[Dshield] An unfixed highly critical vulnerability discovered in Microsoft Internet Explorer

Laura Vance vancel at winfreeacademy.com
Thu Apr 8 19:24:57 GMT 2004

After reading the sites that reported it, it seems like there is really 
nothing to stop it, because it's using a "feature" of MSIE and 
MSOutlook.  It's supposed to be able to allow sites to pop up help 
windows that completely mimic the OS's help system so the user doesn't 
get all confused by different styles of help.  As long as web sites are 
allowed to store help files on the local machine, there is no safety 
net.  Unless they add security that doesn't allow web sites to put files 
on the local machine in a trusted location.  The description said that 
they didn't even have to store the help file on the local machine, all 
they had to do is provide a bogus help file name then an alternate help 
file from a web server somewhere, and when the bogus one failed, the 
Internet one is followed with local machine privileges executing 
whatever malicious script is in it.

Jon R. Kibler wrote:

>"Johannes B. Ullrich" wrote:
>>There is no good workaround. Disabling Active X will not help.
>Q #1: Is it possible to create a Trojan web site that would contain
>a link that could infect a system in a manner similar to an email?
Yes, but you don't even have to know that it's happening, because sites 
can put their help files on your system with no user interaction.

>Q #2: If the AV sigs are up to date, will that stop the worm, or as
>Johannes' email says "Just clicking on the URL sent by the worm will 
>get you infected. NO POPUPS! NO WARNINGS!" (Does that mean you will
>get infected even if you have the latest AV sigs?)
Yes, because the AV doesn't protect against system-allowed functions, 
all that it can do is check the file after it's downloaded, and as your 
help system tries to read it.  But if the help file doesn't contain an 
actual virus, let's say that it just contains a script command to delete 
files on your hard drive... malicious code? yes, but virus?  no.

>Jon Kibler
After he posted that problem, I started trying to find an alternative, 
but it's somewhat difficult to do, because of a few problems.
1. IE allows sloppy (non-standard) HTML coding, and all other browsers 
are more standards-compliant.
2. There are several web sites that want to take advantage of executing 
unprotected code on the local machine.
3. Some web sites do a browser check and block any non IE browsers, even 
if the browser is perfectly capable of handling the page.

One way around 2 and 3 is to install Opera.  It can tell the server that 
it's IE6.0, and the server lets it in just fine.  It also internally 
handles VBScript and other proprietary code that may not work with 
Mozilla.  I prefer Mozilla, but Opera might be the browser of choice if 
it can work with all of the IE-specific sites that our users would 
need to access.

I hope this info helps.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools, Data-Business Office
Irving, Tx  75061
Web: www.winfreeacademy.com
