Free Republic
News/Activism

New Explorer hole could be devastating
Infoworld ^ | 01/28/04 | Kieren McCarthy

Posted on 01/28/2004 1:10:12 PM PST by Salo

Browser users could be fooled into downloading executable files

By Kieren McCarthy, Techworld.com January 28, 2004

A security hole in Microsoft Corp.’s Internet Explorer could prove devastating. Following the exposure of a vulnerability in Windows XP earlier this week, “http-equiv” of Malware has revealed that Explorer 6 users (and possibly users of earlier versions) could be fooled into downloading what look like safe files but are in fact whatever the author wishes them to be -- including executables.

A demonstration of the hole, currently hosted on security company Secunia’s website, shows that if you click on a link and select “Open”, the download purports to be a PDF file when in fact it is an HTML executable file.

It is therefore only a matter of imagination in getting people to freely download what could be an extremely dangerous worm -- like, for instance, the Doom worm currently wreaking havoc across the globe.

However what is more worrying is that this hole could easily be combined with another Explorer spoofing problem discovered in December.

The previous spoofing problem allowed Explorer users to think they were visiting one site when in fact they were visiting somewhere entirely different. The implications are not only troublesome, but Microsoft’s failure to include a fix for the problem in its January patches has led many to believe it cannot be prevented.

If the same is true for this spoofing issue, then it will only be a matter of time before someone who thinks they are visiting one website and downloading one file will in fact be visiting somewhere entirely different and downloading whatever that site’s owner decides.

We also have reason to believe there is no fix. It may be that today’s flaw is identical to one found nearly three years ago by Georgi Guninski in which double-clicking a link in Explorer led you to believe you were downloading a text file but were in fact downloading a .hta file.

In both cases, the con is created by embedding a CLSID into a file name. A CLSID is a long numerical string that identifies a particular COM (Component Object Model) object. COM objects are what Microsoft uses to build applications on the Internet. By doing so, any type of file can be made to look like a “trusted” file type, i.e., text or PDF.

Guninski informed Microsoft in April 2001. The fact that the issue has been born afresh suggests rather heavily that the software giant has no way of preventing this from happening.

So how bad could it get? Just off the top of our heads -- suppose someone set up a fake Hutton Inquiry site today with a link to the report’s summaries -- how many people across the U.K. would download a worm this afternoon? And imagine the computers it would end up on.

The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer’s viability as a browser.

The advice for avoiding this latest hole is to always save files to a folder and then look at them. On your hard drive, the file’s true nature is revealed. But this advice is nearly as practical as Microsoft telling users not to click on links to avoid being caught out by the previous spoof problem.
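The two checks the article implies (a CLSID hidden inside a file name, and looking at the saved file to see what it really is) can be combined into a small defensive download checker of the kind a mail gateway or download manager would run before offering a file to the user. This is an added example, not code from the article, from Secunia or from Malware; it assumes the CLSID appears in registry-style braces as a component of the file name (the article only says it is embedded in the name), the all-zero CLSID is a placeholder, and the sample names and file contents are constructed.

```python
"""Defensive download checks: (1) flag a CLSID token embedded in a file name,
(2) compare the claimed extension against the file's leading bytes.
Added example; not code from the article or the demonstrations it cites."""
import re
from pathlib import PurePath

# Assumption (not stated in the article): the CLSID is written in registry-style
# braces, e.g. "summary.pdf.{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}", so that the
# name the user sees ends in the "trusted" extension.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Leading bytes expected for the file types the article discusses. HTML has no
# fixed signature, so it is recognised by a leading tag instead (see below).
MAGIC = {
    ".pdf": b"%PDF-",
    ".exe": b"MZ",
}

HTML_PREFIXES = (b"<html", b"<!doctype html", b"<script", b"<object")


def find_embedded_clsid(filename):
    """Return the CLSID token found in the name, or None if there is none."""
    m = CLSID_RE.search(filename)
    return m.group(0) if m else None


def apparent_name(filename):
    """The name as the user would see it once the CLSID token is hidden."""
    return CLSID_RE.sub("", filename).rstrip(".")


def looks_like_html(head):
    """True if the first bytes read like HTML markup rather than document data."""
    h = head.lstrip().lower()
    return h.startswith(HTML_PREFIXES)


def check_download(filename, head):
    """Classify a download from its name and first bytes. Returns (verdict, reason)."""
    findings = []
    clsid = find_embedded_clsid(filename)
    if clsid:
        findings.append(f"name carries CLSID {clsid}; user would see {apparent_name(filename)!r}")
    ext = PurePath(apparent_name(filename)).suffix.lower()
    sig = MAGIC.get(ext)
    if sig is not None and not head.startswith(sig):
        findings.append(f"content does not start with {sig!r} as expected for {ext}")
    if ext in (".pdf", ".txt") and looks_like_html(head):
        findings.append(f"claimed {ext} but content is HTML markup")
    if findings:
        return ("suspicious", "; ".join(findings))
    return ("ok", "name and content agree")


# Constructed sample downloads (names, CLSID and contents are made up).
SAMPLES = [
    ("summary.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("summary.pdf.{00000000-0000-0000-0000-000000000000}", b"<html><body>x</body></html>"),
    ("readme.txt", b"<HTML><HEAD><TITLE>x</TITLE></HEAD></HTML>"),
]


def run_samples():
    """Check every constructed sample; returns a list of (verdict, reason)."""
    return [check_download(name, head) for name, head in SAMPLES]


if __name__ == "__main__":
    for (name, _), (verdict, reason) in zip(SAMPLES, run_samples()):
        print(f"{name}: {verdict} ({reason})")
```

The name check alone is not enough: a CLSID token can be stripped or rewritten by a gateway, but the content check is what the article's "save it and look at it" advice amounts to, and automating it is the only way that advice scales.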

All in all, it does not look good. Not good at all.


TOPICS: Business/Economy; Extended News; Technical
KEYWORDS: ie; lowqualitycrap; microsoft; ms; security; windows
To: blowfish
Face it, the Communist projects like KDE run so many rings around CDE you might as well be at the Daytona 500.

Maybe, but I'm buying American with every chance I get. I encourage everyone else to do the same.

141 posted on 01/29/2004 9:17:35 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 140 | View Replies]

To: mhking
OK, I bit. Just downloaded Firebird. Quick download. Painless setup. Automatically imported my IE Favorites.

One thing, though...on several of my Favorites, pictures are either taking a long time to show up or not showing up at all.

What is this non-techie missing?

142 posted on 01/29/2004 9:41:59 PM PST by Ulysses ("Most of us go through life thinking we're Superman. Superman goes through life being Clark Kent!")
[ Post Reply | Private Reply | To 4 | View Replies]

To: Ulysses
What is this non-techie missing?

This link - www.netscape.com

143 posted on 01/29/2004 9:46:26 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 142 | View Replies]

To: Golden Eagle
>Maybe, but I'm buying American with every chance I get. I encourage everyone else to do the same.

Well, given a choice between a new Camry for $0, and a AMC Gremlin for $7000, I'll happily cede you the Gremlin. Happy Motoring. Make sure to get extra flag decals to cover the rust spots.
144 posted on 01/29/2004 9:53:23 PM PST by blowfish
[ Post Reply | Private Reply | To 141 | View Replies]

To: Ulysses
Also, Firebird seems a little slow, compared to what I'm used to...
145 posted on 01/29/2004 9:56:02 PM PST by Ulysses ("Most of us go through life thinking we're Superman. Superman goes through life being Clark Kent!")
[ Post Reply | Private Reply | To 142 | View Replies]

To: blowfish
And if every American made that decision America would immediately be kaput. Yes, some selfishly make every decision. But others like me like to think beyond our own personal comforts and of the overall impact of the decision on other things, and yes America's well being is always near the very top of those additional concerns. It's a great feeling too, something you just can't buy, and again I recommend it for everyone.
146 posted on 01/29/2004 9:58:48 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 144 | View Replies]

To: adam_az
OK, you COULD use it in a vbscript, batch, or other active scripting goodie which is default installed on Windows systems, and which are treated as executables by default.

A. That isn't even remotely relevant to this so-called exploit; in fact, the path is passed by an ActiveX control written in native code to the Win32 CreateFile() or CreateProcess() API -- where it isn't replacing %USERNAME%. There's simply no way for the caller to know what that path is.

B. Explain how (be precise) the %USERNAME% gets exploited by VBScript, etc.

Your mention of CreateFile is a strawman, it's not one I mentioned.

I could care less whether you mentioned something else. Your reference was nonsensical blather that has no bearing on the exploit described in this report.

You still could always use the other API call I mentioned previously to grab the environment variable, and stick that variable into the path for use with CreateFile, so CreateFile can do it, you just need an intermediate step.

You could also theoretically pump a few rounds into your own head -- but what the Hell does that have to do with an ActiveX control using CreateFile() or CreateProcess() to open a local file?!?

In other words, you replied to only a part of my post in a method akin to picking fly crap from horse crap, i.e., a distinction without a difference.

Face it, Adam. You're grasping at straws. You thought that a simple replacement of %USERNAME% in the shell was the same mechanism used by the ActiveX control to open the local binary (either using CreateFile or CreateProcess). You were wrong. It's that simple. And you tried to cover your ignorance by spewing some nonsense about VBScript, etc.

You said earlier that it was impossible, it's clearly not.

I'm still waiting for you to explain how it's possible -- using reality (not your imagination) as the basis for your explanation.
147 posted on 01/29/2004 10:06:17 PM PST by Bush2000
[ Post Reply | Private Reply | To 127 | View Replies]

To: Golden Eagle
>And if every American made that decision America would immediately be kaput.
There is some great proprietary software. Some of it is made in the USA. But if America's software industry devolves to a state of 'Buy our over-priced, second-rate software to support the old Red, White and Blue' then it is rotten to the core and *deserves* to fail. Capitalism and competition at its finest.
Sun has *never* had a good track record of producing good applications. Old versions of SunOS were OK, but mostly piggybacked on previous UNIX development efforts. Sunview sucked rocks, but had little competition for quite a while. Sun's C compiler sucked rocks. CDE, which was mostly developed by HP, was clunky when it came out and is still clunky.
I don't really have much more to add to this thread. If you choose to buy inferior products just because they're American, that's your choice, but I won't do it. I've been in the American software industry too long to reward second rate products and second rate strategies. There are too many good companies that are doing innovative work (and, yes, making money in the process).
148 posted on 01/29/2004 10:13:24 PM PST by blowfish
[ Post Reply | Private Reply | To 146 | View Replies]

To: blowfish
If you choose to buy inferior products just because they're American, that's your choice, but I won't do it.

I proudly support all American products when directly compared to foreign ones in every aspect, including the ultimate purchasing decision. I don't have to worry about trying to live your strange mindset where by building up foreign countries somehow is good for us because of the increased competition. No, not at all, because I know there's an abundance of people like you who will be helping them do that anyway. You might want to think long and hard about that, but you're probably already gone.

149 posted on 01/29/2004 10:20:04 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 148 | View Replies]

To: Golden Eagle
Interesting, but the developers are aware of that. Of course, they do receive a very valuable intangible, which is reputation and increased career prospects. Guess what, most kernel developers are also professional programmers. (or else college students.)

You didn't rebut my reply, btw, you were totally OT
150 posted on 01/29/2004 10:40:47 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)
[ Post Reply | Private Reply | To 138 | View Replies]

To: adam_az
Interesting, but the developers are aware of that.

Interesting you say? You mean you never thought of that, that they are all basically working for free since their only reward (non-commercial distro of Linux) they could have gotten for free anyway? All while IBM makes billions, LOL?

You're also devaluing the software programming profession by promoting the open source "phenomenon". By proclaiming open source a valid development model, in most cases Linux people claim it is superior, you're directly implying that people that work for free (see above), are superior workers to those that are paid to make a similar product for commercial companies.

You're devaluing the programming profession to the value of zero, whether you're able to conceive the complete point in your mind or not.

151 posted on 01/29/2004 10:56:18 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 150 | View Replies]

To: Bush2000
Can you explain what the hell any of this has to do with an activex control or createfile() or createprocess()?

You must be reading the wrong advisory, dude.

I expect an apology.

Here's the actual exploit:

http://malware.com/

There are example codes as well.

In fact, you don't even need to know the username.

Here is why:

"When the email or news post is opened, the embedded *.chm and *.exe will automatically and silently be transferred to the client temp folder, intact and with the given names. Default locations on all machines calls for the temp folder to be at C:\windows\temp. The AMC control, will deposit the two files to wherever the temp folder is located, if you have changed the location, these two files will still be delivered there, however because the *.chm file is constructed to seek out the *.exe in the default location, it will fail. Likewise so will the script in the html email message or news post. Hence, this will only work on default OS installs."

then

"Once the news post or email has been opened or even previewed via Outlook or Outlook Express preview pane, the two files are delivered to the temp folder, sufficient time elapses when the script in the html message calls the *.chm which opens silently and minimised in the task bar (because we have instructed it to open at the minimum size and off-set 2000, 2000), once opened it, the ActiveX link control in it, runs the executable."

152 posted on 01/29/2004 11:10:05 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)
[ Post Reply | Private Reply | To 147 | View Replies]

To: Golden Eagle
You have ceased to be worth responding to.

I don't concede any points, but if you would like to imagine that I have, feel free.

Your post is so thick with bravo sierra, logical fallacies, and cases where you pick the least likely explanation and set it up as a strawman, that I'm just not going to bother.

Have a nice night.
153 posted on 01/29/2004 11:13:34 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)
[ Post Reply | Private Reply | To 151 | View Replies]

To: zeugma
Ziing! I'd say you have Brass Buzzard's number, alright. Good work!
154 posted on 01/30/2004 12:36:15 AM PST by Prime Choice (I'm pro-choice. I just think the "choice" should be made *before* having sex.)
[ Post Reply | Private Reply | To 99 | View Replies]

To: adam_az
Whatever. Open Source programmers are chumps at best, and are destroying the value of software development.
155 posted on 01/30/2004 5:06:08 AM PST by Golden Eagle
[ Post Reply | Private Reply | To 153 | View Replies]

To: adam_az
Guess what, most kernel developers are also professional programmers.

Right now some are. But if the leader of the GPL movement Richard Stallman (stallman.org, fsf.org) gets his way -which is to make ALL software free - there won't be any proprietary software companies left out there for you to mooch off of anymore.

156 posted on 01/30/2004 5:37:27 AM PST by Golden Eagle
[ Post Reply | Private Reply | To 150 | View Replies]

To: Golden Eagle
Yeah that's why I don't have it loaded. What happened to CDE? But Gnome has some proprietary parts you seem to be overlooking.

CDE is an abortion of a window manager. I've used CDE with Ultrix, Tru64, AIX, Solaris, and HP-UX. I suppose you would say that we should stick with something truly horrible like CDE even though the open source community has come up with much better alternatives like KDE, Gnome, and others. The only redeeming thing I can think of that came with KDE is that the Ultrix version of the calendar applet had a nifty feature where in the single day view, the window scrolled with the day, so that the current/previous hours were always at the top of the window, rather than you having to scroll to the present time as the day progressed.

Yeah and Apple has some involvement too. But they control it, instead of letting possible foreign communists control them. Serious difference you seem oblivious to.

You seem to be awfully concerned with communists writing software, yet show a blithe disregard for their efforts at undermining our Republic. That would seem to be the case, at least, given that you don't seem to care enough about any of the other, more important subjects that are regularly discussed on this site. It is this inconsistency that marks you as a troll.

But they are being destroyed by Open Source, now their operating system is being given away for free, and a near perfect duplicate of their office suite is now being given away too, they are cornered and finally had to sell out to Linux and had a psychiatric breakdown in the press in the process. So sad to see it, Apple will be next, they're already morphing into a music company.

Sun may very well be destroyed in the process. That is what happens in a free enterprise system. Some companies succeed, while others fail. I like OO so much that I bought a copy of StarOffice. You can still buy it btw. It does everything that I need and runs on both Solaris and Linux, so it was worth spending cash to get it.

It's not just open source that has put the crimp on those who would sell office suites. I recall when WordPerfect (and before that, WordStar) were the standard word processors. Like Microsoft does today, they'd priced their product at several hundred dollars per copy. Funny thing though, at that price you also got something that is sadly lacking in today's microsoft-dominated world - support. I contacted them on a few occasions as I was a liaison of sorts for folks dealing with such things. Their support was absolutely fantastic and without parallel, outside of the really expensive support contracts you get with Sun or IBM for their high-end systems.

What happened to that? Well, along came microsoft, who bought word processor, spreadsheet, and presentation programs from other companies, rebranded them as their own, and started undercutting everyone with a "competitive upgrade" program, while using their virtual monopoly of the OS market to subsidize this program. They eventually drove just about everyone else out of business because no one else could compete with that constant DOS/Windows revenue stream that sustained everything else microsoft did. Eventually all the companies that had prided themselves on their customer support had to adopt microsoft's tactic of saying support was someone else's problem, or worse, was a profit center.

Yet you come here as some troll astroturfer for microsoft bemoaning the fact that open source is destroying Staroffice, and Sun because open source provides solutions to problems, and can often do it for free. Open source threatens the business models of some companies. Tough. That's the way the world is. I'm sure buggy-whip and harness makers were rather upset at the creative destruction of the automobile industry, as were candlemakers with Edison and others.

Note, that there are still folks who make candles, harnesses, and probably even buggy whips. They aren't anywhere near the same scale as had been previously the case, but that's the way the market works. Some companies are going to have to change their business model to survive. Those not smart enough to adapt to the realities of the 21st century are going to die. Good riddance to them.

Personally, I'm much more concerned with this country devolving into a stinking democracy than the threat of hordes of unwashed open source programmers.

157 posted on 01/30/2004 6:06:49 AM PST by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 124 | View Replies]

To: adam_az
Adam, you may expect an apology, but I'll be really surprised if you get one. The most likely response is hand-waving that it is soooo unlikely that someone would go to a malicious site, that it's not worth worrying about. This, of course, would ignore all the attacks now being carried out by folks sending out email that looks like it's from microsoft, visa, mastercard, and others trying to coax the user into logging into their site.
158 posted on 01/30/2004 6:11:17 AM PST by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 152 | View Replies]

To: mhking
Firebird is great. I just switched, and will never go back to MS. If I can find a good replacement for Palm Desktop, I will completely switch to Linux.
159 posted on 01/30/2004 6:24:33 AM PST by Snowy
[ Post Reply | Private Reply | To 61 | View Replies]

To: blowfish
Can you believe someone would actually recommend CDE? I shudder just thinking about it.
160 posted on 01/30/2004 6:25:01 AM PST by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 148 | View Replies]
