Yet another Internet Explorer bug...
(The "UMD" Bug)

Last updated on 3/8/97


A patch is now available from Microsoft!

 

Overview:

On certain machines running Internet Explorer 3.0, an icon can be embedded within a web page.  When double-clicked, this icon may run a remote application without warning.  This is not the same as the ".LNK and .URL" bug discovered recently.

 

Breaking News:

 

Who may be victimized by the bug:

This bug only effects Internet Explorer 3.0 users (version 4.70.1215).  The problem is significantly more serious if the user is on a platform with CIFS (Windows NT 4.0 with Service Pack 1 or later installed).  If this is the case, the location of the malicious executable code to be run on the victim's machine could be anywhere on the Internet.  If this is not the case, the location of the machine containing the code is restricted to within the scope of Windows name resolution.  For example, the host must be either on the same subnet, listed in the victim's LMHOSTS file, or listed on the victim's WINS server.

 

Examples:

Working examples of this bug are provided on a separate page because Windows name resolution often forces Internet Explorer to block for 10 to 15 seconds. If this happens, just wait it out, your computer has not crashed. If you are using Internet Explorer on a machine that doesn't have CIFS, the wait period may be significantly longer in order for Windows name resolution to time out. It should be noted however that CIFS is required for these examples to function.

Click here to see the Examples page.

 

Is this related to the "other" Internet Explorer bug of a similar nature discovered by Paul Greene?

NoThis is not the same bug and the patch released to fix the other bug does not prevent this problem from occurring.  The only similarities between the the discovery of this bug and the discovery of the other bug is that I go to a college, live in a dorm, and have friends who helped me with this page.  It should also be noted that this bug is probably the result of the move to merge Internet Explorer with the Windows desktop, just as the other bug was.

 

So how does this work?

Internet Explorer enables a user to use a URL describing a remote directory.  When a user clicks on such a link, they are brought to what is essentially a Windows Explorer window, but inside of Internet Explorer.  If this URL is used as the basis for an <IFRAME> tag, an embedded frame can be created with what is essentially a Windows Explorer window inside.  If this window is made small enough, it appears to be some sort of button, one which runs a remote program when double clicked.  CIFS allows a machine to use the IP or hostname provided in the URL as a way of contacting the remote host containing the executable. 

 

Disclaimer:

I discovered a different bug in a Microsoft product a year ago, and I found that it is very bad for my own personal PR. The bug was a small and couldn't be used to gain access to a foreign computer system.  I wrote about the bug in an extremely responsible way and even submitted my description of the bug as a writing sample on an interview.  Nevertheless I was accused of being irresponsible, and even of being a "hacker."  I'll admit that I might have been irresponsible by not letting Microsoft know about the problem ASAP, but I am NOT a hacker.  Anyone who attempts to gain access to a computer without authorization is doing something dishonorable, illegal, and wrong.  Period.  If I am somehow made aware that someone has made use of the information on this page for a malicious purpose, I will not hesitate to alert the authorities.

In light of my experiences in the past, I feel I should mention that:

 


Initial discovery by David Ross [Widdle Doggie Now!]
Help from
Dennis Cheng and Asher Kobin.

Page created on 3/4/97
© 1997 Widdle Doggie. All rights reserved.