New Explorer hole could be devastating

Infoworld ^ | 01/28/04 | Kieren McCarthy

[Salo]

New Explorer hole could be devastating Browser users could be fooled into downloading executable files

By Kieren McCarthy, Techworld.com January 28, 2004

A security hole in Microsoft Corp.’s Internet Explorer could prove devastating. Following the exposure of a vulnerability in Windows XP earlier this week, “http-equiv” of Malware has revealed that Explorer 6 users (and possibly users of earlier versions) could be fooled into downloading what look like safe files but are in fact whatever the author wishes them to be -- including executables.

A demonstration of the hole is currently on security company Secunia’s website and demonstrates that if you click on a link, and select “Open” it purports to be downloading a pdf file whereas in fact it is an HTML executable file.

It is therefore only a matter of imagination in getting people to freely download what could be an extremely dangerous worm -- like, for instance, the Doom worm currently reeking havoc across the globe.

However what is more worrying is that this hole could easily be combined with another Explorer spoofing problem discovered in December.

The previous spoofing problem allowed Explorer users to think they were visiting one site when in fact they were visiting somewhere entirely different. The implications are not only troublesome, but Microsoft’s failure to include a fix for the problem in its January patches has led many to believe it cannot be prevented.

If the same is true for this spoofing issue, then it will only be a matter of time before someone who thinks they are visiting one website and downloading one file will in fact be visiting somewhere entirely different and downloading whatever that site’s owner decides.

We also have reason to believe there is no fix. It may be that today’s flaw is identical to one found nearly three years ago by Georgi Guninski in which double-clicking a link in Explorer led you to believe you were downloading a text file but were in fact downloading a .hta file.

In both cases, the con is created by embedding a CLSID into a file name. CLSID is a long numerical string that relates to a particular COM (Component Object Model) object. COM objects are what Microsoft uses to build applications on the Internet. By doing so, any type of file can be made to look like a “trusted” file type i.e. text or pdf.

Guninski informed Microsoft in April 2001. The fact that the issue has been born afresh suggests rather heavily that the software giant has no way of preventing this from happening.

So how bad could it get? Just off the top of our heads -- suppose someone set up a fake Hutton Inquiry site today with a link to the report’s summaries -- how many people across the U.K. would download a worm this afternoon? And imagine the computers it would end up on.

The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer’s viability as a browser.

The advice is to avoid this latest hole is always save files to a folder and then look at them. On your hard drive, the file’s true nature is revealed. But this advice is nearly as practical as Microsoft telling users not to click on links to avoid being caught out by the previous spoof problem.

All in all, it does not look good. Not good at all.

[justlurking]

The ActiveX control does not know the absolute path to "C:\Documents and Settings\[USER]\Local Settings\Temp" because it lacks knowledge of who the "[USER]" is.

It appears to work fine on my Windows XP laptop.

[Bush2000]

That's interesting. Does it run as a different user?

No, the attack just hardcodes the path to "C:\WINDOWS\TEMP\foobar.exe" and runs within the context of the current user.

[Outlaw76]

I've been using Firebird for about two weeks now. I love the tabbed browser windows. I don't see me going back to exlorer any time soon.

[Bush2000]

It appears to work fine on my Windows XP laptop.

You're either lying -- or you're tuning the sample to your config. There's no way that it can run an executable from C:\WINDOWS\TEMP under XP when the exe will be downloaded to C:\DOCUMENTS AND SETTINGS\[USER]\Local Settings\Temp

[Salo]

So if you are running as an admin, as most home machines do, you could be in for a world of hurt?

[djf]

Yup. Been using Firebird for about 3 months now, and got the Thunderbird mail client too. Best browser I've ever used.

[justlurking]

You're either lying -- or you're tuning the sample to your config.

I'm doing neither. I'm simply running the demo:

http://secunia.com/Internet_Explorer_File_Download_Extension_Spoofing_Test/

If I understand it correctly, they are claiming that you can be led to believe you are opening an PDF file, instead of something else.

The demo actually opens an HTML file. But, it could just as easily be an executable. If I can figure out all the details, I'll create a better demo.

BTW, Mozilla Firebird will do something similar, with one exception: it will tell you that you are opening an HTML file, rather than a PDF file. Since Firebird will warn you separately about opening an executable file, the protection is a little better, but not foolproof for people that open attachments in email from unknown senders.

[sigSEGV]

Microsoft gave up on properly supporting IE months ago.

http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/index.html

[antiRepublicrat]

First MyDoom and then this. Not a good start to the year for Microsoft. And they still haven't fixed the flaw found in December, which can be used in conjunction with this.

Oh, I figured it out. MS wanted to have that patch-free month, so they just decided not to release patches for known security flaws.

[justlurking]

A bit of additional info: the Adobe Acrobat plugin is usually launched immediately when one clicks on a PDF link.

However, this exploit prompts you for the download, which is unusual behavior if you recognize it. The issue seems to be the ability to obscure the true type of the file being downloaded.

[adam_az]

You're either lying -- or you're tuning the sample to your config. There's no way that it can run an executable from C:\WINDOWS\TEMP under XP when the exe will be downloaded to C:\DOCUMENTS AND SETTINGS\[USER]\Local Settings\Temp

BUSH LIED!!!

No, not the President, just the uneducated pretender who uses his name. ;)

It could always just point to c:\Documents and Settings\%username%\

Type that into your browser if you don't believe me, or from a dos promt, type
c: (if you aren't already on the c: disk)
cd \Documents and Settings\%username%\

Ever hear of an ENVIRONMENT VARIABLE, Bushie? You are farm league, yet you feign skillz.

[adam_az]

Just another example of Bush 2000's technical skills being purely bush league, aka all bushed out.

[RS]

".....demonstrates that if you click on a link, and select “Open” ....."

If you click on a link and select "open" your computer should kick your butt - and then go out and kick the butt of the fool who put the "open" button there in the first place.

[justlurking]

BUSH LIED!!!

No, he didn't lie. He just made an error. Given the vague description of the exploit, it's not reasonable to expect everyone to interpret it correctly.

However, when given an opportunity to correct his mistake, he instead escalated to an accusation of fabrication.

[AdmSmith]

Use another browser, such as Opera at http://www.opera.com

[Principled]

Firebird flag.

I think I'll try it. How big is it?

[mhking]

I think I'll try it. How big is it?

The entire folder, once installed is somewhere around 13MB, so it's not too big...

[Principled]

So mhking recommends i to principled?

Is it Red Hat or some such?

[Principled]

i=it

and Mozilla... who does Mozilla?

[Prime Choice]

I have no worries...