Posted on 08/21/2004 6:37:02 AM PDT by Salo
Researchers spot XP SP2 security weakness
IE drag and drop feature could be exploited by hackers
Iain Thomson, vnunet.com 20 Aug 2004
Security researchers believe they have discovered a weakness in the new security given to Windows XP by the recently unveiled Service Pack 2 (SP2).
Since XP SP2 was released, activists have been searching for weaknesses in the security-focused service pack. Microsoft yesterday dismissed claims by German researchers to already have discovered a flaw.
Now a group has claimed that exploit code could bypass the new security procedures in XP by using the 'drag and drop' features of Internet Explorer.
In an advisory, security consultancy Secunia said researcher http-equiv had demonstrated that "the vulnerability is caused due to insufficient validation of drag-and-drop events issued from the 'Internet' zone to local resources.
"This can be exploited by a malicious website to e.g. plant an arbitrary executable file in a user's startup folder, which will get executed the next time Windows starts up."
But Microsoft believes that any hacker looking to exploit this issue would have to rely on considerable help from users.
The company said an attacker would need to first entice the user to visit a specific website and then entice them to drag and drop the malicious file in a specific location within that website.
"Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," the firm said in a statement.
"Microsoft is not aware of any customer impact at this time. However, we will continue to investigate the issue to determine the appropriate course of action to protect our customers."
But Secunia argued that the flaw is "highly critical", as most of the steps the user needs to perform could be masked behind a single click.
"Even though the 'proof of concept' depends on the user performing a drag-and-drop event, it may potentially be rewritten to use a single click as user interaction instead," the consultant warned.
Meanwhile, Microsoft has published the first 'hotfix' for XP following the release of SP2, to deal with a loopback addressing problem.
A loopback address is a special Internet Protocol (IP) address (127.0.0.1) designated for the software loopback interface of a machine.
It allows IT professionals to test IP software without worrying about broken or corrupted drivers or hardware.
Microsoft is working towards a better patch for the problem, which showed up in Release Candidate versions of SP2.
Pinging.
Over the coming months there will be a lot more holes discovered. SP2 is running fine on my system but I still prefer 98SE and 5.5 any day; they're not such resource hogs or as bloated, and the use of third-party software helps to keep them protected.
Really?
Yes, when I set my firewall interfaces and routers to loopback, the equipment doesn't even need to be turned on. ;-)
Makes you wonder about tech journalists, doesn't it?
I just got a new HP with XP Home. I used to use 98SE. IMO, XP is 1000% better. For work, I run a large amount of Java applications and it just handles it much better. A lot of it has to do with the hyper-threading feature and I'm running a Pentium 4 at 2.8GHz as opposed to 900MHz on my old computer, but the architecture of XP seems to handle resources and just about everything else better than my 98SE.
It might be that for handling larger applications and overall stability XP is better than the rest. The main problem with 98SE is that it starts out good but gets bogged down quickly from installing and uninstalling programs, and so it has to be reinstalled more often. XP can go a lot longer without having to do a reformat.
But still, for surfing and burning software like Nero I find 98SE is more efficient and easier. For some reason Nero's latest, Ultra 6, doesn't have its built-in LAME encoder included in XP but it is in 98SE. I'm beginning to wonder if it's being disallowed in XP somehow and if that's a sign of things to come.
Makes you wonder about tech journalists, doesn't it?
Microsoft is doing the right thing, trying to improve their software security. These foreign "researchers", on the other hand, fall under the category of black hat hackers when they publicly release exploits without first giving the vendor a chance to respond. They may not even know the full extent of the whole, and rushing out an announcement in the middle of all the already existing confusion isn't helping anyone.
These foreigners should be privately submitting the flaws to the vendor, who may have other information or other submissions to consider, so that a patch can be designed/tested and ready for release before everybody under the sun knows that the flaw exists. But they seem to have an agenda if you ask me, of damaging the reputation of US software vendors, which is why they almost always release the exploits straight to the public.
Should have said they may not even know full extent of the "hole". Reminds me of that guy a couple of months ago who found a hole in the Linux kernel. Did he privately submit the hole to the OSDL for patching? No, he publicly released exploit code in open source form, along with some patch HE developed that he wanted everyone to use. WTF, let the professionals build the patches, and keep the exploits private. What he did potentially caused much more harm than good. Same here.
It ought to make you wonder about all journalists. This sort of lack of basic knowledge of the subject matter is common in reporters of every stripe.
Really?
Actually, it's used for a lot more than just that... It's commonly used by software for IPC or "interprocess communication" where you need to refer to "this computer." It has numerous other uses as well.
Mark
The best journalists never major in journalism.
The question was rhetorical but I'll point it out anyway.
Thanks, have a good weekend.
BUSH/CHENEY 2004
Yep. Every so often, I like to post the email address spamTHIS@127.0.0.1 right here in the forum. I figure some 'bot will come by and add it to the spammers' mailing lists. That way they can send their crap to themselves. Hopefully they get a bounce notice, too.
You're probably right. I think this was mainly done to tweak MS' nose, and I get that idea from the wording of the first sentence of the PoC post:
Yet another silent delivery and installation of an executable on the target computer using Internet Explorer 6.
Whether they realize it or not, MS needs some serious help. They're going backward. Secunia has a test page here for another issue, which IE6 fails but IE5 passes. It makes you wonder what happened to the big security emphasis they had a couple of years ago.