17 Holes Found in Internet Explorer

A study by Shake Communications Pty Ltd found 17 vulnerabilities in Microsoft Internet Explorer, including Versions 3 and 4. Shake Communications compiled the results by surveying computer security bureaus and hacker groups worldwide. This forms part of a comprehensive 6 week study into the vulnerabilities existing in all hardware, operating systems, applications, programming languages and Unix commands used by organisations around the world today.

A Vulnerabilities Database has been developed to describe each vulnerability and provide a link to, or description of, the associated fix or patch (if available). This Database is available at http://www.shake.net. Importantly, the study will be ongoing and the Vulnerabilities Database updated on a daily basis as new vulnerabilities and fixes are found.

Microsoft is aware of many of these holes and has developed the appropriate patches. However, the software maker hardly publicises the fact that it has fixed vulnerabilities in its software. Indeed, it is likely that many organisations and PC owners are unaware of these holes, let alone the patches. More significant is that, as of writing, some quite serious vulnerabilities have no known solutions. These include a hole enabling a bad Web Site to capture e-mail and log-in user IDs and passwords!

The nature of these holes varies. Some are exploitable when the browser visits a malicious Web Site; others are triggered by a series of intentional or accidental commands. Many of these holes give unauthorised users access to an organisation's network or an individual's PC system. Having gained access, hackers are capable of causing further damage by cracking passwords, stealing or deleting files, even bringing down the entire network. The costs of an incident could range from thousands to millions of dollars. If you use Internet Explorer, be aware of its holes and the associated threats, and take preventative steps where possible.
This report describes six (6) of the vulnerabilities found in the study, and the associated patches or fixes (if available). Where and how the vulnerabilities can be exploited is not disclosed for security reasons. For details about the remaining vulnerabilities (and any other hardware or software vulnerabilities) contact Shake Communications at info@shake.net or telephone 613+9555 8560.

1. Java Script Allowing Theft of Files from a Remote Computer

A hole in the Internet Explorer extensions to Java, including Java Script, makes it possible for an attacker to obtain the contents of any text and HTML files on a remote computer. The problem exists even if a user has activated the highest security level in his or her browser. Files on a corporate intranet are equally as vulnerable and are not protected by a firewall configured to shield the intranet.

The hole exists in both the English and German versions of Internet Explorer 4.0, so a patch must be downloaded from http://www.microsoft.com. Subscribers to the Shake Vulnerabilities Database can access the direct link. Go to http://www.shake.net/vulnerabilities .

2. Multiple Programming Flaws in the HTML Decoding System

Multiple programming flaws in the HTML decoding system can enable a remote user to cause an application page fault, which could cause the application to crash. Alternatively, the remote user can execute arbitrary precompiled native code, which could be used to delete files, steal passwords, cause the system to reboot, and any number of other actions. Enabling the highest security level for that particular zone will not provide protection.

The systems affected are the Internet Explorer 4.0(1) Suite, Outlook Express (both mail and news), and Windows Explorer used on systems running Windows NT and Windows 95. It has also been reported to affect Internet Explorer 3.0 where you have Visual Studio (VC++/J++ etc) installed on your system.
In order to prevent such assaults it is necessary to download the patch available from Microsoft. Subscribers to the Shake Vulnerabilities Database can access the direct link. Go to http://www.shake.net/vulnerabilities .

3. Icons Running Remote Applications without Warning

A remote user can embed an icon in a Web page. When double-clicked, the icon can execute arbitrary precompiled native code on the system running Internet Explorer. Such an application could cause the system to crash, capture passwords, steal files, delete files and cause other harm.

The susceptible systems are Internet Explorer 3.0 running under Windows 95, Windows 97 (Memphis edition) or Windows NT. The problem is greater if you are using a platform with CIFS (Windows NT 4.0 with Service Pack 1 or later).

The solution is to upgrade to the latest version of Internet Explorer or download the patch from Microsoft. Subscribers to the Shake Vulnerabilities Database can access the direct link. Go to http://www.shake.net/vulnerabilities .

4. Web Sites able to Capture Usernames and Password Hashes

A Web Site can exploit a hole in Internet Explorer which permits a remote user to obtain your e-mail or log-in username and password hash. This could allow an attacker to gain unauthorised access to your machine or e-mail account/s and wreak havoc.

The following systems are vulnerable…

* Internet Explorer 2.0, 3.0, 3.01, 3.02, 4.x (all versions)
* Netscape Navigator 2.x or 3.x (all versions)
* Netscape Communicator 4.x (all versions)
* NCSA Mosaic Version 3.0

…running on any of the following:

* Windows NT 4.0 Workstation (up to and including Service Packs 1-3)
* Windows NT 4.0 Server (up to and including Service Packs 1-3)
* Windows NT 3.51 Workstation (up to Service Pack 5)
* Windows 97 Beta (all Memphis builds)
* Windows 95 configured a particular way in certain Novell environments

At the time of writing, there is no solution.

5. Remote Users able to Capture Windows 95 Login Password

A remote user can exploit a hole in Internet Explorer to obtain the Windows 95 log-in password. The remote user needs an IP address and the workgroup of the target system, which are extremely easy to obtain, especially when the user is connected to the Internet. Consequently, the remote user can connect to the local machine using Dial-up Networking and damage, destroy, delete and otherwise compromise the local machine and/or network.

Internet Explorer (all versions) running under Windows 95 is vulnerable.

Preventative measures include using a proxy firewall or packet filter to close off ports 137, 138 and 139 from external access to your network. However, you are still at risk from internal attacks, so your only other alternative is to use a different browser, such as Netscape Navigator.

6. Unauthorised Users able to See Contents of User's Files

A hole enables unauthorised users to "spy" on the contents of files on a system running Internet Explorer. Malicious Web pages can contain an IFRAME, which can copy HTML or text files from the user's system to any other system. Hence, unauthorised users can access system resources and do what they want with them.

Internet Explorer 4.0 under Windows 95 or Windows NT is vulnerable.

Download the patch from Microsoft. Subscribers to the Shake Vulnerabilities Database can access the direct link. Go to http://www.shake.net/vulnerabilities .

Acknowledgements

Shake Communications Pty Ltd acknowledges the following people and companies for providing the information contained in this report:

* Aaron Spangler
* Andrew McNaughton
* Chris Rioux
* Cybersnot Industries
* David Ross
* DilDog
* The L0pht
* Mark Gazit
* Michael Bernard
* Mudge
* Ralf Hueskes of Jabadoo Communications
* Roman Lasker
* Steve Birnbaum
* Yacov Drori
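Item 5 above recommends closing ports 137, 138 and 139 at the perimeter, and items 4 and 5 both depend on NetBIOS traffic reaching or leaving the network. The following is an added example, not part of the Shake report, that audits a packet-filter connection log for NetBIOS traffic permitted across that boundary in either direction; the key=value log format, the INTERNAL_NETWORKS prefixes and the sample log lines are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Ports the advisory says to close off at the perimeter: NetBIOS name, datagram and session services.
NETBIOS_PORTS = {137, 138, 139}

# Hypothetical: the organisation's own address space; anything outside it counts as external.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample of a packet-filter connection log (key=value style, not any real product's format).
SAMPLE_LOG = """\
1997-10-03T10:12:01 proto=tcp src=192.168.1.25:1041 dst=10.0.0.5:139 action=allow
1997-10-03T10:12:07 proto=tcp src=192.168.1.25:1042 dst=203.0.113.77:139 action=allow
1997-10-03T10:12:09 proto=udp src=192.168.1.25:137 dst=198.51.100.9:137 action=allow
1997-10-03T10:12:15 proto=tcp src=192.168.1.25:1043 dst=203.0.113.77:80 action=allow
1997-10-03T10:13:40 proto=tcp src=203.0.113.200:3311 dst=192.168.1.25:139 action=allow
"""

@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    direction: str  # "egress" = internal host reaching NetBIOS ports outside; "ingress" = the reverse

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETWORKS)

def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port, action) for one key=value log line."""
    timestamp, *tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens)
    src_ip, _ = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return timestamp, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port), fields["action"]

def find_netbios_exposure(log_text):
    """Flag permitted NetBIOS traffic that crosses the perimeter in either direction."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        timestamp, src, dst, dst_port, action = parse_line(line)
        if dst_port not in NETBIOS_PORTS or action != "allow":
            continue
        if is_internal(src) and not is_internal(dst):
            findings.append(Finding(timestamp, str(src), str(dst), dst_port, "egress"))
        elif is_internal(dst) and not is_internal(src):
            findings.append(Finding(timestamp, str(src), str(dst), dst_port, "ingress"))
    return findings
```

On the sample log this reports the two internal-to-Internet NetBIOS connections and the one inbound session to port 139, while the internal-only and port 80 lines pass; a filter that implements item 5's advice should leave this list empty.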