Posted on 01/28/2004 1:10:12 PM PST by Salo
New Explorer hole could be devastating
Browser users could be fooled into downloading executable files
By Kieren McCarthy, Techworld.com January 28, 2004
A security hole in Microsoft Corp.'s Internet Explorer could prove devastating. Following the exposure of a vulnerability in Windows XP earlier this week, http-equiv of Malware has revealed that Explorer 6 users (and possibly users of earlier versions) could be fooled into downloading what look like safe files but are in fact whatever the author wishes them to be -- including executables.
A demonstration of the hole is currently on security company Secunia's website and demonstrates that if you click on a link and select Open, it purports to be downloading a pdf file whereas in fact it is an HTML executable file.
It is therefore only a matter of imagination in getting people to freely download what could be an extremely dangerous worm -- like, for instance, the Doom worm currently wreaking havoc across the globe.
However what is more worrying is that this hole could easily be combined with another Explorer spoofing problem discovered in December.
The previous spoofing problem allowed Explorer users to think they were visiting one site when in fact they were visiting somewhere entirely different. The implications are not only troublesome, but Microsoft's failure to include a fix for the problem in its January patches has led many to believe it cannot be prevented.
If the same is true for this spoofing issue, then it will only be a matter of time before someone who thinks they are visiting one website and downloading one file will in fact be visiting somewhere entirely different and downloading whatever that site's owner decides.
We also have reason to believe there is no fix. It may be that today's flaw is identical to one found nearly three years ago by Georgi Guninski in which double-clicking a link in Explorer led you to believe you were downloading a text file but were in fact downloading a .hta file.
In both cases, the con is created by embedding a CLSID into a file name. CLSID is a long numerical string that relates to a particular COM (Component Object Model) object. COM objects are what Microsoft uses to build applications on the Internet. By doing so, any type of file can be made to look like a trusted file type i.e. text or pdf.
Guninski informed Microsoft in April 2001. The fact that the issue has been born afresh suggests rather heavily that the software giant has no way of preventing this from happening.
So how bad could it get? Just off the top of our heads -- suppose someone set up a fake Hutton Inquiry site today with a link to the report's summaries -- how many people across the U.K. would download a worm this afternoon? And imagine the computers it would end up on.
The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer's viability as a browser.
The advice to avoid this latest hole is to always save files to a folder and then look at them. On your hard drive, the file's true nature is revealed. But this advice is nearly as practical as Microsoft telling users not to click on links to avoid being caught out by the previous spoof problem.
All in all, it does not look good. Not good at all.
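The article's own advice is to save the file and inspect it on disk. The check below is an added example (not from the article, Secunia, or Microsoft) of what that inspection can look like: it flags a trailing CLSID token in the file name, the form the article describes, and compares the claimed extension against the file's leading bytes. The CLSID value in the samples is a constructed placeholder, not a real COM identifier.

```python
import re

# A file name ending in ".{CLSID}" is displayed by the shell without that token,
# so the name the user sees ends in whatever extension precedes it (e.g. ".pdf").
# Assumption: the CLSID appears as a trailing "{8-4-4-4-12}" hex token.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)

# Leading bytes expected for the "trusted" document types the article names.
MAGIC = {
    "pdf": (b"%PDF",),
    "txt": (),  # no signature; rely on the absence of markup/executable headers
}
# Leading bytes that mean the content is active code, not a passive document.
ACTIVE = (b"MZ", b"<html", b"<HTML", b"<script", b"<SCRIPT")


def check_download(filename: str, head: bytes) -> dict:
    """Report what the name appears to claim, whether a CLSID suffix is present,
    and whether the first bytes of the saved file contradict the claimed type."""
    m = CLSID_SUFFIX.search(filename)
    apparent = filename[: m.start()] if m else filename
    claimed_ext = apparent.rsplit(".", 1)[-1].lower() if "." in apparent else ""
    content_ok = True
    if claimed_ext in MAGIC:
        sigs = MAGIC[claimed_ext]
        content_ok = (not sigs or head.startswith(sigs)) and not head.lstrip().startswith(ACTIVE)
    return {
        "apparent_name": apparent,
        "claimed_ext": claimed_ext,
        "clsid_suffix": bool(m),
        "content_matches": content_ok,
        "suspicious": bool(m) or not content_ok,
    }


if __name__ == "__main__":
    # Constructed samples: the CLSID is a placeholder, the bytes are fabricated.
    samples = [
        ("summary.pdf.{11111111-2222-3333-4444-555555555555}", b"<html><script>"),
        ("summary.pdf", b"%PDF-1.4 ..."),
        ("notes.txt", b"MZ\x90\x00..."),
    ]
    for name, head in samples:
        print(name, "->", check_download(name, head))
```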
No, I'm just trying to explain the obvious to someone who doesn't quite get it.
You're going to need a host, to link to, and if you haven't already rooted the client your only other option is your own server, which would be like robbing a bank but leaving your driver's license.
It isn't difficult to find a host to link to, without leaving any trace back to the perpetrator, if the perpetrator already has a pool of compromised servers to choose from. They won't last much longer than the time it takes to investigate and disassemble the worm, but by then the damage will already be done to everyone who fell for it.
And while you correctly pointed out that firewalls would limit propagation, one could always link back to the compromised system that was used to send the email. It won't work all the time, but it's not necessary for it to work every time. And it would distribute the task and make it much more difficult to stop the propagation.
There's simply not much way this can be exploited, despite the obvious attempt of the author to distract from the Linux virus debacle.
Wow, where do I begin?
Spoken like a true slashdotter. What we need is a TruthDetector, then you guys would scatter like flies.
Do realize that SUN is borrowing very heavily from those evil open-source types in their use of Gnome as the default desktop?
Yeah that's why I don't have it loaded. What happened to CDE? But Gnome has some proprietary parts you seem to be overlooking.
SUN is also very supportive of the open source movement through their support of the SunFreeWare site.
Yeah and Apple has some involvement too. But they control it, instead of letting possible foreign communists control them. Serious difference you seem oblivious to.
SUN is a hardware company.
They are a technology company just like Apple but with a completely different clientele. I remember this guy that worked for me literally foaming at the mouth talking about Java one day, that was a new direction for the company to push itself onto the internet, and I used to code Java applets all the time, still have tons on my own personal website.
But they are being destroyed by Open Source, now their operating system is being given away for free, and a near perfect duplicate of their office suite is now being given away too, they are cornered and finally had to sell out to Linux and had a psychiatric breakdown in the press in the process. So sad to see it, Apple will be next, they're already morphing into a music company.
You claimed this exploit wasn't easy to exploit. I explained that it wasn't that hard at all. Now, you claim that the method isn't dependent on the exploit. I presume that means you have conceded that it is not difficult to exploit. If so, we can move on.
You are correct that the methodology isn't dependent on this particular exploit: a variant of the MyDoom worm could do the same thing. But, this exploit is one that could fool some users that know to not open an attachment, but are less cautious about clicking on a link to what claims to be a PDF file. It's just another variation on social engineering.
And if you really think my assumptions are so questionable, check this out:
http://www.interesting-people.org/archives/interesting-people/200307/msg00073.html
It's an article from the NY Times, published last year. It opens:
Hackers Hijack PC's for Sex Sites
By JOHN SCHWARTZ
More than a thousand unsuspecting Internet users around the world have recently had their computers hijacked by hackers, who computer security experts say are using them for pornographic Web sites.
The hijacked computers, which are chosen by the hackers apparently because they have high-speed connections to the Internet, are secretly loaded with software that makes them send explicit Web pages advertising pornographic sites and offer to sign visitors up as customers.
Unless the owner of the hijacked computer is technologically sophisticated, the activity is likely to go unnoticed. The program, which only briefly downloads the pornographic material to the usurped computer, is invisible to the computer's owner. It apparently does not harm the computer or disturb its operation.
The hackers operating the ring direct traffic to each hijacked computer in their network for a few minutes at a time, quickly rotating through a large number. Some are also used to send spam e-mail messages to boost traffic to the sites.
[follow the link to read the rest of the article]
So while you seem to be very if not interestingly well versed in virus creation methods, this particular hole isn't even necessary for your described exploit, therefore apparently being another attempt to distract attention from the "SCO Denial of Service Worm" (like that one better?).
I've been commenting on the article that started this thread. If you want to discuss MyDoom/Novarg, I suggest that you return to the thread that you started.
There have been hundreds of threads started since you posted that one. Despite your apparent belief that FR revolves around the threads that you start, starting another thread on similar or completely different topics doesn't constitute an effort to distract people from yours.
It's not being stolen. You're giving it away, remember?
I claimed it was very hard to get any significant advantage from this exploit, which is why I got tired of your lectures on proper virus creation which, while demonstrating your expertise, you never successfully showed to be of any particular significance in an attack. Therefore, hardly a "devastating" exploit as the author and you seem to have been implying.
As for the rest of your post, sorry, I don't need any advice from the NY Times on computer security, LOL.
Let's see how long it will be before there is a worm "in the wild" that exploits this security hole, and what kind of effect it has.
As for the rest of your post, sorry, I don't need any advice from the NY Times on computer security, LOL.
There's very little advice in the article, other than the standard "install a firewall". I cited it because I hoped it would help with your difficulty in understanding how "zombied" PC's are widespread, and can be used for all kinds of mischief -- including acting as a server to spread more email worms.
Sounds ominous, coming from a Linux guy who understands virii design so well. Hopefully we're safe with you?
Even if one is released it's still going to require some sort of a combination attack, that wouldn't even be wholly dependent on this hole even if your other theories could be sustained. Also FYI, according to a new article on CNet a patch is coming right away.
And if the GPL is invalidated, ownership still remains with the author. Without explicit permission from the author, use and/or distribution of the software will be a copyright infringement.
And that will pose a problem for SCO, because they are still distributing a GPL'ed Linux kernel to their customers.
If SCO gets their way with the GPL, they are in a heap of trouble (of their own making).
Ownership of GPL code isn't worth a hill of beans. IBM, Novell and others will be profiting off that code, reproducing it, pretty much anything they want to it whether the GPL survives or not.
And those poor authors won't get much in return from the billions in dollars made off their code either. All their software engineering contributions become = the value of running a non-commercial version of the O/S for life.
LOL, what a pitiful return on investment!
I know very little about viruses and worms, other than how to recognize them. I went for years without running any anti-virus software and never needed any (but I did finally install an open-source mail scanner on my server last year).
But, unlike some of the people that I've encountered lately, I can derive possible outcomes from past history and current information.
Even if one is released it's still going to require some sort of a combination attack, that wouldn't even be wholly dependent on this hole even if your other theories could be sustained. Also FYI, according to a new article on CNet a patch is coming right away.
Actually, the article says that Microsoft hasn't stated a release date -- they've only provided information about the feature they are removing in order to fix the problem.
And, there's no indication (in this article) that the fix will address the problem reported yesterday (by Secunia) -- which is the one we have been discussing.