Updated September 30, 1999
Son of "ImportExportFavorites" Security Hole...
Noted Bulgarian Hacker Exposes IE5 'Download Behavior' Privacy Peephole; Netscape is Unscathed
YOU MAY remember the most recent security problem to bite IE5 -- the "ImportExportFavorites" security hole. Well, now there's an allied incursion, the "Download Behavior" privacy peephole.
Where the "ImportExportFavorites" security hole in IE5 opened users' systems to the danger of unauthorized access to their hard drive, the "Download Behavior" privacy peephole can enable malicious webmasters to read files on a user's hard drive.
The problem is this: when a user downloads a Web page using Microsoft IE5, that page can use server-side redirection to execute client-side code capable of accessing files on the user's hard drive and then returning them to the Web server.
Under IE's security architecture, Internet-based Web servers shouldn't be able to access data on client machines because the two do not reside on the same network. But because of a security flaw in the product's "Download Behavior" function call, a malicious server could trick the client into thinking that a downloaded JavaScript or VB Script application resides on the same domain, enabling that application to access local files.
Using code obtained from the noted Bulgarian hacker, Georgi Guninski (http://www.nat.bg/~joro/index.html), KeyLabs verified that a remote JavaScript application could indeed run within a browser's local domain, with full file system access. Guninski was also responsible for popularizing the recent "ImportExportFavorites" security hole. (Hint to Microsoft: on his Web site Guninski says he's looking for a job -- is this all some sort of elaborate job application?)
"This is a very serious bug. The sample code used in our testing opened and then displayed our autoexec.bat file," said Ralph Decker, Lab Director for KeyLabs. "But this code could just as easily have accessed sensitive system files."
KeyLabs also tested Netscape Communications' Communicator 4.61 and found it immune to this form of attack. Because Communicator does not allow remote code to execute locally, it is able to sidestep the issue entirely.
In a Security Bulletin posted this Tuesday, Microsoft acknowledged the flaw. "This is really a risk to privacy," said Scott Culp, product manager in charge of security response at Microsoft. "Hackers can only read files, not modify or delete them."
Culp maintains that a patch is forthcoming from Microsoft and will be posted on Microsoft's Security Advisor site (http://www.microsoft.com/security/) as soon as possible. In the meantime, he recommends that users work around this security issue by disabling Active Scripting.
Until Microsoft provides a security patch, the only solution is to disable Active Scripting through the following steps:
- Within IE 5, select the Tools pull-down menu and click on Internet Options.
- Select the Internet Zone and click on the Custom Level button.
- Look for the Scripting heading and then select the "Disable" setting for Active scripting.
- Click OK twice.
This shotgun solution will keep you safe from malicious server-side code, but it will also prevent you from utilizing client-side code. This means you won't be able to effectively interact with sites that rely upon JavaScript and VB Script to perform even the most menial of tasks, such as form validation routines, image rollovers, and even page formatting directives done through Dynamic HTML.
Microsoft suggests IE5 users can add trusted Web sites one by one to their Trusted Sites Zone from the Security Tab within their Internet Options. "But without a real fix," says Decker, "users who are concerned about personal security will have to either live dangerously or find a new browser."
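An added example, not from the original BugNet article: a small Python check that reads a registry export and reports whether the Active Scripting workaround above is in effect for the Internet zone while the Trusted Sites zone can still run scripts. The registry path, the zone numbers and the 1400 value are the standard Windows Internet Settings layout, assumed here rather than stated in the article; the sample export is constructed.

```python
import re

# Standard IE security-zone numbers and the "Active scripting" URL action
# (assumed registry layout, not given in the article).
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
ACTIVE_SCRIPTING = "1400"
POLICY = {0: "enable", 1: "prompt", 3: "disable"}
KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample export: Internet zone disabled, Trusted sites still
# allowed to script, Restricted sites key present without a 1400 value.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1200"=dword:00000003
'''

def active_scripting_by_zone(reg_text):
    """Return {zone_name: policy} for every zone key found in a .reg export."""
    result, zone = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            zone = int(key.group(1))
            result.setdefault(ZONES.get(zone, f"zone {zone}"), "not set")
            continue
        if line.startswith("["):
            zone = None  # some other key; stop attributing values to a zone
            continue
        val = VAL_RE.match(line)
        if val and zone is not None and val.group(1) == ACTIVE_SCRIPTING:
            n = int(val.group(2), 16)
            result[ZONES.get(zone, f"zone {zone}")] = POLICY.get(n, f"unknown ({n})")
    return result

def workaround_applied(reg_text):
    """True only if Active scripting is explicitly disabled in the Internet zone."""
    return active_scripting_by_zone(reg_text).get("Internet") == "disable"

if __name__ == "__main__":
    print(active_scripting_by_zone(SAMPLE_REG), workaround_applied(SAMPLE_REG))
```

A zone reported as "not set" has no explicit value in the export, so the check treats it as not proving the workaround.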
-- Bradley F. Shimmin
© BugNet material copyright 1994-1999 by BugNet.
® BugNet is a Registered Trademark of KeyLabs.
Astonisher.com material is
© Copyright 1973 - 2020 by Bruce Brown and BF Communications Inc.
Astonisher.com is a trademark of BF Communications Inc.
This historic replica of BugNet from the period 1994-1999
is presented by astonisher.com with the permission of BugNet.