Posted on 01/28/2004 1:10:12 PM PST by Salo
New Explorer hole could be devastating: Browser users could be fooled into downloading executable files
By Kieren McCarthy, Techworld.com January 28, 2004
A security hole in Microsoft Corp.'s Internet Explorer could prove devastating. Following the exposure of a vulnerability in Windows XP earlier this week, http-equiv of Malware has revealed that Explorer 6 users (and possibly users of earlier versions) could be fooled into downloading what look like safe files but are in fact whatever the author wishes them to be -- including executables.
A demonstration of the hole is currently on security company Secunia's website and demonstrates that if you click on a link and select Open, it purports to be downloading a pdf file whereas in fact it is an HTML executable file.
It is therefore only a matter of imagination in getting people to freely download what could be an extremely dangerous worm -- like, for instance, the Doom worm currently wreaking havoc across the globe.
However what is more worrying is that this hole could easily be combined with another Explorer spoofing problem discovered in December.
The previous spoofing problem allowed Explorer users to think they were visiting one site when in fact they were visiting somewhere entirely different. The implications are not only troublesome, but Microsoft's failure to include a fix for the problem in its January patches has led many to believe it cannot be prevented.
If the same is true for this spoofing issue, then it will only be a matter of time before someone who thinks they are visiting one website and downloading one file will in fact be visiting somewhere entirely different and downloading whatever that sites owner decides.
We also have reason to believe there is no fix. It may be that today's flaw is identical to one found nearly three years ago by Georgi Guninski in which double-clicking a link in Explorer led you to believe you were downloading a text file but were in fact downloading a .hta file.
In both cases, the con is created by embedding a CLSID into a file name. CLSID is a long numerical string that relates to a particular COM (Component Object Model) object. COM objects are what Microsoft uses to build applications on the Internet. By doing so, any type of file can be made to look like a trusted file type i.e. text or pdf.
Guninski informed Microsoft in April 2001. The fact that the issue has been born afresh suggests rather heavily that the software giant has no way of preventing this from happening.
So how bad could it get? Just off the top of our heads -- suppose someone set up a fake Hutton Inquiry site today with a link to the reports summaries -- how many people across the U.K. would download a worm this afternoon? And imagine the computers it would end up on.
The possibilities are endless, and since both spoof issues appear to be unfixable, it must surely place a big question mark over Explorer's viability as a browser.
The advice to avoid this latest hole is to always save files to a folder and then look at them. On your hard drive, the file's true nature is revealed. But this advice is nearly as practical as Microsoft telling users not to click on links to avoid being caught out by the previous spoof problem.
All in all, it does not look good. Not good at all.
OK.
See where it says "http://www.microsoft.com" in the URL bar? And yet, the browser is on Secunia's web site.
Suppose I am an Evil Nigerian, and I send you one of those fake emails that says you should Watch Out for the Novarg virus, and you should update Windows right now by clicking here.
You click, and sure enough, you go to a Microsoft page. It even says "http://www.microsoft.com" in the URL bar. And it's asking for your Passport ID and password.
But it isn't a Microsoft page. It's really www.evilnigerians.com.
You're so smart that you wouldn't be fooled by that, but there are probably 6×10^23 people who would be fooled by that. And the Evil Nigerians would have their Passport IDs. Or their credit card number... these scammers are pretty clever. All they have to do is gin up a halfway-decent knockoff of a reputable web site, and then send out a million spams tricking people into coming to disney.com or whatever to buy a stuffed Mickey Mouse for $1.50. Next thing you know, the Evil Nigerians will have 100,000 credit card numbers complete with name, address, and phone number.
As you know, there is an official Microsoft talking point on this feature. It is that this is not a flaw in a Microsoft product, because it doesn't do anything. And if it does do something, it is still not a flaw in a Microsoft product... it is stupid people being stupid. And if it is a flaw, it isn't Microsoft's fault; it's godless linux communists and their foreign precious bodily fluids. And if you try to defend yourself from this seemingly endless series of security holes in this totally flawless product by getting and using something else, then you personally are a godless communist and you probably rip off the music companies too and you pray to Richard Stallman and your father marched with Hitler.
In spite of which, game theory tells us that there is an advantage to be gained by being among the first to get and use something else. It is probably true that if Firebird (or whatever) someday achieves the 80% market share that IE has now, the Evil Nigerians will target Firebird. But right now they don't, and they probably won't for a few years at least. So there will be a few years of peace and quiet for those who got in on the Firebird trend first.
I suggest you try this on yourself. Outlook Express will not link you to a spoofed address. In fact Outlook Express will not link to any address that isn't in Ascii (7 bit) format. I know this because my personal site has a tilde in the address, and I have to URLencode the address when I email it. The tilde is clearly visible as "%7e".
Now anyone who responds to an email in the way you described will probably also buy the Nigerian stocks anyway. How would such an ignoramus know the correct URL anyway? How many people even look at the URL?
But at the same time, it's up to the "common folk" to do what they can to make sure that they're not victims of crime...
While it's illegal for someone to steal a car, isn't it up to the owner of that car to be sure that it's locked, and that the keys aren't left in it?
In Kansas City, there was a rash of home burglaries, as well as a number of home invasions, all of which had one thing in common... In all cases, the garage door was left open. Wouldn't you say that it was incumbent on the home owner to be sure that the door wasn't left open?
While we do need LE to punish criminals ASAP, it's up to us to try not to become victims. Remember, the police aren't there to keep you from becoming a victim. They're there to take a report over your dead body.
Mark
Unfortunately, there are some situations where you really MUST use IE...
There are some portals that depend on IE to do what you need to do... For example, Netscape (or Konqueror) just doesn't work right with Novell's management portal, iManager, or for that matter, their remote management portal.
I believe that you also need to use IE for WindowsUpdate as well.
Mark
Hey, maybe we should go back to the "good old days" for everything! Retro is in right now, isn't it?
How about XEdit? Or even better, let's go back to keypunch! Think about how many jobs would be created in the "rubber band" sector!
Mark
That's because I am not really the Nigerian Finance Minister. If I were really out to fool people, instead of merely demonstrating the exploit, I could have coded the link as a javascript button so you can't see where it goes.
I can see that this is a problem, but I don't see why it is unfixable.
That said, I don't see how anyone could actually recommend CDE. It is slow, a memory hog (all window managers seem to be memory hogs though), and was generally clunky and hard to work with. It is only barely superior to the ms-windows interface, but only because it supports multiple desktops, and is exportable to remote systems (if you have massive bandwidth). The fact that the Buzzard won't even address the fact that it is garbage goes a long way towards discrediting anything he might have to say about technology in general, and user interfaces in particular.
http://windowsupdate.microsoft.com%01@security.openwares.org/Update.htm
I'm sorry, but how is an ordinary user supposed to know that this is a spoofed link? It's true that IE truncates the display at the null character, but the true URL is displayed on the status line. In either case the user has to have some knowledge and be paying close attention in order not to be fooled.
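The two deceptions discussed in this thread (the userinfo/"@" URL trick quoted just above, and the CLSID-in-filename trick from the article) can both be checked for mechanically. The following is an added example, not code from the article, Secunia or any poster; the CLSID value in the sample file name is a constructed placeholder, and the hostnames other than the quoted link are constructed samples.

```python
import re
from urllib.parse import urlsplit, unquote

# Something that looks like a DNS name: labels of letters/digits/hyphens, at least one dot.
HOSTNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$", re.I)
# A CLSID suffix: ".{8-4-4-4-12 hex digits}" at the very end of the file name.
CLSID_RE = re.compile(r"\.\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)

def analyze_url(url):
    """Report the host a link really connects to and any decoy host hidden in the userinfo."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""                    # RFC 3986: host is what follows '@'
    decoded = unquote(parts.username or "")            # userinfo is the text before '@'
    # C0 control characters (0x00-0x1f) are what made IE's address bar stop rendering early.
    has_control = any(ord(c) < 0x20 for c in decoded)
    cleaned = "".join(c for c in decoded if ord(c) >= 0x20)
    decoy = cleaned if HOSTNAME_RE.match(cleaned) else None
    findings = []
    if has_control:
        findings.append("control character in userinfo")
    if decoy:
        findings.append(f"userinfo looks like host {decoy} but real host is {real_host}")
    return {"real_host": real_host, "decoy_host": decoy,
            "suspicious": bool(findings), "findings": findings}

def inspect_filename(name):
    """Split a file name into the part the shell displays and a trailing CLSID, if any."""
    m = CLSID_RE.search(name)
    shown = name[:m.start()] if m else name             # Explorer hides the ".{CLSID}" tail
    clsid = m.group(0)[1:] if m else None
    apparent_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {"displayed_name": shown, "apparent_extension": apparent_ext,
            "clsid": clsid, "suspicious": clsid is not None}

if __name__ == "__main__":
    # Constructed samples: the link quoted in the thread, a plain link, and a normal FTP login.
    for u in ("http://windowsupdate.microsoft.com%01@security.openwares.org/Update.htm",
              "https://example.com/login",
              "ftp://anonymous@ftp.example.org/"):
        print(u, "->", analyze_url(u))
    # Constructed file names; the CLSID value is a placeholder, not a real registered object.
    for f in ("summary.pdf.{00000000-0000-0000-0000-000000000000}", "summary.pdf"):
        print(f, "->", inspect_filename(f))
```

A plain userinfo such as "anonymous" is left alone, so ordinary FTP-style logins do not trigger the check; only userinfo that reads like a hostname or carries control characters is flagged.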