Slashdot Mirror


IE Flaw Gives Hackers Access To User Files

snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."


  1. *sigh* ... blame Netscape. by hey! · · Score: 3, Insightful

    Had Microsoft not needed something to drive a stake through Netscape's heart, it wouldn't have needed to concoct its own Frankenstein's monster of confused and misbegotten priorities.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. This is bad. by Buelldozer · · Score: 5, Insightful

    When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.

    1. Re:This is bad. by jimicus · · Score: 4, Insightful

      Well, if any of those cookies are being used by supposedly secure sites to remember somebody's login so they can conveniently purchase in future, you may well know enough to log into their account on those shopping sites and get their real name, address and purchasing history. From this point, it's not a particularly large step to large-scale identity theft.

    2. Re:This is bad. by girlintraining · · Score: 4, Informative

      When you go to my website I know what the cookie name is and I know the default file system location for that cookie. This one seems pretty bad.

      You seem to forget that Windows XP, Vista, and Windows 7 all have file indexing enabled by default. By accessing those hidden .db files, you can get the complete list of filenames in each directory, including the names of the subdirectories in some cases.

      --
      #fuckbeta #iamslashdot #dicemustdie
  3. I wonder... by Ismene · · Score: 5, Insightful

    I wonder how many people have a "passwords.txt" file in their Documents. ;-)

    1. Re:I wonder... by byrdfl3w · · Score: 5, Funny

      Whew! Thanks! I deleted all my password.txt files before some nasty hacker got to me.
      Now I gotta tell my friends about this! Hold on while I log..

      Oh crap.

  4. Flawed by mcgrew · · Score: 4, Insightful

    an attacker may be able to access files with an already known filename and location

    One more reason not to keep your files in "My Documents". That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

    "Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008," it said.

    Does XP have a protected mode? That's the version of Windows most people use IINM. Is this a ploy to get people to upgrade from XP?

    Microsoft hasn't seen any attacks that exploit the flaw and has yet to decide whether to repair the flaw through its monthly security patch release cycle or an urgent, out-of-cycle update.

    Has yet to decide whether to repair it? Hmmm... Ok, they're trying to decide when to. How about doing what every other browser company does and give us the patch NOW?

    1. Re:Flawed by radish · · Score: 3, Insightful

      Is this a ploy to get people to upgrade from XP?

      I'd say it's (yet another) reason to stop using a 9 year old OS. How many of the major linux distros still support versions that old? How many people would recommend continuing to run a version that old?

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    2. Re:Flawed by Leynos · · Score: 3, Insightful

      C:\users\%USERNAME%\Documents anyone?

      --
      "Did you exchange a walk on part in the war for a lead role in a cage?"
    3. Re:Flawed by drinkypoo · · Score: 3, Interesting

      The difference is that a lot of software which works on Windows XP is broken on Windows 7, including several games that I tried, whereas for the various Loki games that don't work there's Loki_Compat, and for most everything else you have source and can recompile. There's still ample reason to use Windows XP, because for many tasks it is superior to modern Windows. Of course, there are limited cases where this is true for Linux as well, such as when you desire to run OpenMOSIX which AFAIK last worked on 2.4 series kernels.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Flawed by cbhacking · · Score: 3, Informative

      Protected Mode requires a substantial change to the process security model. Basically, until Vista/Server 2008, NT followed what was essentially the *NIX security model, where access permissions of a program were determined by the user/group the program was run by. There are differences in implementation between NT and the various POSIX systems, but that's the general idea. The problem is that when the vast majority of your users run with nearly full access to the system, one misbehaved (vulnerable) program can bring everything crashing down.

      In NT6 (Vista/Server 2008), Microsoft introduced a new concept of process integrity levels, which are a per-process (rather than per-user) level of security. By default, programs run with medium integrity, which means their access permissions are basically what they were before. High integrity processes, such as system processes or anything run with actual Administrator permissions, can access anything but can't be accessed by lower-integrity programs (which helps prevent elevation of privilege from a non-Admin program).

      The relevant datum here is that Internet Explorer runs (by default) with Low integrity, which means it has extremely limited access to the rest of the system. A low-integrity process can't start medium-integrity processes, can't write to the vast majority of the filesystem (there's a special low-integrity folder for things like Temporary Internet Files) or registry, and basically is unable to cause any harm. The trick is, it has these limitations regardless of the permissions of the user who runs the program.

      XP can't do that. If you, as a user, can write to a location, any program you start can too (unless you tell Windows to start it as another user). Therefore, since Protected Mode is just Microsoft's term for "this process runs with low integrity" and XP can't *do* low integrity, no, you don't get Protected Mode on XP, and never will (it would require a substantial change to the kernel security subsystem).

      --
      There's no place I could be, since I've found Serenity...
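
Added example, not part of the thread or of cbhacking's comment: a Python sketch of the integrity-level rule described above. It reads a process's mandatory label from the output of `whoami /groups /fo csv /nh` (the sample text here is constructed) and applies the no-write-up check; the function names are hypothetical.

```python
import csv
import io

# Well-known mandatory-label RIDs (the last component of S-1-16-<RID>).
LEVELS = [(0x0000, "Untrusted"), (0x1000, "Low"), (0x2000, "Medium"),
          (0x3000, "High"), (0x4000, "System")]
DEFAULT_OBJECT_RID = 0x2000  # an object with no label is treated as Medium


def integrity_rid(whoami_csv):
    """Return the integrity RID from `whoami /groups /fo csv /nh` output."""
    for row in csv.reader(io.StringIO(whoami_csv)):
        # Columns: group name, type, SID, attributes.
        if len(row) >= 3 and row[2].startswith("S-1-16-"):
            return int(row[2].rsplit("-", 1)[1])
    raise ValueError("no mandatory label (pre-Vista token or truncated input)")


def level_name(rid):
    """Map a RID to the highest named level it reaches (8448 -> Medium)."""
    name = LEVELS[0][1]
    for floor, label in LEVELS:
        if rid >= floor:
            name = label
    return name


def may_write(process_rid, object_rid=DEFAULT_OBJECT_RID):
    """No-write-up: a process may not modify an object labelled above it.
    The ordinary user/group ACL check still applies afterwards."""
    return process_rid >= object_rid


# Constructed sample output, not captured from a real host.
ATTRS = "Mandatory group, Enabled by default, Enabled group"
SAMPLE_PROTECTED = (
    f'"Everyone","Well-known group","S-1-1-0","{ATTRS}"\n'
    f'"Mandatory Label\\Low Mandatory Level","Label","S-1-16-4096","{ATTRS}"\n'
)
SAMPLE_DEFAULT = (SAMPLE_PROTECTED.replace("Low Mandatory", "Medium Mandatory")
                  .replace("4096", "8192"))

if __name__ == "__main__":
    for title, text in (("low", SAMPLE_PROTECTED), ("medium", SAMPLE_DEFAULT)):
        rid = integrity_rid(text)
        print(title, level_name(rid),
              "| write to unlabelled file:", may_write(rid),
              "| write to Low-labelled folder:", may_write(rid, 0x1000))
```
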
  5. c:\Windows\System32\ by LikwidCirkel · · Score: 3, Insightful

    Hmm.. the most obvious predictable file names are conveniently the most dangerous for someone to have access to.

    1. Re:c:\Windows\System32\ by eln · · Score: 3, Interesting

      The article seems to suggest (although does not explicitly state) that the hacker would be able to read the files, not overwrite them. If that's the case, I don't see why the System32 directory would be that important, unless you keep secret data embedded in your system binaries.

    2. Re:c:\Windows\System32\ by radish · · Score: 3, Informative

      Except as far as I can tell from the advisory, the files are read only.

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    3. Re:c:\Windows\System32\ by hawaiian717 · · Score: 3, Insightful

      C:\windows\system32\config\sam

      Read-only access is all you need...

      --
      End of Line.
    4. Re:c:\Windows\System32\ by WillAffleckUW · · Score: 3, Insightful

      yeah, it's not like there are stored connection strings to databases ... um ...

      --
      -- Tigger warning: This post may contain tiggers! --
  6. I'm really getting sick of this excuse by apparently · · Score: 4, Insightful

    "The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."

    Good thing no one knows to look for: "%USERPROFILE%\My Documents\Quicken\qdata.qdf"

  7. Only under certain circumstances. by 140Mandak262Jamuna · · Score: 4, Funny

    There is nothing to see here folks, move on. The bug kicks in only under certain circumstances. The circumstances are apparently running a Windows system with Internet Explorer as the default browser. Come on, how many slashdotters do that?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  8. Windows.edb = windows search index by electrogeist · · Score: 5, Interesting

    If they grab the windows search index file then they'd have a map to everything else?

    get \ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb (vista)
    or \All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb (xp)

    and http://www.simplecarver.com/tool.php?toolname=Windows Search Index Extractor

  9. Re:Steam by legio_noctis · · Score: 5, Interesting

    Unfortunately, the thread asking for Webkit in Steam at http://forums.steampowered.com/forums/showthread.php?t=861863 demonstrates how clueless the average gamer is about standards etc.

    Some choice quotations:

    "ie is fine"

    "I'd rather not have steam bloated with redundant tech right now."

    "Also W3C != Web Standards, and IE aren't the only ones not complying with the "standards", Firefox didn't comply with all W3C published recommendations either.(Don't know if that's still the case) [...] Microsoft is a business, and they don't want to take the blame because of a third party's inability to properly design websites. That is their design goal, and as the W3C isn't enforceable, as it's not considered a standard"

    "It works, it is secure and it isn't that slow"

    "IE is fine, and so was Windows 98."

    "there is nothing wrong with the day-to-day performance of Trident."

  10. financial information vulnerable by commodoresloat · · Score: 4, Funny

    That part is easily guessed; "2009 Income Tax Returns" would be easy to guess as well.

    Oh shit ... hackers can find out how broke I really am!!

  11. You mean like... by Sfing_ter · · Score: 3, Interesting

    You mean like...
    C:\users\%username%\AppData\Local\Microsoft\Outlook\outlook.pst?
    hmmm...??? like that?

    --
    A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  12. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by sopssa · · Score: 3, Interesting

    If a site needs IE today, I don't need that particular site.

    Good luck trying to tell that to your boss.

  13. Re:WHY THE FUCK DO PEOPLE STILL USE IE? by Blakey+Rat · · Score: 3, Informative

    Only one reason as far as I'm concerned - Netflix instant viewing. Won't run in FF at all

    It won't? What the hell have I been doing for the last 6 months?! I must be delusional.

    Or, more likely, you have your Firefox tweaked all to hell and you're blaming Netflix for your own tinkering. Believe me: it works fine in Firefox.