Scripting flaws pose severe risk for IE users

The Register ^ | 11/25/03 | John Leyden

[Salo]

Posted: 25/11/2003 at 18:01 GMT   A set of five unpatched scripting vulnerabilities in Internet Explorer creates a mechanism for hackers to compromise targeted PCs.

The vulnerabilities,unearthed by Chinese security researcher Liu Die Yu, enable malicious Web sites and viruses to bypass the security zone settings in IE6. Used in combination, the flaws might be exploited to seize control of vulnerable PCs.

Proof of Concept exploits have been released by Liu Die Yu to validate his warnings.

Microsoft has yet to patch the flaws. But users can protect themselves against the flaws by disabling active scripting or by using an alternative browser.

Thomas Kristensen, CTO of security Web site Secunia, toldThe Register that the five distinct vulns could used in combination to install executables (viruses, Trojans and porn diallers). Secunia describes the vulnerabilities as "extremely critical".

Despite this, Kristensen warns that Microsoft is unlikely to break its newly instituted monthly release cycle to release a stand-alone IE patch unless a vulnerability was widely exploited. Pending the availability of a patch, Secunia advises all IE users to disable active scripting.

The drawback of this workaround is that with some Web sites certain functions won't work unless scripting is enabled. IE users should define any sites they need to use as trusted so that they can continue to use scripting on those sites alone, Kristensen advised.

Secunia's advisory is here. ®

[Salo]

here's the advisory: Secunia Advisory: SA10289

Release Date: 2003-11-25

Critical: Extremely critical

Impact: System access Exposure of sensitive information Cross Site Scripting Security Bypass

Where: From remote

Software: Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 5.5 Microsoft Internet Explorer 6

Description: Multiple vulnerabilities have been identified in Internet Explorer, which in combination can be exploited to compromise a user's system.

1) A redirection feature using the "mhtml:" URI handler can be exploited to bypass a security check in Internet Explorer, which normally blocks web pages in the "Internet" zone from parsing local files.

2) The above redirection feature can also be exploited to download and execute a malicious file on a user's system. Successful exploitation requires that script code can be executed in the "MyComputer" zone.

3) A cross-site scripting vulnerability can be exploited to execute script code in the security zone associated with another web page if it contains a subframe. This may potentially allow execution of script code in the "MyComputer" zone.

4) A variant of a fixed vulnerability can still be exploited to hijack a user's clicks and perform certain actions without the user's knowledge.

For more information: SA9711

5) An error in the download functionality can be exploited to disclose a user's cache directory by supplying a "HTM" file extension and an invalid value in the "Content-Type:" header field. This issue does not affect all versions and may have been fixed by the latest patch for Internet Explorer.

The vulnerabilities have been reported in Internet Explorer 6.0. However, other versions may also be affected and have been added due to the criticality of these issues.

PoC exploits (Proof of Concept) are available.

Solution: Disable Active Scripting.

Use another product.

[Salo]

Pinging all tech peeps.

[Salo]

Here's the (expletives deleted) URL.

[Endeavor]

so where do I go in my computer to turn off scripting?

[The Electrician]

If they are just talking about "active scripting", then you should be able to disable that as follows: (IE 5.5, anyway)

Tools
Internet Options
Security
Custom
scroll down to find Scripting - Active scripting
click disable
click OK

But since I haven't read all of the detail, I can't state with any authority that that is all that is needed...

[Bush2000]

1. Run Internet Explorer.
2. Choose Tools|Internet Options menus.
3. Click on Security tab.
4. Click "Custom Level" button.
5. Scroll down to "Active Scripting" item. Change to "Disable".
6. Click OK.
7. Click OK.

[Salo]

Open Internet Explorer.
Select Tools->Internet Options
Hit the Security Tab
Make sure Internet is highlighted
Hit the button that says Custom Level
Scroll down to "Scripting"
Disable all scripting actions.

[Question_Assumptions]

OK. But what does this break? That is, what won't work with this turned off?

[JCG]

so where do I go in my computer to turn off scripting?

www.opera.com

[palmer]

Some corporate applications.

[Brett66]

Mozilla is a good way to end all of these problems.

Mozilla

[Bubba_Leroy]

This is a much better fix:

1. Go to http://www.mozilla.org/
2. Download Mozilla web browser.
3. Stop using Internet Explorer.

[nutmeg]

read later

[Bubba_Leroy]

You beat me to it.

[Endeavor]

Thanks to all you guys for the "how to."

Bubba, I tried to download Mozilla and had problems.

[The Electrician]

As one poster mentioned, there may be a whole lot more corporate Intranet apps rather than Internet apps that require Active Scripting to be turned on, but there may still be some things that are done via the Internet that may require it. There's a useful article at this page, which is somewhat specific to that academic environment but still has info that is more broadly applicable. For example, it claims that turning off Active Scripting may impact the MS Windows Update service, but that you may be able to selectively enable it for trusted sites.

[The Electrician]

Good one... LOL!

[Looking for Diogenes]

Opera is the best browser I've used. It's fast and has a bunch of great features.

[Clara Lou]

Use another product.
I do. I use Firebird.

[Salo]

Me, too: I use Safari. ;-)

Use another product.

I do. I use Firebird.