[Internet Explorer] New IE spy progie exploits DCOM
The Register USA ^
| 07-02-2002
| Thomas C Greene
Posted on 07/02/2002 5:33:13 PM PDT by JameRetief
A group of Japanese security enthusiasts has developed a little tool called IE'en which exposes traffic between an IE user and any server he's contacting, including logins and passwords over HTTPS.
The group, SecurityFriday, has made the tool available for download here.
To use the tool it's necessary to log in as a current user on a Win-NT or 2K system. Of course if someone can log into your account they already have a great deal of your life in their hands and this is only going to give them a little bit more.
What's interesting here is the ability to capture packets between the client and server by exploiting DCOM (Distributed Component Object Model), a Microsoft program interface allowing the mediation and exchange of program and data objects over a network, similar to CORBA.
According to MS, it "enables software components to communicate directly over a network in a reliable, secure, and efficient manner."
Well, reliable and efficient it may be, but 'secure' is clearly a bit of a stretcher. And as for a workaround, that's easy: make sure you have a strong password for your user account. If you think yours may be weak, or if you've shared it, then reset it. Ten characters involving a combination of lower and upper-case letters, numerals, and special characters will keep you safe from IE'en jockeys. ®
To: JameRetief
2 posted on 07/02/2002 5:38:27 PM PDT by sigSEGV
To: JameRetief
To use the tool it's necessary to log in as a current user on a Win-NT or 2K system. Of course if someone can log into your account they already have a great deal of your life in their hands and this is only going to give them a little bit more.
This isn't what I would call much of an "exploit" if you already know the current user's username and password. Weak, at best.
3 posted on 07/02/2002 5:40:22 PM PDT by Bush2000
To: *tech_index
.
To: Bush2000
This isn't what I would call much of an "exploit" if you already know the current user's username and password. Weak, at best.
I would say that a program that allows you to sniff its SSL traffic has a security problem.
5 posted on 07/02/2002 6:42:31 PM PDT by ikka
To: ikka
I would say that a program that allows you to sniff its SSL traffic has a security problem.
Only if you're logged on as that user, dude. Weak.
6 posted on 07/02/2002 6:43:06 PM PDT by Bush2000
To: JameRetief
I don't get it. If they can see your https traffic what keeps them from getting your new and improved 10 character password as well?
7 posted on 07/02/2002 7:22:14 PM PDT by JCG
To: sigSEGV
The latest version of Mozilla works great. There are some really nice features that make it attractive, like the tabbed browsing and pop up stoppers.
To: JCG
If they can see your https traffic what keeps them from getting your new and improved 10 character password as well?
Hopefully your brain is not so feeble that it can't keep track of multiple passwords.
You use your strongest password on your workstation as a logon password... this protects the workstation and all of the tools you have installed. Then think of for your network stuff.
To: ikka
I would say that a program that allows you to sniff its SSL traffic has a security problem.
Normally I would agree with you. But the article doesn't exactly say that.
- Remotely connects to or activates Internet Explorer
- Captures data sent and received using Internet Explorer
- Even on SSL encrypted websites (e.g. Hotmail), IE'en can capture user ID and password in plain text.
- Change the web page on the remote IE window.
It's a remote admin hack on IE using DCOM. The attacker can see and manipulate certain data in the memory space of the remote IE, before it gets formatted / encrypted / sent / rendered... it's not an SSL sniffer.
Looks like it requires Admin privs on the local box and a valid user account on the remote box. It looks like an interesting hole, but no biggie.
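One defender-side check that follows from the mechanism described above (remote DCOM activation of IE under a valid account), added here as an example and not part of the thread, the article, or the IE'en tool: a PowerShell audit of whether the host accepts remote DCOM activation, which DCOM servers are registered for Internet Explorer, and what the DistributedCOM event provider has logged. It assumes a modern Windows host with the CIM cmdlets, run in an elevated session.

```powershell
# Added example (not from the article or the IE'en tool): audit the remote DCOM
# surface the thread describes. Assumes an elevated modern PowerShell session.

# 1. Machine-wide switch: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM ("Y" means remote
#    activation is allowed). Turning it off breaks legitimate DCOM clients, so
#    treat a "Y" as a finding to review against the host's role, not a bug.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop
Write-Host ("EnableDCOM = {0}" -f $ole.EnableDCOM)

# 2. DCOM server registrations whose name or description mentions Internet
#    Explorer. Each AppID carries its own launch/activation settings; a server
#    that ordinary domain users may activate remotely is what a stolen or weak
#    account would be used against.
Get-CimInstance -ClassName Win32_DCOMApplication |
    Where-Object {
        $_.Name -like '*Internet Explorer*' -or $_.Description -like '*Internet Explorer*'
    } |
    ForEach-Object {
        $setting = Get-CimInstance -ClassName Win32_DCOMApplicationSetting `
            -Filter ("AppID='{0}'" -f $_.AppID)
        [pscustomobject]@{
            Name         = $_.Name
            AppID        = $_.AppID
            RemoteServer = $setting.RemoteServerName
            RunAs        = $setting.RunAsUser
            AuthLevel    = $setting.AuthenticationLevel
        }
    } | Format-Table -AutoSize

# 3. Recent DistributedCOM events from the System log. Activation failures and
#    permission errors here, correlated with the account that triggered them,
#    are the place to look for unexpected remote use of a user's session.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

The Name filter is an assumption about how the IE server is labelled in the DCOM registry on a given build; widen or drop it to list every registered AppID.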
To: JameRetief
"A group of Japanese security enthusiasts..."
Yep, Japanese all right. Read the EULA for the tool:
We have the rights made a patent, the copyrights, and the right of the name etc. of this software. Only if you agree to all the presented items, will we permit you the use of this software. Only you obtain the permission to use this software by agreeing to these conditions. The right to permit use to change, resale to third parties, remodeling, and the copyright notice, etc. are not obtained. We are occasionally setting the use time limit of this software. Please read the explanation of this software about a detailed thing. This limitation prevents that this software is unrestrictedly misused. In this case, after the time limit, you cannot use it. Then, please use a new version or contact us for consultation. You must not use this software for purposes in contradiction to law and general common sense. You can copy this software for backup only. Do not reverse-engineer this software, even what purpose you are or what techniques. This software permits using without any guarantees to you. We are confirming this software operation in our computer environment. However, it does not do guarantee that it operates without causing problems in your environment. You should solve the problem yourself when the software is not normally operating. However, latest information on our homepage might help you in problem solving. We prohibit using this software for all malfeasances, absurd acts, and acts by which others rights are violated. Even if you do those acts with this software, we do not take responsibility. Also, we do not take responsibility about all problems which relate to them. You must assume all those responsibilities. Our judgment gives priority when there is a difference of the opinion between us and you for the recognition of "Absurd act". We occasionally change and revise this software. We do not answer the occurring problem at all as a result. 
Moreover, we may occasionally cancel the permission to use this software to the user by various laws and International Law, etc. When we declare this cancellation on the homepage, you are lost of the right to use this software. In this case, please promptly stop using and delete the related files.
To: Digital Chaos
All your password are belong to us.
;-) Happy 4th!