CRIME FW: NIPC ASSESSMENT 01-028

From: Goerling, Richard J. LT (TAD to CGIC Portland) (RIGoerling@private)
Date: Thu Nov 29 2001 - 15:31:07 PST

    -----Original Message-----
    From: NIPC Watch [mailto:nipc.watch@private]
    Sent: Thursday, November 29, 2001 3:15 PM
    To: daily
    Subject: NIPC ASSESSMENT 01-028
    
    
    National Infrastructure Protection Center 
    "Multiple Vulnerabilities in Microsoft Internet Explorer - All Versions" 
    Assessment 01-028 
    29 November 2001
    
    The National Infrastructure Protection Center (NIPC) continues to track
    vulnerabilities within Microsoft Internet Explorer (IE). This assessment
    addresses vulnerabilities that are the primary means through which several
    generations of recent mass-mailer computer worms (e.g., LoveLetter, Nimda,
    Klez, Badtrans.B) propagate. 
    
    
    First, when Microsoft Windows 95/98/NT/2000 scripting is turned on, IE is
    vulnerable to an ActiveX and HTML exploit. Any e-mail or web page with
    scripting that includes the command "GetObject()" as well as an ActiveX HTML
    file can view any file on the user's hard drive. This includes password
    files, cookie files, and/or other files containing personal or sensitive
    information. 
    
    
    This vulnerability allows an unauthorized person to read or open files on
    the user's hard drive. The malicious executable program (malware) must
    request a file that exists on the drive. There are many files universal to
    Microsoft operating systems that contain sensitive information. The Microsoft
    Windows password files require a specific location within the directory
    structure, as do cookie files that may contain personal information. 
    
    
    A second vulnerability within IE allows a malicious web site to spoof file
    extensions in the download dialog box to disguise a malware file as a text,
    image, audio, or other file type. In this scenario, the user will see a
    dialog window open, asking if the user wants to "Open" or "Save." Should
    the user decide to open the file, the malware will execute without further
    prompting, allowing the malware full access to the user's system. This does
    not require scripting to be turned on, but can be called via JavaScript,
    inside an iframe, or even as a normal link. 
    
    
    This file extension bug takes advantage of the way IE handles file
    extensions. The HTML, Web site, e-mail, or any other HTML medium that takes
    advantage of this can contain a Trojan, backdoor program, or other malware.
    The file extension could be .txt, .wav, .mp3, or any other file extension.
    The "Open File" dialog box opens and asks if the user wants to save or open
    the file from its source. If the user chooses to open the file from its
    source, the file runs without any further questions or options given to the
    user. 
    
    
    The NIPC is providing this assessment in order to raise awareness about
    these significant vulnerabilities, which otherwise have not been widely
    publicized. 
    
    
    NIPC Recommendations: 
    
    
    The NIPC recommends that users consider turning off Active Scripting in
    Outlook Express (OE) by setting OE to use the "Restricted Sites Zone" (Note
    that this is the default for Outlook Express 6.0). Users of Outlook should
    also consider installing the Outlook E-mail Security Update (OESU) which
    sets Outlook to use "Restricted Sites" by default and blocks access to
    potentially harmful attachments (Note that the OESU is part of Outlook 2000
    SP2 and Outlook XP). 
    
    
    To protect against the ActiveX and HTML exploit, users should consider their
    web browsing habits. Those who go to untrusted sites can turn off ActiveX
    and all scripting through IE's security settings in the "Internet" zone and
    move sites that they trust into the "Trusted Sites" zone. 
    
    
    It is further recommended that users consider not downloading anything from
    unknown or untrusted sources and verify the e-mail attachment before saving
    or executing. Users should also consider only downloading or accepting files
    from a trusted source and not relying on the apparent file type. 
    
    
    System administrators and home users are strongly encouraged to patch
    vulnerable system software as the primary means of defense against this and
    similar exploits (e.g., LoveLetter, Nimda, Klez, Badtrans.B).
    Administrators and users are also advised to keep their anti-virus current
    by frequently checking vendor Web sites for updates and routinely checking
    for alerts issued by the NIPC, CERT/CC, and other similar organizations. 
    
    
    The following link contains additional information on this threat:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@private
    ml
    
    
    Microsoft has made available a patch for Outlook and Outlook Express to
    prevent this exploit from automatically executing, which can be found at:
    http://www.microsoft.com/technet/security/bulletin/ms01-020.asp
    
    
    Recipients of this advisory are further encouraged to report computer
    intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm)
    or the NIPC, and to other appropriate authorities. Incidents may be
    reported online using http://www.nipc.gov/incident/cirr.htm. The NIPC
    Watch and Warning Unit can be reached at (202) 323-3205, 1-888-585-9078
    or nipc.watch@private 



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:35:57 PDT