Alert: IE 4.0 Security Zone compromise

From: Aleph One (aleph1at_private)
Date: Tue Oct 20 1998 - 09:06:13 PDT


    New Internet Explorer vulnerability. As opposed to what Russ states below
    there is a new risk created by this vulnerability. The default setting for
    authentication in IE for the Medium security setting is to automatically
    logon to machines in the Intranet zone when the web server requests user
    authentication without prompting the user. Nice way for someone to go
    fishing for passwords by posting some message with an embedded URL in a
    newsgroup or mass emailing some corporation.
    
    Aleph One / aleph1at_private
    http://underground.org/
    KeyID 1024/948FD6B5
    Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
    
    ---------- Forwarded message ----------
    Date: Mon, 19 Oct 1998 21:06:16 -0400
    From: Russ <Russ.Cooperat_private>
    To: NTBUGTRAQat_private
    Subject: Alert: IE 4.0 Security Zone compromise
    
    Sune Hansen, Webmaster of <http://www.WorldWideWait.com>, discovered a
    security problem which affects Trust Zones within Internet Explorer
    4.0+.
    
    Basically, if you provide IE with <http://3475932041>, you'll arrive at
    Microsoft's web site. However, it will be listed, and treated, as part
    of your Local Intranet Zone when in fact it should be part of any other
    zone.
    
    For anyone who has made no modifications to their zones (i.e. using the
    defaults supplied with IE), there is no difference since both Local
    Intranet Zone and Internet Zone are set to "Medium" security.
    
    If, however, modifications have been made to the zone security
    configuration such that, for example, the Internet Zone is more
    restrictive than the Local Intranet Zone, then the fact such 32-bit URLs
    end up being seen by IE as trusted can create a problem.
    
    IE appears to assume that anything it sees without a period in the URL
    should be treated as part of the Local Intranet Zone. Winsock then takes
    the address and properly translates it to a reachable IP address (you
    could just as easily use PING or some other utility with such an
    address).
    
    Sune tested this on Windows '98, and I've tested it on NT 4.0 SP4 RC2
    with IE 4.0 (SP1;2735 - 4.72.3110.8), and both caused the same problem.
    
    Essentially the problem exists within IE, and not NT, but since Sune is
    frantically seeking out media outlets to report the story, I figured it
    was worth a note here. Microsoft did receive a brief message from Sune
    on Sunday morning, although they were made more aware of the issues by
    the media trying to verify Sune's claims.
    
    I'm not trying to downplay the problem. Anyone who is using Trust Zones
    should understand that they, alone, will not prevent a site from placing
    a URL in the above fashion and causing a site to be viewed as a Local
    Intranet Zone site. Proxies, and Firewalls, however, are not affected by
    this and will properly enforce restrictions if so configured. The
    problem appears to reside entirely within the mechanism that IE uses to
    determine if something is part of the Local Intranet Zone when no
    servers are configured in that zone.
    
    My conversations with Microsoft indicate we will hear more when they
    have more fully investigated the ramifications of the issue.
    
    Cheers,
    Russ
    
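The 32-bit URL from the report, run through a host-normalisation check written for this archive page as an added example (it is not code from Sune, Russ, Microsoft or IE). It expands a bare decimal host to its dotted quad before the "no period means Local Intranet" rule the report describes is applied, so the rule sees the canonical form; the `naive_zone`/`hardened_zone` names are hypothetical.

```python
from urllib.parse import urlsplit


def int_to_dotted_quad(value: int) -> str:
    """Expand a 32-bit integer into dotted-quad notation (207.46.131.137 style)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit address")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_host(host: str) -> str:
    """Return the canonical form of a URL host.

    A host made only of decimal digits is the 'no period' integer form the
    report describes; it is expanded to dotted quad. Other hosts are only
    lower-cased. (Hex/octal numeric forms are deliberately out of scope here.)
    """
    host = host.strip().lower()
    if host.isdigit():
        return int_to_dotted_quad(int(host))
    return host


def naive_zone(host: str) -> str:
    # The heuristic the report attributes to IE: no period -> Local Intranet.
    return "Local Intranet" if "." not in host else "Internet"


def hardened_zone(host: str) -> str:
    # Same heuristic, but applied to the canonical host, so a dotted quad
    # written as one integer is no longer mistaken for an intranet name.
    return naive_zone(normalize_host(host))


def classify_url(url: str) -> dict:
    """Compare both zone decisions for the host of a URL."""
    host = urlsplit(url).hostname or ""
    return {
        "host": host,
        "canonical": normalize_host(host),
        "naive": naive_zone(host),
        "hardened": hardened_zone(host),
    }


if __name__ == "__main__":
    # Sample URL constructed from the value quoted in the report.
    print(classify_url("http://3475932041"))
```

Plain single-label names (an unqualified intranet server name) still classify as Local Intranet under both rules; only the integer form changes zone.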
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:02 PDT