Internet Explorer Does it Again
Security Warning
March 7, 1997 - Yet another security hole has been found in Microsoft's(TM) Internet Explorer v3.01a. This is not the same hole reported by the trio of WPI students a few days ago. This hole allows a malicious web page to automatically run any program on the user's hard drive, which means that users of Internet Explorer could have their hard drives completely deleted, their private information stolen, or their computer infected with a virus merely by looking at a web page.
This bug works on a similar principle as the bug discovered at WPI. However, instead of using .lnk files or .url files, this bug exploits the fact that other files can also be downloaded and automatically executed without prompting the user for permission. This bug is not fixed by the security patch which Microsoft put out for the WPI bug.
This bug has thus far only been verified on the Windows 95 version of Internet Explorer. This bug does not appear to affect Windows NT (any service pack/version) in its usual configuration.
The Exploits
These exploits are harmless and are for demonstration purposes only. However, they could easily have been made very harmful if that had been our intent. These demos require that the "Internet Wizard" be present on your system. It is the Internet Wizard that parses the ".ISP" files. You must also have Win95 located in "C:\WINDOWS". Note, however, that a script to delete a whole hard drive wouldn't care where Windows is located.
- Downloading a remote file -
Viewing this page will automatically download a disclaimer from the Microsoft ftp site and display it using DOS edit. Note: this could easily be altered to download a virus and infect your computer with it. (This bug will only work if you use the default directory for your "Temporary Internet Files". Of course, most people do use the default directory.)
- Creating and deleting directories -
Viewing this page will automatically take you on a guided tour which creates a directory called C:\junkdir, dumps some files to that directory, and then deletes the entire C:\junkdir directory along with all the files that it created. Note: this could easily be altered to delete C:\ instead, which would erase your entire hard drive.
- Running a local file -
Viewing this page will automatically start the calc.exe (calculator) program on your machine. Note: this could easily be altered to run deltree.exe with the appropriate options to automatically erase your entire hard drive.
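A defender-side check for the file types this advisory says the browser fetched and ran on its own, added here as an example and not part of the original advisory or its demo pages; the extension list (.ISP, .lnk, .url) comes from the advisory, while the sample page, the hostname and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions named in the advisory: .lnk/.url (WPI bug) and .ISP (this bug).
RISKY_EXTENSIONS = (".isp", ".lnk", ".url")

# Attributes that make the browser fetch a resource without a click.
FETCH_ATTRS = {"src", "href", "data"}


class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in FETCH_ATTRS:
                self.refs.append((tag, name, value))
            # <meta http-equiv="refresh" content="0;url=..."> navigates too.
            elif tag == "meta" and name == "content" and "url=" in value.lower():
                self.refs.append((tag, name, value.split("=", 1)[1].strip()))


def has_risky_extension(url):
    """True if the URL path ends in a risky extension (case-insensitive;
    the query string is ignored so 'tour.isp?x=1' is still caught)."""
    return urlparse(url).path.lower().endswith(RISKY_EXTENSIONS)


def find_risky_refs(html):
    """Return (tag, attribute, url) for each reference to a risky file type."""
    collector = _RefCollector()
    collector.feed(html)
    return [ref for ref in collector.refs if has_risky_extension(ref[2])]


# Constructed sample page (hypothetical host): a meta refresh and a frame
# pointing at .ISP files, plus harmless references that must not match.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;URL=signup.ISP">
</head><body>
<frame src="http://example.invalid/tour.isp?x=1">
<a href="index.html">home</a> <img src="logo.gif">
</body></html>"""

if __name__ == "__main__":
    for hit in find_risky_refs(SAMPLE_PAGE):
        print("would block:", hit)
```

A proxy or content filter running this check would flag the two .ISP references and leave the .html and .gif references alone.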
The Truth
There was some confusion in the press when the WPI bug was announced as to the actual severity of the bug. To keep this confusion from occurring again, we would like to set some things straight from the start:
- This bug only requires that a user look at a particular web page. The user does not need to click on any "disguised hyperlinks" for the bug to be exploited. Our example exploits demonstrate this. Last time, it was misreported that users needed to click on a disguised hyperlink to activate the exploit. In fact, with a little more programming it can be made automatic so that a user only needs to look at a page (as it is with our bug).
- The severity of the WPI bug was unjustly downplayed by some of the press by saying that in order to manipulate a user's files, the malicious web page would need to know the exact location of the files on the user's computer. However, this does not reduce the severity at all, because almost everybody running Windows has such directories as C:\, C:\WINDOWS, and C:\WINDOWS\COMMAND. If a malicious web page were set up to delete any of these directories, almost all users would suffer serious damage.
- The severity of the WPI bug was also downplayed by Microsoft, which said that no malicious pages are actually known which use this exploit. However, the most likely reason that there aren't any malicious pages using the WPI exploit, or this exploit, is that these exploits were just released and nobody has had much time to make anything malicious yet. Don't feel safe just because there are no known malicious pages now.
Microsoft's Official Bugfix (3/8/97 2:47pm)
Our Third-Party Bugfix (3/8/97 12:25am)
Microsoft is a trademark of Microsoft Corporation.