(Fwd) serious security problem with Microsoft IE and related t
smd at OCCLUSAL.RUTGERS.EDU
Fri Jan 16 16:25:44 PST 1998
I am not sure if any or all of you are aware of this, but I thought I
would pass this along.
------- Forwarded Message Follows -------
From: hedrick at geneva.rutgers.edu
Date: 16 Jan 1998 13:17:02 -0500
To: net-people at tdmx.rutgers.edu, pc_lan_admins at email.rutgers.edu,
support_staff at nbcs.rutgers.edu
Subject: serious security problem with Microsoft IE and related tools
A serious security problem has been discovered with Microsoft Internet
Explorere and related tools. There is a bug in the parsing of URL's.
With the appropriate URL specification, you can cause whatever code
you want to be executed on a user's machine. The problem occurs when
the user's system looks at the page that has the URL. Thus it is not
necessary for the user to click on the URL. It occurs for both web
page processing and mail processing in Outlook Express. This means
that for the first time the old "Good Times Virus" hoax could actually
be implemented: it is possible to send an email message which will
reformat your hard disk when you read it, if you are reading it with
Outlook Express. Exploits are available (that is, example code has
been distributed that uses the bug, although the example does not do
any damage to your system).
Information in this note is from http://l0pht.com/advisories.html
The problem occurs on both Windows 95 and NT. Exploits are available
for IE 4. There is some suggestion that the problem also exists in IE
3 if you have Visual Studio (VC++/J++ etc) installed on your system.
- exploits are available for Windows 95 OSR1 and OSR2 running IE4.0 or IE4.01
- the problem is believed to exist for Windows 95 OSR1, OSR2 running
IE3.0x+Infoviewer, IE4.0, IE4.01 Windows NT Workstation/Server running
One workaround is suggested:
Turn off MK support in the registry. If you look in the registry,
you'll see a key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\mkenabled set it to NO.
Of course the most obvious approach is not to use IE, particularly
not to read mail.
The mail aspect is the most worrisome. I use my browser to look at
Rutgers sites and a few vendor sites. I doubt that any of the places
I go will hack their web pages. However anyone can send me email.
This is a variant of a bug discovered in November. Apparently it was
clear at that time that the specific problem found was just one of a
class of possible problems. MS chose to fix just the one example,
rather than do a general fix. The same person who found the first one
has now found and publicized this example. Microsoft seems to be
taking the hint. This time they'll fix it right.
More information about the Oradlist