[Dshield] An unfixed highly critical vulnerability discovered in Microsoft Internet Explorer
thor at pivx.com
Thu Apr 8 23:19:23 GMT 2004
There's a lot you can do to mitigate against potential impact. In the
case of IE, you can lock down the My Computer zone, restrict privileges
for the Temporary Internet Files, remove unnecessary URL protocol
handlers, implement a deny-all policy for ActiveX components for all
security zones, etc.
Microsoft has documented the security zone settings in IE at KB 182569
I elaborated on this in
US-CERT also just published a CERT advisory and a cyber security
technical advisory about this vulnerability:
One of the fixes that we implemented in Qwik-Fix back in September was
an IEZone lockdown that has proactively prevented every single command
execution vulnerability in Internet Explorer published since then. We
have just released Qwik-Fix Pro at the Gartner Symposium/ItXpo 2004.
Even though we first started discussing this particular vulnerability in
February, we did not need to change the IEZonefix to accommodate this
new IE vulnerability. Mitigating potential impact for entire genres of
vulnerabilities is precisely what Proactive Threat Mitigation is about.
Senior Security Researcher
24 Corporate Plaza #180
Newport Beach, CA 92660
thor at pivx.com
Phone: +1 (949) 231-8496
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
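As an added example (not code from this post, nor PivX's Qwik-Fix), the deny-all ActiveX policy for all five IE security zones mentioned above can be expressed as a PowerShell script against the per-zone registry values that KB 182569 documents. It assumes the per-user HKCU zone keys are authoritative on the machine and that the action codes listed are the ActiveX-related ones from that article; both are assumptions from the documentation, not from this page.

```powershell
# Added example: audit and enforce "Disable" for every ActiveX-related action
# in every IE security zone (0 = My Computer .. 4 = Restricted Sites), using the
# per-zone registry entries described in KB 182569. Assumes HKCU is authoritative.
$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ActiveXActions = @{
    1001 = 'Download signed ActiveX controls'
    1004 = 'Download unsigned ActiveX controls'
    1200 = 'Run ActiveX controls and plug-ins'
    1201 = 'Initialize and script ActiveX controls not marked as safe'
    1405 = 'Script ActiveX controls marked safe for scripting'
}
$Disable = 3   # zone action values: 0 = Enable, 1 = Prompt, 3 = Disable

function Get-ActiveXZoneState {
    # One record per zone/action with the current value and whether it is disabled.
    foreach ($zone in 0..4) {
        $key = Join-Path $ZonesKey $zone
        foreach ($action in ($ActiveXActions.Keys | Sort-Object)) {
            $name  = [string]$action
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Zone     = $ZoneNames[$zone]
                Setting  = $ActiveXActions[$action]
                Value    = $value
                Disabled = ($value -eq $Disable)
            }
        }
    }
}

function Set-ActiveXDenyAll {
    # Set every ActiveX action in every zone to Disable; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($zone in 0..4) {
        $key = Join-Path $ZonesKey $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $ActiveXActions.Keys) {
            $target = "$($ZoneNames[$zone]) / $($ActiveXActions[$action])"
            if ($PSCmdlet.ShouldProcess($target, 'Set to Disable (3)')) {
                Set-ItemProperty -Path $key -Name ([string]$action) -Value $Disable -Type DWord
            }
        }
    }
}

# Apply, then list anything still not disabled (empty output means the policy holds).
Set-ActiveXDenyAll
Get-ActiveXZoneState | Where-Object { -not $_.Disabled } | Format-Table -AutoSize
```

Run `Set-ActiveXDenyAll -WhatIf` first to preview the changes; where zone settings are delivered by policy from HKLM instead, the same action codes apply under that hive.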
From: Laura Vance [mailto:vancel at winfreeacademy.com]
Sent: Thursday, April 08, 2004 12:25 PM
To: General DShield Discussion List
Subject: Re: [Dshield] An unfixed highly critical vulnerability discovered in Microsoft Internet Explorer
After reading the sites that reported it, it seems like there is really
nothing to stop it, because it's using a "feature" of MSIE and
MSOutlook. It's supposed to be able to allow sites to pop up help
windows that completely mimic the OS's help system so the user doesn't
get all confused by different styles of help. As long as web sites are
allowed to store help files on the local machine, there is no safety
net. Unless they add security that doesn't allow web sites to put files
on the local machine in a trusted location. The description said that
they didn't even have to store the help file on the local machine, all
they had to do is provide a bogus help file name then an alternate help
file from a web server somewhere, and when the bogus one failed, the
Internet one is followed with local machine privileges executing
whatever malicious script is in it.
Jon R. Kibler wrote:
>"Johannes B. Ullrich" wrote:
>>There is no good workaround. Disabling Active X will not help.
>Q #1: Is it possible to create a Trojan web site that would contain a
>link that could infect a system in a manner similar to an email?
Yes, but you don't even have to know that it's happening, because sites
can put their help files on your system with no user interaction.
>Q #2: If the AV sigs are up to date, will that stop the worm, or as
>Johannes' email says "Just clicking on the URL sent by the worm will
>get you infected. NO POPUPS! NO WARNINGS!" (Does that mean you will get
>infected even if you have the latest AV sigs?)
Yes, because the AV doesn't protect against system-allowed functions,
all that it can do is check the file after it's downloaded, and as your
help system tries to read it. But if the help file doesn't contain an
actual virus, let's say that it just contains a script command to delete
files on your hard drive... malicious code? yes, but virus? no.
After he posted that problem, I started trying to find an alternative,
but it's somewhat difficult to do, because of a few problems.
1. IE allows sloppy (non-standard) HTML coding, and all other browsers
are more standards-compliant.
2. There are several web sites that want to take advantage of executing
unprotected code on the local machine.
3. Some web sites do a browser check and block any non IE browsers, even
if the browser is perfectly capable of handling the page.
One way around 2 and 3 is to install Opera. It can tell the server that
it's IE6.0, and the server lets it in just fine. It also internally
handles VBScript and other proprietary code that may not work with
Mozilla. I prefer Mozilla, but Opera might be the browser of choice if
it can work with all of the IE-specific sites that our users would
need to access.
I hope this info helps.
Winfree Academy Charter Schools, Data-Business Office
Irving, Tx 75061