Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Microsoft To Plug Devastating Browser Download Hole

  • From: Howell, Paul
  • Date: Wed Dec 12 06:24:59 2001

At http://www.newsbytes.com/news/01/172878.html

Microsoft To Plug Devastating Browser Download Hole  

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
11 Dec 2001, 1:09 PM CST

Microsoft [NASDAQ:MSFT] will patch a flaw in its Web browser that could
allow an attacker to silently download and execute malicious programs on the
computers of users who view a specially constructed Web page or e-mail
message.

The patch for Internet Explorer (IE) is currently in testing and could be
released soon, according to Jouko Pynnonen, a security researcher with
Finland's Oy Online Solutions. Pynnonen reported the IE vulnerability to
Microsoft on Nov. 19 and recently tested the software fix at the company's
request. 

The vulnerability affects IE for Windows versions 5, 5.5, and 6, said
Pynnonen. Citing the severity of the flaw, he refused to release technical
details about the method he found for bypassing the browser's system for
securely handling downloaded files. 

A Microsoft spokesperson said the company does not currently have any
information to share on the issue and declined to discuss the status of the
browser patch. 

By design, IE should warn users when they attempt to download and open an
executable file. But as a result of the security flaw, a malicious Web site
could "relatively easily and unnoticeably ... spread virii, install DDoS
zombies or backdoors, format hard disks, and so on," wrote Pynnonen in an
advisory posted Nov. 26 to Bugtraq, a mailing list for security experts. 

Pynnonen revealed that the bug lies in IE's processing of Internet addresses
and "header" information that tells the browser what type of file it is
handling. The flaw is particularly dangerous because it can be exploited
using ordinary Web page code, without help from JavaScript or other
scripting programs, he said. 

Oy Online Solutions offered to demonstrate the flaw at a private Web site
only if recipients of the demo signed an agreement not to disclose
information about the exploit. 

Chris Wysopal, director of research and development for AtStake, a security
consulting firm, characterized the IE download flaw as "a very serious
problem" and potentially one of the most severe ever to affect the browser. 

However, to exploit the vulnerability, "attackers would probably need
control of a Web server so that they could control the information sent in
the HTTP header," Wysopal said. As a result, attacks could be traced to the
malicious site. 

According to Pynnonen, the vulnerability also may affect users of
Microsoft's Outlook and Outlook Express e-mail readers, which rely on IE to
display messages in Web-page or HTML format. Qualcomm's Eudora e-mail
reader, which optionally uses IE for HTML display, could also be vulnerable,
he said. 

Until the patch is available from Microsoft, Pynnonen said concerned users
can temporarily disable IE's ability to download files. To do so, users
should select Internet Options from the Tools menu. Then select the Security
tab and click on Custom Level. Scroll down to the listing for Downloads and
disable file downloads. 

Pynnonen's initial advisory on the flaw did not describe the automatic
downloading vulnerability and was concerned instead with the browser's
failure to properly differentiate between file types. 

A subsequent message sent to Microsoft and Bugtraq Nov. 28 described the
more serious issues but was not published on Bugtraq by joint agreement
between Pynnonen and the list's moderator, the security researcher said. 

Microsoft initially denied that the ability to "spoof" file types in IE
represented a security vulnerability, but the company later changed its
position, according to Pynnonen. 

Last month Microsoft patched a security flaw in IE's handling of browser
cookie files after Pynnonen reported the vulnerability to the company. 

Pynnonen's original report on the IE download spoofing flaw is at
http://www.solutions.fi/index.cgi/news_2001_11_26?lang=eng 

Microsoft's security information site is at
http://www.microsoft.com/technet/security/default.asp 

Reported by Newsbytes, http://www.newsbytes.com . 



