[ISN] Privacy Bug Rash Spreads to IE

From: mea culpa (jerichot_private)
Date: Fri Oct 09 1998 - 18:03:43 PDT


    Forwarded From: phreak moi <hackerelitet_private>
    
    http://www.wired.com/news/news/technology/story/15530.html
    Privacy Bug Rash Spreads to IE
    by Chris Oakes
    12:10 p.m.  9.Oct.98.PDT
    
    A security hole in the latest version of Internet Explorer could deliver
    your private computer files to the wrong hands. 
    
    The bug was uncovered by Juan Carlos García Cuartango, a Spanish Web
    developer. It apparently allows code on a malicious Web page to steal
    virtually any file off a user's hard disk. Cuartango posted a description
    of the problem earlier this week, which only attracted the attention of
    browser and email-security gurus when it hit a mailing list on Thursday
    evening. 
    
    A spokeswoman for Microsoft told Wired News late Friday that the company
    has confirmed the problem and is working to correct it. She could not say
    when a fix would be available. 
    
    This time, it's Microsoft that takes the fall. Two recently discovered
    bugs affected only Netscape's Navigator browser. 
    
    Cuartango could be reached for comment. 
    
    "This [security threat] is probably the worst I've seen because it allows
    you to upload an arbitrary file," said Richard Smith of Phar Lap Software. 
    
    Smith tested the bug and found that it causes Internet Explorer 4.01 to
    upload a file when a browser visits a malicious Web site whose pages
    contain a simple, but potent, set of JavaScript instructions. 
    
    The person writing and posting the script needs to know the specific
    location and name of a user's file in order to retrieve it. But Smith
    notes that many sensitive files, including a person's email message
    repository, are kept in a common location under a default and widely known
    filename. 
    
    For example, Smith said many email applications keep users' incoming and
    outgoing messages in the same disk location. It would be a simple matter,
    he said, for a Web site to take the user's entire inbox. 
    
    The Windows registry file, he added, is also kept in a common location
    and, if stolen, would reveal information about the location of other
    files. 
    
    The vulnerability is rooted in extensions to hypertext markup language and
    JavaScript that were added as part of Internet Explorer's latest Dynamic
    HTML features. The bug doesn't affect versions of Explorer prior to 4.0,
    Smith said. 
    
    The vulnerable feature allows sites to include an HTML form on their Web
    page that will prompt a user to upload a file from the computer to the Web
    site. 
    
    Cuartango's site said that Microsoft implemented the feature so that only
    the user can enter the name of the file to be uploaded. Microsoft
    explicitly prevented JavaScripts -- basically sections of advanced code --
    from being able to modify the contents of the filename field. 
    
    However, Microsoft programmers overlooked a simple workaround, Cuartango
    says. The information can be entered by a script by simply using common
    "copy" and "paste" commands. 
    
    Though a script cannot enter file data, it is allowed to carry out the
    pasting function. Therefore, a script can use the function to simply
    "paste" in the filename, and thereby upload the file. 
    
    Though Microsoft clearly made an effort to prevent such an exploit, Smith
    said that companies need to devote more effort to assessing all possible
    vulnerabilities when implementing new features. 
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:07:02 PDT