  1. #1
    Super Moderator jscher2000

    Re: Significant Security Hole IE6, Possibly 5X (Win XPP SP1 IE6SP1)

    (Edited by jscher2000 on 28-Jan-04 22:04. See IMPORTANT NOTE)

    Let's take these one at a time, in mostly backwards order:

    1. URL Spoofing

      The idea here is that your browser address bar can display the wrong URL for a web site when a special character is inserted into it. For more information, see this thread from earlier this month.

    2. File Download Extension Spoofing

      As shown in the picture below, a dangerous HTML application file can appear in the Open/Save dialog to be a legitimate file (although perhaps the ... and the missing file type will tip you off that something is weird). As recommended in the fourth link above, always choose Save if you do not totally trust the source. Choosing save will show you that something is very definitely weird and you can cancel the save. Obviously some people will not be so careful, but you should be.

      IMPORTANT NOTE: I used the malware.com site to study the vulnerability because I didn't click the fourth link above. However, the fourth link above appears to be a safer site.

      By the way, the reason an HTA file is more dangerous than an HTML file is that it runs without security restrictions, ignoring the concept of security zones. This is necessary to take full advantage of the programmable functionality of Windows, but with 20-20 hindsight, Microsoft probably never should have invented this technology.

    3. That first one...

      I don't understand this issue. How is someone going to get a malicious folder onto my computer? I think if this is a serious issue for Windows XP, it should be discussed on that board, not here in IE.
    Hope this helps explain some of the above.
    Attached Images

  2. #2
    Gold Lounger

    Re: Significant Security Hole IE6, Possibly 5X (Win XPP SP1 IE6SP1)

    As to URL spoofing, I don't think it's enough to be skeptical, and anyone who is frequenting or knows the Lounge probably already has a healthy modicum of security skepticism. These quick steps may help in addition to the useful suggestions you gave on the linked thread on spoofed URLs:

    Take Steps to Avoid Getting Tricked by Spoof Websites

    I'm trying to research and F/U the other exploits a little bit, and when I clarify the folder aspect of the XP problem, I'll take it up in the XP section if it seems worthwhile. I think the comments and screenshot you just put up can be helpful to people in looking for these--they are for me.

    When you say "in hindsight MS should have never invented this technology," are you talking about HTA files?
    Difference between *.html and *.hta files (http://lists.evolt.org/archive/Week-of-Mon-20011210/064012.html)

    Ed by SMBP: Microsoft referred me to a new KB this afternoon that they said would remedy one of these exploits: 834489: Microsoft plans to release a software update that modifies the default behavior of Internet Explorer for handling user information in HTTP and HTTPS URLs, January 27, 2004. It is the first KB I've ever seen with the title "Microsoft Plans to Release A Software Update..."

    SMBP

  3. #3
    Gold Lounger

    Significant Security Hole IE6, Possibly 5X (Win XPP SP1 IE6SP1)

    There is a potentially devastating security hole in Internet Explorer 6 and possibly earlier versions of IE. This follows the discovery of a vulnerability in Windows XP earlier this week. You could be fooled into downloading files that look safe but could be anything, particularly executables. A demo (POC Proof of Concept Exploit) of both the hole in Windows and the hole in IE is available on Security Company Secunia's sites. The Windows security flaw allows construction of a malicious folder that has both script code and a malicious file. If you are tricked into opening that folder, Windows Explorer will execute the code.

    The latest vulnerability in Internet Explorer can display a fake URL in the address and status bars which is different from the real page location. The idea is to engineer users into revealing sensitive information or executing malware as a download.

    The third vulnerability allows IE to be tricked into opening a file with a different application than the file extension indicates by embedding a CLSID in the file name.

    Privilege Escalation in Windows XP
    New Explorer hole could be devastating; Browser users could be fooled into downloading executable files
    Internet Explorer URL Spoofing Vulnerability
    Internet Explorer File Download Extension Spoofing
    Another IE Spoofing Hole Found

    It would be easy to get people to download the Doom Worm or even worse, to combine this latest hole with the Explorer spoofing problem discovered in December but not fixed by Microsoft. Many articles on the web are speculating that the reason Microsoft has not fixed it is because it can't.

    Microsoft has been beefing up security according to a large number of releases from MS Presspass. They hired Scott Charney, an attorney who was Chief of Computer Crime at the U.S. Department of Justice in April sending Howard Schmidt to the President's Critical Infrastructure Protection Board. Mike Nash is Vice President for the Security Business Unit at Microsoft.

    Neither gentleman has had a comment on any of the three exploits, and Microsoft has posted nothing to date on any of its sites. However, on November 19, 2003 Mr. Charney testified to Congress that "Security is the #1 Microsoft Priority."

    SMBP
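
A defender-side check for the two spoofing patterns discussed in this thread (user information placed ahead of the real host in an HTTP/HTTPS URL, and a CLSID embedded in a download's file name), as an added example that is not part of any post. The function names, the host names and the all-zero CLSID are constructed for illustration.

```javascript
// Added example: flag links and download names that match the spoofing
// patterns described in the thread. All sample values are constructed.

// A CLSID written in its registry form: {8-4-4-4-12 hex digits}.
const CLSID_RE = /\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}/i;
// Raw or percent-encoded control characters (0x00-0x1f, 0x7f).
const CONTROL_RE = /%[01][0-9a-f]|%7f|[\u0000-\u001f\u007f]/i;

// Report which host a link really targets and why it may mislead a reader.
function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { host: null, findings: ["unparseable URL"] };
  }
  const findings = [];
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { host: url.hostname, findings };
  }
  // Everything before '@' is user information, not the destination.
  const userinfo = url.password
    ? `${url.username}:${url.password}`
    : url.username;
  if (userinfo) {
    findings.push("user information present before the real host");
    if (userinfo.includes(".")) {
      findings.push("user information resembles a host name");
    }
    if (CONTROL_RE.test(userinfo)) {
      findings.push("control character in user information");
    }
  }
  return { host: url.hostname, findings };
}

// Flag a suggested download name that hides its handler in a CLSID.
function inspectDownloadName(name) {
  const findings = [];
  if (CLSID_RE.test(name)) findings.push("CLSID embedded in file name");
  if (CONTROL_RE.test(name)) findings.push("control character in file name");
  return findings;
}

console.log(inspectLink("http://www.trusted.example%01@other.example/login"));
console.log(inspectDownloadName("report.pdf.{00000000-0000-0000-0000-000000000000}"));
```

The `host` value returned by `inspectLink` is the one to show the user or compare against an allow-list, since it is where the request actually goes.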

  4. #4
    Gold Lounger

    Re: Significant Security Hole IE6, Possibly 5X (Win XPP SP1 IE6SP1)

    MS has addressed one of these exploits with:

    Microsoft Windows Security Bulletin Summary for February, 2004

    Microsoft Security Bulletin MS04-004

    Woody's Windows Watch Feb. 4, 2004 Internet Explorer Double Whammy

    "Speaking of gaping security holes, Internet Explorer has so many known - and actively exploited - security holes that it's hard to keep track.... Microsoft's solution? "Type the URL of your intended destination in the address bar yourself". In other words, if you click on a link, and it looks like you're sitting inside ebay.com or microsoft.com or citibank.com, there's a chance that you're really sitting inside ripoffyourcreditcardnumber.com or tellmeyourpassword.net, and there isn't a single way in the world (aside from writing and running a JavaScript program inside your address bar, fer heaven's sake) that you would know the difference. Any idiot can type a spoofed URL in two seconds flat. Makes you feel secure, eh?"--Woody's Windows Watch Feb. 4, 2004


    SMBP
