Free Republic
New Explorer hole could be devastating
Infoworld ^ | 01/28/04 | Kieren McCarthy

Posted on 01/28/2004 1:10:12 PM PST by Salo

Browser users could be fooled into downloading executable files

By Kieren McCarthy, Techworld.com January 28, 2004

A security hole in Microsoft Corp.’s Internet Explorer could prove devastating. Following the exposure of a vulnerability in Windows XP earlier this week, “http-equiv” of Malware has revealed that Explorer 6 users (and possibly users of earlier versions) could be fooled into downloading what look like safe files but are in fact whatever the author wishes them to be -- including executables.

A demonstration of the hole is currently on security company Secunia’s website. It shows that if you click a link and select “Open”, the download dialog purports to be fetching a PDF file, whereas the file is in fact an HTML Application (.hta), which Windows runs as a program with the logged-in user’s privileges rather than rendering as a web page.

It is therefore only a matter of imagination to get people to freely download what could be an extremely dangerous worm, like, for instance, the MyDoom (“Doom”) worm currently wreaking havoc across the globe.

However what is more worrying is that this hole could easily be combined with another Explorer spoofing problem discovered in December.

The previous spoofing problem allowed Explorer users to think they were visiting one site when in fact they were visiting somewhere entirely different. The implications are not only troublesome, but Microsoft’s failure to include a fix for the problem in its January patches has led many to believe it cannot be prevented.

If the same is true for this spoofing issue, then it will only be a matter of time before someone who thinks they are visiting one website and downloading one file will in fact be visiting somewhere entirely different and downloading whatever that site’s owner decides.

We also have reason to believe there is no fix. It may be that today’s flaw is identical to one found nearly three years ago by Georgi Guninski in which double-clicking a link in Explorer led you to believe you were downloading a text file but were in fact downloading a .hta file.

In both cases, the con is created by appending a CLSID to a file name. A CLSID is a GUID, a 128-bit value written in hexadecimal in the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, that identifies a particular COM (Component Object Model) class registered on the machine. COM is the component model on which Windows and Internet Explorer themselves are built, and the Windows shell treats a trailing {CLSID} as a special extension: it hides it from the displayed name and uses the registered class to decide how the file is opened. By that means, any type of file can be made to look like a “trusted” file type, i.e. text or PDF.

Guninski informed Microsoft in April 2001. The fact that the issue has been born afresh suggests rather heavily that the software giant has no way of preventing this from happening.

So how bad could it get? Just off the top of our heads -- suppose someone set up a fake Hutton Inquiry site today with a link to the report’s summaries -- how many people across the U.K. would download a worm this afternoon? And imagine the computers it would end up on.

The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer’s viability as a browser.

The advice for avoiding this latest hole is to always save files to a folder and look at them there before opening them. On your hard drive, the file’s true nature is revealed. (Check the name in a command prompt or in the file’s Properties dialog rather than trusting the icon, because Explorer also hides the extensions of known file types by default.) But this advice is nearly as practical as Microsoft telling users not to click on links to avoid being caught out by the previous spoof problem.

All in all, it does not look good. Not good at all.
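The CLSID trick explained above and the “save it and look at it” advice both come down to one check: does the file name carry a trailing .{GUID} suffix that the shell will hide and resolve through the registry? Below is a small detector that applies that check to download links and to Content-Disposition header values, so it can be run over a proxy or mail-gateway log. It is an added example, not code from the article, from Secunia, from Guninski or from Microsoft. The CLSID in the sample data is a constructed placeholder rather than any real class ID (the check keys on the GUID shape, not on a particular value), example.invalid is a made-up host, and the set of “trusted-looking” extensions is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

# A CLSID is a GUID: {8-4-4-4-12} hexadecimal digits. The spoof in the article
# appends ".{CLSID}" to a name that already ends in a harmless-looking extension;
# the Windows shell treats that suffix as a class reference rather than as part
# of the visible name, so the user sees "report.pdf" while the registered COM
# class decides what really runs.
CLSID_SUFFIX = re.compile(
    r"\.(\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})$", re.IGNORECASE
)

# Extensions a user is likely to open without a second thought (assumption).
TRUSTED_LOOKING = {"pdf", "txt", "doc", "jpg", "gif", "htm", "html"}

# Constructed placeholder, not a real class ID; any registered CLSID would do.
PLACEHOLDER_CLSID = "{00000000-1111-2222-3333-444444444444}"


def split_clsid(filename):
    """'report.pdf.{GUID}' -> ('report.pdf', '{guid}'); no suffix -> (name, None)."""
    m = CLSID_SUFFIX.search(filename)
    if m is None:
        return filename, None
    return filename[: m.start()], m.group(1).lower()


def classify(filename):
    """What the user will see versus what the shell will use to open the file."""
    shown, clsid = split_clsid(filename)
    ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "shown_name": shown,
        "apparent_ext": ext,
        "clsid": clsid,
        "spoofed": clsid is not None,
        "looks_trusted": ext in TRUSTED_LOOKING,
    }


def filename_from_url(url):
    """Last path segment of a link, percent-decoded so %7B...%7D becomes {...}."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def filename_from_disposition(value):
    """filename= from a Content-Disposition header value, or None if absent."""
    m = re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', value, re.IGNORECASE)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def scan(links, dispositions):
    """classify() records for every spoofed name among links and header values."""
    names = [filename_from_url(u) for u in links]
    names += [n for n in map(filename_from_disposition, dispositions) if n]
    return [rec for rec in map(classify, names) if rec["spoofed"]]


# Constructed sample input: one honest link/header and one spoofed counterpart.
SAMPLE_LINKS = [
    "http://example.invalid/report/summary.pdf",
    "http://example.invalid/report/summary.pdf.%7B00000000-1111-2222-3333-444444444444%7D",
]
SAMPLE_DISPOSITIONS = [
    'attachment; filename="readme.txt"',
    'attachment; filename="readme.txt.' + PLACEHOLDER_CLSID + '"',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LINKS, SAMPLE_DISPOSITIONS):
        print("SPOOFED: shown as %(shown_name)s (.%(apparent_ext)s), "
              "actually opened via CLSID %(clsid)s" % rec)
```

A hit means the name the user sees and the handler the shell will pick disagree, whichever class the attacker chose; the percent-decoding step matters because a link can carry the braces as %7B and %7D and still arrive at the shell as a CLSID suffix.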


To: Salo
This is a serious hole in IE but without a separate hole in webserver or hosting software to upload the malware to multiple web hosts there's not an easy way for it to be exploited. The spoof combination could possibly point some wanderers to an offshoot of another site but for how long.

Microsoft needs to update these IE holes fast since there are obviously a lot of malicious minded people that oppose them. These kinds of events are disturbing when they happen, but rest assured they ultimately will lead to stronger, more secure networks and further isolation of these anarchists from access.

Hackers should never be underestimated, that is security rule #1 since you never know who you're dealing with or their ultimate capability. But without a method of contaminating large numbers of web servers, of which there's no widely available method for remotely rooting commercial sites right now, there's little way to exploit this particular IE hole. Let's hope it's patched before there is.
41 posted on 01/28/2004 4:42:49 PM PST by Golden Eagle

To: antiRepublicrat
Not a good start to the year for Microsoft.

What makes you say that? It's no different than things were in 2003...or 2002...or 2001 (Nimda and Code Red, anyone?) or 2000...1999...1998...et cetera, ad nauseam.

Huh...and Steve Ballmer says everything would be fine if security researchers would "just be quiet."


42 posted on 01/28/2004 4:44:41 PM PST by Prime Choice (I'm pro-choice. I just think the "choice" should be made *before* having sex.)

To: Golden Eagle
Actually, IE has another related hole which makes it much easier: you can set up your own server www.goldeneagle.com, put your malware on it, send an email pointing to your server which will make it appear as www.microsoft.com in IE, put a link "emergency security patch" to your malware, kick back and enjoy.
43 posted on 01/28/2004 4:51:05 PM PST by Salo (You have the right to free speech - as long as you are not dumb enough to actually try it.)

To: Salo
Since I host a lot of images that show up on FreeRepublic, I know what browsers we are all using. For all the IE bitchin' that goes on here, there are sure a lot of IE users:

Explorer: 84.1%
Netscape: 13.7%
unknown: 0.3%

44 posted on 01/28/2004 4:51:12 PM PST by spodefly (This is my tagline. There are many like it, but this one is mine.)

To: aruanan
You see, that's only because it's a popular widespread OS, not because there's anything inherently wrong with it.

Actually, that's not quite the whole of it. What makes an OS a target is not its popularity, but the ease with which it can be readily exploited.

Considering that Microsoft has been a known target for six years and it's still vulnerable to these issues shows the hazards of putting convenience ahead of security. By making things more convenient without thoroughly-audited code review, we're most assuredly going to be plagued with these silly viruses, trojans and worms for decades to come.

Why Microsoft doesn't address this core issue is simple. Microsoft doesn't hold itself accountable for its p!ss-poor security. Instead, Microsoft blames the hackers and the consumers.

You think a car manufacturer would stay in business long if it kept making cars that could be hijacked with a Radio Shack DIY electronics kit? You think a car manufacturer would stay in business long if it kept blaming Radio Shack and its consumer base for the hijackings? I personally doubt the American consumer would stand still for it.

...but for some reason, when the same thing happens on the digital level, the American consumer buys it; lock, stock and steaming, stinking barrel.

45 posted on 01/28/2004 4:53:42 PM PST by Prime Choice (I'm pro-choice. I just think the "choice" should be made *before* having sex.)

To: Golden Eagle
This is a serious hole in IE but without a separate hole in webserver or hosting software to upload the malware to multiple web hosts there's not an easy way for it to be exploited.

If this exploit can be inserted into an HTML-formatted email, it could be spread the same way as the fdic.gov scam (which used the URL spoofing exploit).

Send out a bunch of emails, with a "PDF" link to a compromised webserver somewhere (or even one of the many "zombie" PC's). Entice the recipient to open the "PDF", but instead download and run a script that compromises the system. Finish up by actually loading and displaying a PDF file.

However, I don't know for sure if an HTML-formatted message is vulnerable to this exploit.

46 posted on 01/28/2004 4:54:45 PM PST by justlurking

To: spodefly
I use it on my Windows box, and I have it on my mac, but prefer Safari. The fact that it is used more means MS should be more responsive to fixing it as it means more people are vulnerable to attack.
47 posted on 01/28/2004 4:57:34 PM PST by Salo (You have the right to free speech - as long as you are not dumb enough to actually try it.)

To: Bush2000
"Erg, let's try this again. The ActiveX control does not know the absolute path to "C:\Documents and Settings\[USER]\Local Settings\Temp" because it lacks knowledge of who the "[USER]" is."

Virus writers will guess that the user is Admin and hit 80% of all home XP users correctly, no?!

48 posted on 01/28/2004 5:02:23 PM PST by Southack (Media bias means that Castro won't be punished for Cuban war crimes against Black Angolans in Africa)

To: Prime Choice
Steve Ballmer says everything would be fine if security researchers would "just be quiet."

He actually makes a very good point. Security researchers would be doing a much greater service to society if they submitted their findings to Microsoft for private correction so that the patch could be released before the public was even aware the hole had been found. That way, you got the patch before any of these foreign hackers were attacking you.

And it's always these foreign "security firms" that open source the exploit if not the viral code itself to the general public leaving Microsoft in a "you have to be kidding, who are you supposedly helping here" position, one that certainly seems understandable.

However some feel that the open source release of viral code before notification of Microsoft or other vendor is a positive thing. There are as we've come to learn those that wish as much ill harm on Microsoft as possible, and there is also a group that feels the virtual terrorists are already pulling out all the stops to get viral code in effective use by open sourcing it to the internet, but that ultimately that has helped the overall security of the internet by already requiring the fastest possible responses to emerging threats.

I disagree with anyone who supports publicly releasing exploits much less open source code of viral technology before vendor notification, as they are crossing the line between being a white hat hacker and a black hat one.

49 posted on 01/28/2004 5:33:52 PM PST by Golden Eagle

To: justlurking
I'm just razzing him, because we get into each other on most of these threads.

I recall fondly when his post revealed that he didn't know the difference between SMTP and POP protocols. Unsurprisingly, he's an unfailingly reliable sycophantic supporter of both SCO and Microsoft.

50 posted on 01/28/2004 5:39:43 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)

To: Salo
Actually, IE has another related hole which makes it much easier: you can set up your own server www.goldeneagle.com, put your malware on it, send an email pointing to your server which will make it appear as www.microsoft.com in IE, put a link "emergency security patch" to your malware, kick back and enjoy.

Certainly possible, and hackers can never be underestimated (can't say that enough), but a single serverhost attack is never going to infect millions of systems, not unless it was hosted overseas at a server farm or something, but then you have latency issues and the ability to block the requests at the major ISPs. However those sorts of attacks could be the next wave, as these anti-American hackers are relentless in their pursuit of causing us harm.

51 posted on 01/28/2004 5:40:04 PM PST by Golden Eagle

To: Southack
You can just use %username% in place of the username, that's a system variable. It even works in file explorer and in the dos cmd.exe command line.
52 posted on 01/28/2004 5:41:14 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)

To: Golden Eagle
"He actually makes a very good point. Security researchers would be doing a much greater service to society if they submitted their findings to Microsoft for private correction so that the patch could be released before the public was even aware the hole had been found. That way, you got the patch before any of these foreign hackers were attacking you. "

Not entirely true, Ballmer ALSO doesn't want exploit code or details to be released. The argument against this approach is the same as the argument against gun control. It is utterly critical that specific technical detail be released, and Microsoft is doing nothing but playing CYA at the expense of their customers.
53 posted on 01/28/2004 5:45:27 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)

To: Prime Choice
Why Microsoft doesn't address this core issue is simple. Microsoft doesn't hold itself accountable for its p!ss-poor security. Instead, Microsoft blames the hackers and the consumers.

Microsoft rightly blames the hackers but where have they blamed "the consumers"? And Microsoft certainly bears the responsibility of their product, but the fact is until a hacker exploits any vulnerability no crime has been committed. Microsoft is legally in the clear, and they must face their consumers (who I still don't remember them blaming for hacker attacks) in the free enterprise market, something they seem to be dominating with reports of record profits this week.

54 posted on 01/28/2004 5:46:10 PM PST by Golden Eagle

To: adam_az
Not entirely true, Ballmer ALSO doesn't want exploit code or details to be released. The argument against this approach is the same as the argument against gun control. It is utterly critical that specific technical detail be released, and Microsoft is doing nothing but playing CYA at the expense of their customers.

I think a better description of Ballmer's position is he wants OFFICIAL law enforcement in charge of these events. Using your own gun analogy, he would prefer the "specific technical details" of the crime scene to be more in relation to the investigative work of equivalent "CSI" units that are publicly funded but keep their evidence to themselves.

The development of the Homeland Security department is a good step in that direction, and while highly criticized and currently limping as any new huge government agency would be, it will eventually prove essential in dealing with these virtual bandits.

55 posted on 01/28/2004 5:57:19 PM PST by Golden Eagle

To: Golden Eagle
"I think a better description of Ballmer's position is he wants OFFICIAL law enforcement in charge of these events. Using your own gun analogy, he would prefer the "specific technical details" of the crime scene to be more in relation to the investigative work of equivalent "CSI" units that are publicly funded but keep their evidence to themselves."

So you are saying that a federal program is better than the free market? Can I quote you?

You prefer a bureaucracy to the security industry? Your description does businesses, who have the most to lose with regard to computer exploits, not a lick of good.
56 posted on 01/28/2004 6:06:36 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)

To: mhking

>>'Nuff said.<<

Yup.

I opened the link in a new Tab just to confirm I'm not vulnerable.


57 posted on 01/28/2004 6:07:45 PM PST by Malsua

To: Golden Eagle
Microsoft rightly blames the hackers but where have they blamed "the consumers"?

Yep. During the last major blow-up thanks to Microsoft's lousy security, they blamed administrators and users alike for not upgrading their systems. Don't you read their press statements?

58 posted on 01/28/2004 6:21:55 PM PST by Prime Choice (I'm pro-choice. I just think the "choice" should be made *before* having sex.)

To: Prime Choice
Actually, that's not quite the whole of it. What makes an OS a target is not its popularity, but the ease with which it can be readily exploited.

I was being sarcastic.
59 posted on 01/28/2004 6:25:48 PM PST by aruanan

To: adam_az
The argument against this approach is the same as the argument against gun control. It is utterly critical that specific technical detail be released, and Microsoft is doing nothing but playing CYA at the expense of their customers.

That is precisely the reason why no-one in their right mind should trust Microsoft. Anyone who says otherwise is just a shill for Redmond.

60 posted on 01/28/2004 6:28:02 PM PST by Prime Choice (I'm pro-choice. I just think the "choice" should be made *before* having sex.)

