New Explorer hole could be devastating

Infoworld ^ | 01/28/04 | Kieren McCarthy

[Salo]

New Explorer hole could be devastating Browser users could be fooled into downloading executable files

By Kieren McCarthy, Techworld.com January 28, 2004

A security hole in Microsoft Corp.’s Internet Explorer could prove devastating. Following the exposure of a vulnerability in Windows XP earlier this week, “http-equiv” of Malware has revealed that Explorer 6 users (and possibly users of earlier versions) could be fooled into downloading what look like safe files but are in fact whatever the author wishes them to be -- including executables.

A demonstration of the hole is currently on security company Secunia’s website and demonstrates that if you click on a link, and select “Open” it purports to be downloading a pdf file whereas in fact it is an HTML executable file.

It is therefore only a matter of imagination in getting people to freely download what could be an extremely dangerous worm -- like, for instance, the Doom worm currently reeking havoc across the globe.

However what is more worrying is that this hole could easily be combined with another Explorer spoofing problem discovered in December.

The previous spoofing problem allowed Explorer users to think they were visiting one site when in fact they were visiting somewhere entirely different. The implications are not only troublesome, but Microsoft’s failure to include a fix for the problem in its January patches has led many to believe it cannot be prevented.

If the same is true for this spoofing issue, then it will only be a matter of time before someone who thinks they are visiting one website and downloading one file will in fact be visiting somewhere entirely different and downloading whatever that site’s owner decides.

We also have reason to believe there is no fix. It may be that today’s flaw is identical to one found nearly three years ago by Georgi Guninski in which double-clicking a link in Explorer led you to believe you were downloading a text file but were in fact downloading a .hta file.

In both cases, the con is created by embedding a CLSID into a file name. CLSID is a long numerical string that relates to a particular COM (Component Object Model) object. COM objects are what Microsoft uses to build applications on the Internet. By doing so, any type of file can be made to look like a “trusted” file type i.e. text or pdf.

Guninski informed Microsoft in April 2001. The fact that the issue has been born afresh suggests rather heavily that the software giant has no way of preventing this from happening.

So how bad could it get? Just off the top of our heads -- suppose someone set up a fake Hutton Inquiry site today with a link to the report’s summaries -- how many people across the U.K. would download a worm this afternoon? And imagine the computers it would end up on.

The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer’s viability as a browser.

The advice is to avoid this latest hole is always save files to a folder and then look at them. On your hard drive, the file’s true nature is revealed. But this advice is nearly as practical as Microsoft telling users not to click on links to avoid being caught out by the previous spoof problem.

All in all, it does not look good. Not good at all.

[FLAMING DEATH]

The cool thing is, the .ZIP file that you download is under 7MB.

[FLAMING DEATH]

Now, check this out...

http://texturizer.net/firebird/extensions/

You'll be amazed at what Firebird can do with a little tweaking.

[FLAMING DEATH]

I got that one. I also got the ad killer that zaps banner ads within a page. Very cool, and speeds up page loads.

[zeugma]

I'm trying to find it again. I thought it was at the Texturizer site, but I can't seem to locate it. If I find it, I'll let you know. I really need to put all this stuff in one place so I can find it easily when I need it!

[Bush2000]

I think I'll trust the Gartner figure over your generalizations. And I know first hand that Gartner is not anti-Microsoft.

Since you're on the Gartner wagon, here's another interesting conclusion of theirs:

http://www.infoworld.com/article/03/09/10/HNlinuxoverstated_1.html
Gartner: Desktop Linux savings overstated
Analyst firm says that desktop environment more tricky than servers

By Gillian Law, IDG News Service September 10, 2003

Using a Linux OS (operating system) might save you money on your servers, but most enterprises shouldn't expect to see the same cost saving if they switch their Microsoft Corp. Windows desktops over, a report from Gartner Inc. said Wednesday."

BWAHAHAHAHAHAHAHAHAHAHA!!!!

[Bush2000]

Type that into your browser if you don't believe me, or from a dos promt, type c: (if you aren't already on the c: disk) cd \Documents and Settings\%username%\

That doesn't work in this case. '%username%' does get replaced when you type it on the commandline in the Shell -- but not when accessed as a filename within an app. Nice try, though.

[adam_az]

Actually, you can. The environment variable is exploded when you make a file call.

Also, you can always use the Windows API to get the %username% environment variable

here's the declaration:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/getenvironmentvariable.asp

DWORD GetEnvironmentVariable(
LPCTSTR lpName,
LPTSTR lpBuffer,
DWORD nSize
);


Nice try, though, newbie.

[antiRepublicrat]

Since you're on the Gartner wagon, here's another interesting conclusion of theirs:

They're right. If you do a large Linux desktop install these days, you'd better make sure it's done right. Then it can save money. Slapping together a Windows system these days is more forgiving.

Personally, I think Linux is good for the desktop in only specific cases, but it is maturing -- give it a few years. If you want better than Windows for the desktop, just get a Mac.

[Golden Eagle]

You're still afraid to link those titles like I've asked because you know if you do people will see me defending Sun and Apple just as vigorously as Microsoft.

I support ALL US software companies in the face of foreign freeware. And I'm proud to say this last week I've personally converted someone who was running Red Hat Linux to reload that system with Sun Solaris Unix for Intel, a truly American product although it is currently having to be given away for free with the onslaught of Linux upon America's shores. Yes some of you will say free is better, but it's not, not for America's tech economy and not for us working in the industry.

[Vermonter]

FR Stats

[Bush2000]

Actually, you can. The environment variable is exploded when you make a file call.

Uh, no, it's not. My test app invokes a call to CreateFile() and it returns file not found -- and your assertion is inconsistent with the API docs. But what do I know -- I'm only compiling real code. You? You're just shooting off your mouth.

[Bush2000]

They're right. If you do a large Linux desktop install these days, you'd better make sure it's done right. Then it can save money. Slapping together a Windows system these days is more forgiving.

And, therefore, it's no wonder that people aren't moving to Apple on the desktop.

[Destructor]

I own an iMac! Life is good!! LOL!!!

[Salo]

Red Hat is NC-based. Suse is owned by Novell, which is sort of based in Utah (I think the HQ is in New Jersey now). Now that you've had this little geography lesson, I'm glad to see you coming on board.

I support ALL US software companies in the face of foreign freeware. And I'm proud to say this last week I've personally converted someone who was running Red Hat.

[zeugma]

You're still afraid to link those titles like I've asked because you know if you do people will see me defending Sun and Apple just as vigorously as Microsoft.

I might include the individual URLS in TrollAlert version 1.2. It depends upon how long it will take to make.

And I'm proud to say this last week I've personally converted someone who was running Red Hat Linux to reload that system with Sun Solaris Unix for Intel, a truly American product although it is currently having to be given away for free with the onslaught of Linux upon America's shores

What a wonderful thing. Do realize that SUN is borrowing very heavily from those evil open-source types in their use of Gnome as the default desktop? SUN is also very suportive of the open source movement through their support of the SunFreeWare site.

The trouble for them is that the software world is leaving them behind. Their hardware still rocks in many ways, though they are not as competitive as they used to be.

BTW: unless you are running Solaris on SUN hardware, you really aren't doing anything for SUN except for possibly expanding mindshare by a small margin. SUN is a hardware company. They've never made all that much money on their OS or other hardware as a percentage of gross revenues. It is the support contracts, customer education srvices, and hardware that make the big cheese there. People don't get SUN equipment because it comes with Solaris. Rather the opposite is the case, they get Solaris because it runs on SUN hardware. We use a lot of SUN hardware where I work, and I can tell you it isn't the cheapness of the hardware that drives the purchases. Reliability and support are the major drivers. The average uptime of about 250 days for our SUN hardware is a bit less than the IBM boxes, which at present are standing at over 800 on several of them, but the AIX systems are on EOL at the moment and no real development beyond break/fix is happening.

[Principled]

I'm running it now on another window. Took about 24 sec to download, about 2 mins to unpack and begin. Cool.

[Principled]

Now I'm on Mozilla. I never thought it would be so easy.

I'm gonna go play!

[Colonel_Flagg]

I'm very impressed - thanks much for the link! But I have a couple of questions. Would you mind if I Freepmailed you?

[Golden Eagle]

I own an iMac! Life is good!! LOL!!!

Great Post! LOL!

[Golden Eagle]

I was simply pointing out that surfing a website isn't necessary. The link can be delivered in email.

You're talking in circles again, what? You're going to need a host, to link to, and if you haven't already rooted the client your only other option is your own server, which would be like robbing a bank but leaving your driver's license. There's simply not much way this can be exploited, despite the obvious attempt of the author to distract from the Linux virus debacle.