Forwarded From: phreak moi <hackerelitet_private> http://www.wired.com/news/news/technology/story/15530.html Privacy Bug Rash Spreads to IE by Chris Oakes 12:10 p.m. 9.Oct.98.PDT A security hole in the latest version of Internet Explorer could deliver your private computer files to the wrong hands. The bug was uncovered by Juan Carlos García Cuartango, a Spanish Web developer. It apparently allows code on a malicious Web page to steal virtually any file off a user's hard disk. Cuartango posted a description of the problem earlier this week, which only attracted the attention of browser and email-security gurus when it hit a mailing list on Thursday evening. A spokeswoman for Microsoft told Wired News late Friday that the company has confirmed the problem and is working to correct it. She could not say when a fix would be available. This time, it's Microsoft that takes the fall. Two recently discovered bugs affected only Netscape's Navigator browser. Cuartango could be reached for comment. "This [security threat] is probably the worst I've seen because it allows you to upload an arbitrary file," said Richard Smith of Phar Lap Software. Smith tested the bug and found that it causes Internet Explorer 4.01 to upload a file when a browser visits a malicious Web site whose pages contain a simple, but potent, set of JavaScript instructions. The person writing and posting the script needs to know the specific location and name of a user's file in order to retrieve it. But Smith notes that many sensitive files, including a person's email message repository, are kept in a common location under a default and widely known filename. For example, Smith said many email applications keep users' incoming and outgoing messages in the same disk location. It would be a simple matter, he said, for a Web site to take the user's entire inbox. The Windows registry file, he added, is also kept in a common location and, if stolen, would reveal information about the location of other files. The vulnerability is rooted in extensions to hypertext markup language and JavaScript that were added as part of Internet Explorer's latest Dynamic HTML features. The bug doesn't affect versions of Explorer prior to 4.0, Smith said. The vulnerable feature allows sites to include an HTML form on their Web page that will prompt a user to upload a file from the computer to the Web site. Cuartango's site said that Microsoft implemented the feature so that only the user can enter the name of the file to be uploaded. Microsoft explicitly prevented JavaScripts -- basically sections of advanced code -- from being able to modify the contents of the filename field. However, Microsoft programmers overlooked a simple workaround, Cuartango says. The information can be entered by a script by simply using common "copy" and "paste" commands. Though a script cannot enter file data, it is allowed to carry out the pasting function. Therefore, a script can use the function to simply "paste" in the filename, and thereby upload the file. Though Microsoft clearly made an effort to prevent such an exploit, Smith said that companies need to devote more effort to assessing all possible vulnerabilities when implementing new features. -o- Subscribe: mail majordomot_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:07:02 PDT