-----Original Message-----
From: NIPC Watch [mailto:nipc.watch@private]
Sent: Thursday, November 29, 2001 3:15 PM
To: daily
Subject: NIPC ASSESSMENT 01-028

National Infrastructure Protection Center
"Multiple Vulnerabilities in Microsoft Internet Explorer - All Versions"
Assessment 01-028
29 November 2001

The National Infrastructure Protection Center (NIPC) continues to track vulnerabilities within Microsoft Internet Explorer (IE). This assessment addresses vulnerabilities that are primary means through which several generations of recent mass-mailer computer worms (i.e., LoveLetter, Nimda, Klez, Badtrans.B) propagate.

First, when Microsoft Windows 95/98/NT/2000 scripting is turned on, IE is vulnerable to an ActiveX and HTML exploit. Any e-mail or web page with scripting that includes the command "GetObject()" as well as an ActiveX html file can view any file on the user's hard drive. This includes password files, cookie files, and/or other files containing personal or sensitive information.

This vulnerability allows an unauthorized person to read or open files on the user's hard drive. The malicious executable program (malware) must request a file that exists on the drive. There are many files universal to Microsoft operating systems containing sensitive information. The Microsoft Windows password files require specific location within the directory structure, as do cookie files that may contain personal information.

A second vulnerability within IE allows a malicious web site to spoof file extensions in the download dialog box to disguise a malware file as a text, image, audio, or other file type. In this scenario, the user will see a dialog window open, asking if the user wants to "Open" or "Save." Should the user decide to open the file, the malware will execute without further prompting, allowing the malware full access to the user's system. This does not require any scripting turned on, but can be called via javascript, inside an iframe, or even as a normal link.

This file extension bug takes advantage of the way IE handles file extensions. The HTML, Web site, e-mail, or any other HTML medium that takes advantage of this can contain a Trojan, backdoor program, or other malware. The file extension could be .txt, .wav, .mp3, or any other file extension. The "Open File" dialog box opens and asks if the user wants to save or open the file from its source. If the user chooses to open the file from its source, the file runs without any further questions or options given to the user.

The NIPC is providing this assessment in order to raise awareness about these significant vulnerabilities which otherwise have not been widely publicized.

NIPC Recommendations:

The NIPC recommends that users consider turning off Active Scripting in Outlook Express (OE) by setting OE to use the "Restricted Sites Zone" (Note that this is the default for Outlook Express 6.0). Users of Outlook should also consider installing the Outlook E-mail Security Update (OESU) which sets Outlook to use "Restricted Sites" by default and blocks access to potentially harmful attachments (Note that the OESU is part of Outlook 2000 SP2 and Outlook XP).

To protect against the ActiveX and HTML exploit, users should consider their web browsing habits. Those who go to untrusted sites can turn off ActiveX and all scripting through IE's security settings in the "Internet" zone and move sites that they trust into the "Trusted Sites" zone.

It is further recommended that users consider not downloading anything from unknown or untrusted sources and verify the e-mail attachment before saving or executing. Users should also consider only downloading or accepting files from a trusted source and not relying on the apparent file type.

System administrators and home users are strongly encouraged to patch vulnerable system software as the primary means of defense against this and similar exploits (i.e., LoveLetter, Nimda, Klez, Badtrans.B). Administrators and users are also advised to keep their anti-virus current by frequently checking vendor Web sites for updates and routinely checking for alerts issued by the NIPC, CERT/CC, and other similar organizations.

The following link contains additional information on this threat:
http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@private ml <http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@private tml>

Microsoft has made available a patch for Outlook and Outlook Express to prevent this exploit from automatically executing, which can be found at:
http://www.microsoft.com/technet/security/bulletin/ms01-020.asp

Recipients of this advisory are further encouraged to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to other appropriate authorities. Incidents may be reported online using http://www.nipc.gov/incident/cirr.htm . The NIPC Watch and Warning Unit can be reached at (202) 323-3205, 1-888-585-9078 or nipc.watch@private
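
The recommendation not to rely on the apparent file type can be enforced mechanically at a mail gateway or download proxy by comparing a file's leading bytes with what its name claims. The Python below is an added example, not part of the NIPC assessment; the function names, the extension table and the sample byte strings are constructed for illustration.

```python
import os

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring any file name."""
    if data[:2] == b"MZ":
        return "executable"          # DOS/Windows executable header
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    if data[:3] == b"ID3" or (
            len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"                 # ID3v2 tag or MPEG audio frame sync
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    # Plain text has no signature: accept only printable bytes and whitespace.
    if data and all(b >= 0x20 or b in b"\t\r\n" for b in data):
        return "text"
    return "unknown"

# What each benign-looking extension is allowed to contain (assumed table).
EXPECTED = {".txt": "text", ".wav": "wav", ".mp3": "mp3",
            ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}

def verdict(filename: str, data: bytes):
    """Return (action, detected_kind) for a file name and its content."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    claimed = EXPECTED.get(ext)
    if claimed is None:
        return ("unlisted", kind)    # extension outside this check's table
    if kind == claimed:
        return ("consistent", kind)
    if kind == "executable":
        return ("block", kind)       # program content behind a data extension
    return ("review", kind)          # some other mismatch

# Constructed samples: (name shown to the user, first bytes of the content).
SAMPLES = [
    ("notes.txt", b"Meeting at 10:00\r\n"),
    ("song.mp3", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("clip.wav", b"RIFF\x24\x00\x00\x00WAVEfmt "),
    ("photo.jpg", b"GIF89a\x01\x00\x01\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, verdict(name, head))
```

The check is deliberately conservative: a text file that happens to begin with the letters "MZ" is treated as executable content and blocked.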