista/Server 2008, NT followed what was essentially the *NIX security model, where access permissions of a program were determined by the user/group the program was run by. There are differences in implementation between NT and the various POSIX systems, but that's the general idea. The problem is that when the vast majority of your users run with nearly full access to the system, one misbehaved (vulnerable) program can bring everything crashing down.

      In NT6 (Vista/Server 2008), Microsoft introduced a new concept of process integrity levels, which are a per-process (rather than per-user) level of security. By default, programs run with medium integrity, which means their access permissions are basically what they were before. High integrity processes, such as system processes or anything run with actual Administrator permissions, can access anything but can't be accessed by lower-integrity programs (which helps prevent elevation of privilege from a non-Admin program).

      The relevant datum here is that Internet Explorer runs (by default) with Low integrity, which means it has extremely limited access to the rest of the system. A low-integrity process can't start medium-integrity processes, can't write to the vast majority of the filesystem (there's a special low-integrity folder for things like Temporary Internet Files) or registry, and basically is unable to cause any harm. The trick is, it has these limitations regardless of the permissions of the user who runs the program.

      XP can't do that. If you, as a user, can write to a location, any program you start can too (unless you tell Windows to start it as another user). Therefore, since Protected Mode is just Microsoft's term for "this process runs with low integrity" and XP can't *do* low integrity, no, you don't get Protected Mode on XP, and never will (it would require a substantial change to the kernel security subsystem).

      --
      There's no place I could be, since I've found Serenity...
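The integrity-level model described in the comment above, as an added example that is not part of the thread: a PowerShell check (assumes Windows Vista/Server 2008 or later with Windows PowerShell and .NET) that lists every running process with its mandatory integrity level via the Win32 token API, so a defender can confirm that an iexplore.exe instance really is at Low (Protected Mode) rather than Medium. The class name MicNative and the function Get-IntegrityLevel are the example's own.

```powershell
# Added example, not from the thread: report the mandatory integrity level of
# every process the current user is allowed to open. Requires Vista/2008 or later.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class MicNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_MANDATORY_LABEL { public SID_AND_ATTRIBUTES Label; }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int retLen);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $src

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$TOKEN_QUERY = 0x0008
$TokenIntegrityLevel = 25   # TOKEN_INFORMATION_CLASS member that returns the integrity label

function Get-IntegrityLevel([int]$ProcessId) {
    $proc = [MicNative]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($proc -eq [IntPtr]::Zero) { return 'n/a' }   # protected or other-user process we cannot open
    try {
        $token = [IntPtr]::Zero
        if (-not [MicNative]::OpenProcessToken($proc, $TOKEN_QUERY, [ref]$token)) { return 'n/a' }
        try {
            # First call only reports how large a buffer the label needs.
            $len = 0
            [void][MicNative]::GetTokenInformation($token, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$len)
            $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($len)
            try {
                if (-not [MicNative]::GetTokenInformation($token, $TokenIntegrityLevel, $buf, $len, [ref]$len)) { return 'n/a' }
                $label = [Runtime.InteropServices.Marshal]::PtrToStructure($buf, [MicNative+TOKEN_MANDATORY_LABEL])
                # The integrity level is the last sub-authority (RID) of the label SID.
                $sid   = $label.Label.Sid
                $count = [Runtime.InteropServices.Marshal]::ReadByte([MicNative]::GetSidSubAuthorityCount($sid))
                $rid   = [Runtime.InteropServices.Marshal]::ReadInt32([MicNative]::GetSidSubAuthority($sid, $count - 1))
                switch ($rid) {
                    0x0000  { 'Untrusted' }
                    0x1000  { 'Low' }      # IE Protected Mode tabs run here
                    0x2000  { 'Medium' }   # ordinary user processes
                    0x3000  { 'High' }     # elevated administrator
                    0x4000  { 'System' }
                    default { '0x{0:X}' -f $rid }
                }
            } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
        } finally { [void][MicNative]::CloseHandle($token) }
    } finally { [void][MicNative]::CloseHandle($proc) }
}

$report = Get-Process | ForEach-Object {
    [pscustomobject]@{ Name = $_.ProcessName; Id = $_.Id; Integrity = (Get-IntegrityLevel $_.Id) }
}
$report | Sort-Object Integrity, Name | Format-Table -AutoSize

# An iexplore entry at Medium is a tab running outside Protected Mode, which is
# the configuration the advisory says this flaw needs.
```

Add-Type compiles the class once per session, so re-running the script in the same console reuses the existing MicNative type.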
  5. c:\Windows\System32\ by LikwidCirkel · · Score: 3, Insightful

    Hmm.. the most obvious predictable file names are conveniently the most dangerous for someone to have access to.

    1. Re:c:\Windows\System32\ by eln · · Score: 3, Interesting

      The article seems to suggest (although does not explicitly state) that the hacker would be able to read the files, not overwrite them. If that's the case, I don't see why the System32 directory would be that important, unless you keep secret data embedded in your system binaries.

    2. Re:c:\Windows\System32\ by radish · · Score: 3, Informative

      Except as far as I can tell from the advisory, the files are read only.

      --
      One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"

    3. Re:c:\Windows\System32\ by pipatron · · Score: 2, Interesting

      Actually, a very important distinction of the word "access" was not mentioned. This flaw only seems to give read access to the files, so you cannot just modify any file you wish.

      It's still a major security flaw, of course, but will be slightly more difficult to exploit. It's great for targeted phishing though. You'll be able to find out a lot about the target.

      --
      c++; /* this makes c bigger but returns the old value */
    4. Re:c:\Windows\System32\ by hawaiian717 · · Score: 3, Insightful

      C:\windows\system32\config\sam

      Read-only access is all you need...

      --
      End of Line.
    5. Re:c:\Windows\System32\ by WillAffleckUW · · Score: 3, Insightful

      yeah, it's not like there are stored connection strings to databases ... um ...

      --
      -- Tigger warning: This post may contain tiggers! --
    6. Re:c:\Windows\System32\ by Sleepy · · Score: 2, Insightful

      That's not the case.

      It's not like memory dumps don't ever get dumped there if you had an OS crash, and it's not like memory dumps would ever contain user data like user passwords. There's user data in there. Where does the REGISTRY get saved???

      This is BAD.

    7. Re:c:\Windows\System32\ by EvanED · · Score: 2, Informative

      C:\windows\system32\config\sam
      Read-only access is all you need...

      And I'm sure that'd work real well:

      C:\WINDOWS\system32>echo %USERNAME%
      administrator

      C:\WINDOWS\system32>c:\cygwin\bin\head config\sam
      /usr/bin/head: cannot open `config\\sam' for reading: Device or resource busy

      C:\WINDOWS\system32>type config\sam
      The process cannot access the file because it is being used by another process.

  6. CVE-2010-0255 by Anonymous Coward · · Score: 2, Informative
  7. WHY THE FUCK DO PEOPLE STILL USE IE? by Anonymous Coward · · Score: 2, Insightful

    This is just fucking stupid. WHY DO PEOPLE AND BUSINESSES STILL USE IE?

    We KNOW it's full of holes. Not just small ones, but literally, gaping goatse-sized holes. This is a perfect example, to go along with the hundreds of other problems we know of.

    There are so many alternatives today! We are living in a time of plenty when it comes to browsers. I mean, we have Opera that runs just about everywhere. We have Firefox if you want extensibility. If you prefer the feel of the old Netscape Communicator suite, there's Seamonkey. If you want a fast browsing experience, use Chrome or Safari or Konqueror.

    Legacy ActiveX controls just aren't enough of an excuse these days. If you're still using that piece of shit "technology", then you need to get your network off of the public Internet. You and your network are nothing but a disaster waiting to happen.

    1. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by calmofthestorm · · Score: 2, Interesting

      I read about vulns in Firefox pretty often too. Granted, IE's tend to be stupider and MS's policy of ignoring vulns until they're shoved in their faces with an in-the-wild exploit (and then only patching once a month) is pretty awful, but it's not like other browsers are a magic bullet.

      That said, I wouldn't be caught dead using IE, nor let friends or family do it.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    2. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by LikwidCirkel · · Score: 2, Insightful

      If you give people a free car with houses, that "works" enough to get from A to B, then how many people will make the effort to get a different free car if they're not aware that there is anything wrong with the first one?

    3. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by c_sd_m · · Score: 2, Insightful

      The OP's point was closer to "if Fords were free, how many people would bother to buy Hondas?"

    4. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by sopssa · · Score: 3, Interesting

      If a site needs IE today, I don't need that particular site.

      Good luck trying to tell that to your boss.

    5. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by sopssa · · Score: 2, Insightful

      It doesn't work like that. There are billions of sites on the internet. If your site doesn't work with them, they go somewhere else. And it would be quite stupid to ignore a browser that holds the largest market share. Sad, but true.

    6. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by sopssa · · Score: 2, Insightful

      Because none of the browsers you listed are as easily configured enterprise wide as IE is with group policies.

      Exactly. This is a thing OSS developers usually miss. They develop primarily for home users or single users and have no idea how it works in work place, while MS understands a need for enterprise solutions.

    7. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by cbs4385 · · Score: 2, Interesting

      I work in the US Health Care Industry, principally making tools for hospitals to use a patient's electronic health record. The majority of our clients are forced into using IE6 by their IT departments.
      There's a reason I use my HIPAA rights to make sure my records only live on paper.

    8. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by Sancho · · Score: 2, Informative

      Sure. But then we're probably talking about home computers. I don't ever use IE for personal work. If I have to use it for work, it's on a company computer.

    9. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by Blakey+Rat · · Score: 3, Informative

      Only one reason as far as I'm concerned - Netflix instant viewing. Won't run in FF at all

      It won't? What the hell have I been doing for the last 6 months?! I must be delusional.

      Or, more likely, you have your Firefox tweaked all to hell and you're blaming Netflix for your own tinkering. Believe me: it works fine in Firefox.

    10. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by hairyfeet · · Score: 2, Informative

      Uhhhh...You DO know that Frontmotion offers a Group Policy Friendly Firefox, yes? That they even offer a Community Edition for Group Policy support, and a Firefox packager that lets you even bundle the extensions you desire.

      One of the nice things about FOSS is if there is a need the parent company refuses to acknowledge then someone else is free to take that problem on and release their own version.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    11. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by DJRumpy · · Score: 2, Informative

      Irrelevant for this issue, as it appears to affect all versions of IE with Win 2000, XP, and Server 2003 affected. From TFA:

      "The IE vulnerability disclosed on Wednesday, which is caused by incorrectly rendering local files in the browser, affects several versions, including Internet Explorer 5.01 and IE 6 on Windows 2000; IE 6 on Windows 2000 Service Pack 4; and IE6, IE 7, and IE 8 on Windows XP and Windows Server 2003, Microsoft said."

      Unless someone is running Vista, or Win 7, they are at risk.

  8. I'm really getting sick of this excuse by apparently · · Score: 4, Insightful

    "The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."

    Good thing no one knows to look for: "%USERPROFILE%\My Documents\Quicken\qdata.qdf"

  9. Modifying hosts.txt by Jorl17 · · Score: 2, Insightful

    Modifying hosts.txt could be one of the biggest issues with this one. And yet, it's just another flaw much like there are hundreds of others in any browser.

    --
    Have you heard about SoylentNews?
    1. Re:Modifying hosts.txt by natehoy · · Score: 2, Informative

      Actually, the security advisory describes the attack, and while the remote attacker would have access to any file the local user does, it does not appear the file could be altered, just copied or examined. The security bulletin never lays this out in uncertain terms, but the description of the actual process looks like a read-only one.

      Given that Windows usually stores important stuff in c:\Documents and Settings\(username)\blahblah, the remote attacker would have to know (username) before they could get to the juicy stuff. And that's just not all that practical in a remote attack scenario. Most of the truly known paths just don't contain a lot of common filenames that are unique and contain important data.

      Still, Protected mode in Vista and above protects you, and the bulletin shows a workaround for Windows XP (set the file:// protocol so it can't run ActiveX even locally).

      And there's always a better browser, which would be defined pretty much as anything without ActiveX. But that's a given.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    2. Re:Modifying hosts.txt by natehoy · · Score: 2, Insightful

      http://www.microsoft.com/technet/security/advisory/980088.mspx

      When in doubt, go to the source. Microsoft has a pretty decent write-up on this one. I don't know who taranfx.com is, but the only accurate bits of information in their article are what they cut-and-pasted from the Microsoft site. The rest is, umm, "fanciful". Sorry, I gotta call 'em like I see 'em.

      Oh, one other useful bit from their site... that everyone should stop using IE. Now.

      I'd also add to only run a browser that has something like NoScript available. Javascript is just chock full of vulnerabilities of its own. Any time you allow strangers to run code on your computer, you are just asking for trouble.

      But by now that goes without saying, and I've already said it until I'm blue in the face, and I've given up. Don Quixote is cut out for that sort of thing, I'm not.

      If you use IE in Vista or Seven, turn protected mode on. If you use IE on XP, load the file:// protocol fix outlined at Microsoft's site. Hopefully Microsoft will come out with a fix soon. Load it. Immediately.

      This may not be a serious vulnerability, but the vector will surely be used for more serious ones real soon as the black hatted assholes figure out how to read your file index and get a list of files to choose from.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  10. Only under certain circumstances. by 140Mandak262Jamuna · · Score: 4, Funny

    There is nothing to see here folks, move on. The bug kicks in only under certain circumstances. The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. Windows.edb = windows search index by electrogeist · · Score: 5, Interesting

    If they grab the windows search index file then they'd have a map to everything else?

    get \ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (vista)
    or \All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb (xp)

    and http://www.simplecarver.com/tool.php?toolname=Windows Search Index Extractor

  12. Firefox Mode by markalot · · Score: 2, Funny

    I run IE in Firefox mode, so I think I'm protected. ;)

  13. Re:Steam by legio_noctis · · Score: 5, Interesting

    Unfortunately, the thread asking for Webkit in Steam at http://forums.steampowered.com/forums/showthread.php?t=861863 demonstrates how clueless the average gamer is about standards etc.

    Some choice quotations:

    "ie is fine"

    "I'd rather not have steam bloated with redundant tech right now."

    "Also W3C != Web Standards, and IE aren't the only ones not complying with the "standards", Firefox didn't comply with all W3C published recommendations either.(Don't know if that's still the case) [...] Microsoft is a business, and they don't want to take the blame because of a third party's inability to properly design websites. That is their design goal, and as the W3C isn't enforceable, as it's not considered a standard"

    "It works, it is secure and it isn't that slow"

    "IE is fine, and so was Windows 98."

    "there is nothing wrong with the day-to-day performance of Trident."

  14. financial information vulnerable by commodoresloat · · Score: 4, Funny

    That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

    Oh shit ... hackers can find out how broke I really am!!

  15. Re:Holy Flashback, Batman?! by Z34107 · · Score: 2, Informative

    "Protected mode" is a marketing term meaning IE takes advantage of Vista's new permissions model. It means it's a low-privilege process and has most of its file system access effectively jailed or redirected.

    Long-winded article here, but I'm guessing the hack doesn't work in "Protected Mode" because the browser itself doesn't have much file system access.

    --
    DATABASE WOW WOW
  16. Hmm, how about the document search index? by Jason+Pollock · · Score: 2, Insightful

    Because there isn't an easily found, well known file that is a handy index of all of the files on your system:

    \ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

    http://en.wikipedia.org/wiki/Windows_Search

  17. You mean like... by Sfing_ter · · Score: 3, Interesting

    You mean like...
    C:\users\%username%\AppData\Local\Microsoft\Outlook\outlook.pst?
    hmmm...??? like that?

    --
    A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  18. I can see it coming.... by Asadullah+Ahmad · · Score: 2, Funny

    If things keep going like this regarding Microsoft and clever words, pretty soon this will be on Slashdot:

    "Microsoft has announced that it is investigating a vulnerability in IE where an attacker can gain access to customer's computer if they are connected to Internet. But as all versions of Windows do not have internet access by default, most users are not vulnerable"

    .

  19. Re:Steam by sopssa · · Score: 2, Informative

    Well, to be fair, they are somewhat correct. While I don't like the clunky browsing within Steam or the in-game overlay, switching over to another engine would be a lot of work and testing for Valve and could create even more problems for users. And that's all while the browser component is a side thing.

    For example, IE and its embedded component are supported on all versions of Windows. If Steam were to integrate their own browsing engine, they would have to make sure it works for 100% of users and they would have to maintain it. IE works in all situations as long as it already works for the user (which is pretty much every case) and the component gets updated along when the user updates IE.

    While I myself care a lot about standards, I don't see why an average gamer would do so. It already works well enough and is stable, so there's little to gain over the amount of added work it would put on Valve. I'm not even sure if any browser engine including Webkit can draw on a DirectX surface anyway - they would have to draw the window contents to a bitmap -> transfer to a texture -> draw on the DX surface anyway.

  20. Pesky NTOSKRNL.EXE by fibrewire · · Score: 2, Interesting

    Nobody knows where i keep THIS file.

  21. Re:Steam by Sleepy · · Score: 2, Informative

    >Nobody ships with all of the W3C published recommendations. That's just stupid. You can't hit a moving target like that.

    No no no no... red herring... you've been misled.

    A browser does NOT need to support all W3C recommendations.
    This is true for all browsers, even for IE.

    What all browsers are EXPECTED to do is - "if" they support a recommendation - that they do what the recommendation SPECIFIES.
    In other words, you choose to do a CSS attribute CORRECTLY.. or do it NOT AT ALL. IE would randomly do something *undefined* instead of nothing.

    Web developers literally spent YEARS reverse-engineering the exact behavior of Microsoft's undocumented standard. Had Microsoft not done anything at all with certain elements, the behavior would be quickly understood.

    I'll give you an example: IE 6 and 7 would recognize many attributes for CSS padding and margins. IE would certainly do something with these attributes... but what they did was the OPPOSITE of the specs in some cases. Not only that, but the inheritance rules were not consistent. You literally had to write 2X the CSS code if you wanted your web-standards code to work on IE6.

    This worked well for Microsoft - they essentially killed all progress on the web for a DECADE. Companies who locked themselves into IE6-based intranets did not care because there was no FireFox and no basis for Microsoft to put out new browser technology. MS wanted people to give up on HTML and just write everything in .NET. This is a holdover from the Microsoft "Blackbird" project, which seriously wanted to replace web HTML with compiled binary Microsoft-patented markup. Bill Gates's emails in the trial said he didn't want their bugs fixed if they were only causing problems in non-Microsoft browsers.

    When a browser does not support an effect, you can easily work around it. For example, if I couldn't assign a yellow background to a link, I could easily change course and wrap the A in a DIV and assign the style there instead. But what if the link color ceased to be yellow whenever that DIV was positioned with absolute instead of relative? What if the link disappeared whenever the DIV was inside a BODY tag which had a CSS background attribute?

    It's the *random* nature of MSIE bugs (and the arrogance of not fixing them) that made web developers the most vocal critics of Microsoft.

        if FireFox versions have issues with following the standard wrong, that gets fixed but it also is published what versions had that bug. So it's easy to design around without self-doubting your markup and CSS. You still can't go to the Microsoft website and get a solid definition of their CSS Box Model bugs.

    So, what percentage of W3 that gets implemented is not ever an issue; it's the quality and the truthfulness of the implementation.

  22. Re:NoScript isn't really "complex" by hairyfeet · · Score: 2, Informative

    The problem is they call me to tell them how to disable it, after spending 20 minutes getting frustrated because they have no idea which of those dozen scripts is the right one. Now surely it can't be that hard to scan the page, look for the *.flv or *.mp4 and give the user an easy "play video" button, followed by an "advanced button" sitting beside it if there are scripts besides the video?

    Sadly I am not a coder, but what I am thinking of would NOT lower security, nor take away features from the user, simply give the less advanced user a less advanced option to make their usage a little easier. The geeks would simply have to press a single button in options to keep the advanced (read regular) menu, while the less tech-savvy would have a single button that says "play video" and a single button that says "advanced" which would pop up the regular menu when pressed. Because I have seen pages with video where the NoScript list of blocked items nearly extends off the page, and having to click those one at a time until you trip over the right one is frustrating. I just think it needs to be a little easier for the average Joe to use, that's all.

    --
    ACs don't waste your time replying, your posts are never seen by me.