APPS: Internet Explorer Security Hole

Wayne Fisher (waynef@cyberenet.net)
Fri, 16 Jan 1998 18:08:33 +0000


The following article is quoted from PC World Online...

Just thought I should pass the info on....

- Wayne

Hacker Discovers New Way to Exploit IE Security Bug
by Brian McWilliams, PC World News Radio
January 15, 1998

The tight integration of Internet Explorer with Windows is being
blamed for a new browser security flaw discovered Wednesday.

A Massachusetts college student and hacker named Dildog has
released the source code for an attack that in some circumstances
causes IE4 and IE4.01 to crash and then execute any attached binary
code.

It's a new version of the RES bug discovered by Dildog in November,
different only in that it's launched with a URL that begins with "mk"
instead of one that begins with "res". And it affects not only Windows
95 machines, but NT systems as well.

Dildog told NewsRadio that IE4's buffer overflows when it encounters
a Web page or an HTML e-mail message with the appropriate URL.
That causes the browser to page-fault and then, in some cases, to run
any binary code that's appended to the URL.

"Anything that uses mshtml.dll, or particularly urlmon.dll" is vulnerable,
says Dildog. "Since IE is so integrated, almost all the apps that
Microsoft writes end up using mshtml and urlmon...so they're all
vulnerable."

A demo of the attack, which is available on the Web, causes some
Windows 95 and NT machines to crash and download what Dildog
says is a small, harmless file to your hard drive, which then
automatically executes. Microsoft has not yet commented on the bug.

According to Dildog, there's currently no way for IE4 users to avoid the
flaw, other than to use a different browser. He says there seems to be
"a pattern of coding carelessness on the part of the IE4 people who
wrote that particular section--it's happened twice in the same area. If
there are any more [security holes] in there, how long is it going to be
before people wise up?"