Last updated on 3/8/97
A patch is now available from Microsoft!
On certain machines running Internet Explorer 3.0, an icon can be embedded within a web page. When double-clicked, this icon may run a remote application without warning. This is not the same as the ".LNK and .URL" bug discovered recently.
- 3/8/97 6:47 pm - Microsoft has released a patch which fixes all three recently discovered bugs!
- 3/8/97 1:30 pm - Microsoft has given us a beta version of their patch. The patch fixes ALL three bugs and will be available on their IE security page shortly.
- 3/8/97 2:00 am - There are now THREE very recent Internet Explorer bugs that have been discovered. This page describes the bug discovered second, recently dubbed the "UMD" bug by Microsoft. The first bug, the "CyberSnot" bug, has been patched. A newly discovered third bug exploits the fact that ".isp" script files may be downloaded and executed by Internet Explorer. This is essentially just another permutation of the "CyberSnot" bug; however, the patch released by Microsoft to fix the "CyberSnot" bug does not fix this bug.
- 3/8/97 12:13 am - CNN has published this article.
- 3/7/97 7:30 pm - Microsoft has posted a FAQ at http://www.microsoft.com/ie/security/update.htm.
- 3/7/97 5:22 pm - Microsoft has let us know that more information will be posted on their site soon.
- 3/7/97 1:30 am - TechWeb published this article and MSNBC published this article with RealAudio clips.
- 3/6/97 4:30 pm - Microsoft asked that we provide a link to their security updates page at http://www.microsoft.com/ie/security/update.htm. Also, if you have security related questions, send mail to secure@microsoft.com.
- 3/5/97 7:30 pm - Microsoft contacted us and they are working on a fix.
- 3/5/97 5:45 pm - Reported to work in Memphis. (thanks to anonymous)
This bug only affects Internet Explorer 3.0 users (version 4.70.1215). The problem is significantly more serious if the user is on a platform with CIFS (Windows NT 4.0 with Service Pack 1 or later installed). If this is the case, the location of the malicious executable code to be run on the victim's machine could be anywhere on the Internet. If this is not the case, the location of the machine containing the code is restricted to within the scope of Windows name resolution. For example, the host must be either on the same subnet, listed in the victim's LMHOSTS file, or listed on the victim's WINS server.
Working examples of this bug are provided on a separate page because Windows name resolution often forces Internet Explorer to block for 10 to 15 seconds. If this happens, just wait it out; your computer has not crashed. If you are using Internet Explorer on a machine that doesn't have CIFS, the wait period may be significantly longer in order for Windows name resolution to time out. It should be noted, however, that CIFS is required for these examples to function.
No. This is not the same bug, and the patch released to fix the other bug does not prevent this problem from occurring. The only similarities between the discovery of this bug and the discovery of the other bug are that I go to a college, live in a dorm, and have friends who helped me with this page. It should also be noted that this bug is probably the result of the move to merge Internet Explorer with the Windows desktop, just as the other bug was.
Internet Explorer enables a user to use a URL describing a remote directory. When a user clicks on such a link, they are brought to what is essentially a Windows Explorer window, but inside of Internet Explorer. If this URL is used as the basis for an <IFRAME> tag, an embedded frame can be created with what is essentially a Windows Explorer window inside. If this window is made small enough, it appears to be some sort of button, one which runs a remote program when double-clicked. CIFS allows a machine to use the IP or hostname provided in the URL as a way of contacting the remote host containing the executable.
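A way to check saved or proxied pages for the pattern described above, as an added example that is not code from this page or from Microsoft. It assumes the "URL describing a remote directory" takes the form of a file: URL or UNC path naming a host (the page does not give the exact form); the 64-pixel threshold, the function names and the sample host name are likewise constructed for illustration.

```python
import re
from html.parser import HTMLParser

SMALL_PX = 64  # assumed cut-off for a frame small enough to pass as a button

def remote_share_host(src):
    """Return the remote host named by a file: URL or UNC path, else None."""
    s = src.strip()
    if s.lower().startswith("file:"):
        s = s[5:]
    elif not s.startswith("\\\\"):      # neither file: nor a bare \\host\share
        return None
    s = s.replace("\\", "/")
    slashes = len(s) - len(s.lstrip("/"))
    if slashes != 2 and slashes < 4:    # file:/path and file:///path are local
        return None
    host = s.lstrip("/").split("/", 1)[0]
    return None if host.lower() in ("", "localhost") else host

def pixels(value):
    # Accepts '40' or '40px'; percentages and missing values give None.
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", (value or "").lower())
    return int(m.group(1)) if m else None

class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):   # tag and attribute names arrive lower-cased
        a = dict(attrs)
        host = remote_share_host(a.get("src") or "") if tag == "iframe" else None
        if host is None:
            return
        sizes = [pixels(a.get(k)) for k in ("width", "height")]
        small = all(n is not None and n <= SMALL_PX for n in sizes)
        self.findings.append({"line": self.getpos()[0], "host": host, "button_sized": small})

def audit(html):
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the host name is a placeholder.
SAMPLE = r"""<html><body>
<iframe src="http://www.example.com/news.html" width="400" height="300"></iframe>
<IFRAME SRC="file://\\fileserver.example\public" WIDTH=40 HEIGHT=40></IFRAME>
<iframe src="file:///C:/docs/readme.htm" width="40" height="40"></iframe>
</body></html>"""
```

Calling `audit(SAMPLE)` reports only the second frame: the first is ordinary HTTP content and the third points at the local disk, so neither reaches a remote share.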
I discovered a different bug in a Microsoft product a year ago, and I found that it is very bad for my own personal PR. The bug was small and couldn't be used to gain access to a foreign computer system. I wrote about the bug in an extremely responsible way and even submitted my description of the bug as a writing sample on an interview. Nevertheless I was accused of being irresponsible, and even of being a "hacker." I'll admit that I might have been irresponsible by not letting Microsoft know about the problem ASAP, but I am NOT a hacker. Anyone who attempts to gain access to a computer without authorization is doing something dishonorable, illegal, and wrong. Period. If I am somehow made aware that someone has made use of the information on this page for a malicious purpose, I will not hesitate to alert the authorities.
In light of my experiences in the past, I feel I should mention that:
- I do not hold a grudge against Microsoft. I use (and love!) their products and would like to see them as bug-free as possible.
- I do not have any idea (or care about) how to "crack Windows 95 screensaver passwords." For some reason I keep getting mail about this, and I just want it to stop.
- Please drop me an e-mail if you reference this page.
Initial discovery
by David Ross
Help from Dennis Cheng and Asher Kobin.
Page created on 3/4/97
© 1997 Widdle Doggie. All rights reserved.