[Dshield] An unfixed highly critical vulnerability discovered in Microsoft Internet Explorer

Thor Larholm thor at pivx.com
Thu Apr 8 23:19:23 GMT 2004

There's a lot you can do to mitigate against potential impact. In the
case of IE, you can lock down the My Computer zone, restrict privileges
for the Temporary Internet Files, remove unnecessary URL protocol
handlers, implement a deny-all policy for ActiveX components for all
security zones, etc.

Microsoft has documented the security zone settings in IE at KB 182569


I elaborated on this in


US-CERT also just published a CERT advisory and a cyber security
technical advisory about this vulnerability:


One of the fixes that we implemented in Qwik-Fix back in September was
an IEZone lockdown that has proactively prevented every single command
execution vulnerability in Internet Explorer published since then. We
have just released Qwik-Fix Pro at the Gartner Symposium/ItXpo 2004.

Even though we first started discussing this particular vulnerability in
February, we did not need to change the IEZonefix to accommodate this
new IE vulnerability. Mitigating potential impact for entire genres of
vulnerabilities is precisely what Proactive Threat Mitigation is about.


Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
thor at pivx.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
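
As an added illustration of the "deny-all policy for ActiveX components for all security zones" mentioned above (this is not code from the original post, from PivX, or from Qwik-Fix): a PowerShell script that writes the Disable value for the ActiveX URL actions into every IE zone for the current user and then audits what is actually set. The zone numbers, action IDs and the 0/1/3 value meanings are those documented in KB 182569; the function names and the audit output format are my own.

```powershell
# Added example, not part of the original post: apply a deny-all ActiveX
# policy to all five IE security zones for the current user, then audit.
# Registry layout, zone IDs and URL action IDs follow KB 182569.

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone IDs (string keys so hashtable lookups are by key, not position)
$Zones = [ordered]@{
    '0' = 'My Computer'
    '1' = 'Local intranet'
    '2' = 'Trusted sites'
    '3' = 'Internet'
    '4' = 'Restricted sites'
}

# ActiveX-related URL actions; the registry value names are these hex strings
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

# Setting values: 0 = Enable, 1 = Prompt, 3 = Disable
$Disable = 3

function Set-DenyAllActiveX {
    # Sets every ActiveX action in every zone (including zone 0, My Computer)
    # to Disable. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($zoneId in $Zones.Keys) {
        $path = Join-Path $ZoneRoot $zoneId
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($action in $ActiveXActions.Keys) {
            $target = "$($Zones[$zoneId]) / $($ActiveXActions[$action])"
            if ($PSCmdlet.ShouldProcess($target, 'Set to Disable (3)')) {
                Set-ItemProperty -Path $path -Name $action -Value $Disable -Type DWord
            }
        }
    }
}

function Test-DenyAllActiveX {
    # Emits one object per zone/action that is NOT set to Disable.
    # No output means every zone denies ActiveX. A missing value means IE
    # is using its built-in default for that zone, which is not a deny.
    foreach ($zoneId in $Zones.Keys) {
        $path = Join-Path $ZoneRoot $zoneId
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($action in $ActiveXActions.Keys) {
            $current = if ($null -ne $props) { $props.$action } else { $null }
            if ($null -eq $current -or $current -ne $Disable) {
                [pscustomobject]@{
                    Zone    = $Zones[$zoneId]
                    Action  = $ActiveXActions[$action]
                    Current = if ($null -eq $current) { 'not set (IE default)' } else { $current }
                }
            }
        }
    }
}

# Usage:
#   Set-DenyAllActiveX -WhatIf                  # preview the changes
#   Set-DenyAllActiveX                          # apply them
#   Test-DenyAllActiveX | Format-Table -AutoSize  # list anything still not Disabled
```

This only changes the current user's settings. KB 182569 also documents the matching keys under HKLM and the Security_HKLM_only policy value that makes IE read zone settings from HKLM alone, which is the route to take when the lockdown has to hold for every account on the machine rather than one profile. Run the audit function after applying, and again periodically: an installer or a user clicking through the Security tab can silently set a zone back to Enable or Prompt.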

-----Original Message-----
From: Laura Vance [mailto:vancel at winfreeacademy.com] 
Sent: Thursday, April 08, 2004 12:25 PM
To: General DShield Discussion List
Subject: Re: [Dshield] An unfixed highly critical vulnerability
discovered in Microsoft Internet Explorer

After reading the sites that reported it, it seems like there is really 
nothing to stop it, because it's using a "feature" of MSIE and 
MSOutlook.  It's supposed to be able to allow sites to pop up help 
windows that completely mimic the OS's help system so the user doesn't 
get all confused by different styles of help.  As long as web sites are 
allowed to store help files on the local machine, there is no safety 
net.  Unless they add security that doesn't allow web sites to put files
on the local machine in a trusted location.  The description said that 
they didn't even have to store the help file on the local machine, all 
they had to do is provide a bogus help file name then an alternate help 
file from a web server somewhere, and when the bogus one failed, the 
Internet one is followed with local machine privileges executing 
whatever malicious script is in it.

Jon R. Kibler wrote:

>"Johannes B. Ullrich" wrote:
>>There is no good workaround. Disabling Active X will not help.
>Q #1: Is it possible to create a Trojan web site that would contain a 
>link that could infect a system in a manner similar to an email?
Yes, but you don't even have to know that it's happening, because sites 
can put their help files on your system with no user interaction.

>Q #2: If the AV sigs are up to date, will that stop the worm, or as 
>Johannes' email says "Just clicking on the URL sent by the worm will 
>get you infected. NO POPUPS! NO WARNINGS!" (Does that mean you will get
>infected even if you have the latest AV sigs?)
Yes, because the AV doesn't protect against system-allowed functions, 
all that it can do is check the file after it's downloaded, and as your 
help system tries to read it.  But if the help file doesn't contain an 
actual virus, let's say that it just contains a script command to delete
files on your hard drive... malicious code? yes, but virus?  no.

>Jon Kibler
After he posted that problem, I started trying to find an alternative, 
but it's somewhat difficult to do, because of a few problems.
1. IE allows sloppy (non-standard) HTML coding, and all other browsers 
are more standards-compliant.
2. There are several web sites that want to take advantage of executing 
unprotected code on the local machine.
3. Some web sites do a browser check and block any non IE browsers, even
if the browser is perfectly capable of handling the page.

One way around 2 and 3 is to install Opera.  It can tell the server that
it's IE6.0, and the server lets it in just fine.  It also internally 
handles VBScript and other proprietary code that may not work with 
Mozilla.  I prefer Mozilla, but Opera might be the browser of choice if 
it can work with all of the IE-specific sites that our users would 
need to access.

I hope this info helps.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools, Data-Business Office
Irving, Tx  75061
Web: www.winfreeacademy.com
