
12-14-01, 09:01 AM
SLTrout
Join Date: Nov 2001
Location: Charlotte, NC
Posts: 296
Cumulative IE Patch
__________________
MSI 875P NEO-LSR Mainboard - Intel P4C 3.0Ghz (800Mhz FSB) - 2 x OCZ PC4000 512MB DIMMs - 4 x WD800JB 80GB/8MB Cache (RAID 0+1) - SB Audigy Platinum eX - ATi Radeon 9800 Pro AIW - Sony Trinitron 19" - Windows Server 2003 Enterprise

12-14-01, 09:03 AM
SLTrout
Join Date: Nov 2001
Location: Charlotte, NC
Posts: 296
Quote:
This posting is a revision of the one sent to Bugtraq on 26 Nov 2001 with the subject "File extensions spoofable in Microsoft IE download dialog" and discusses some details and newly found impacts the vulnerability has.
OVERVIEW
Due to a flaw in the way Microsoft Internet Explorer handles certain HTTP reply strings, a web site can spoof the name of a file being requested and disguise it as a harmless file. As opposed to what I stated in the previous posting, a variation of this exploit may cause the browser to download and run a program file automatically without any user interaction or decision. This may lead to system compromise when visiting a malicious web site or opening an HTML mail message which directs the user to such site. Opening an e-mail attachment or accepting a file download is NOT required.
With some versions of IE, the origin web server of the file being downloaded can also be hidden by using a variation of this exploit. In this case it will show an empty string instead of the host name in the download dialog.
Internet Explorer versions 6, 5.5, and 5.0 have been tested and found vulnerable. The only version which hasn't automatically downloaded and started an .exe program in our tests is 5.5 with Service Pack 2. We don't know whether it could be vulnerable to some other variation of the exploit (different MIME types or other HTTP header contents maybe?). It is however vulnerable to the "plain" file name spoofing attack.
VULNERABLE VERSIONS
IE           File ext    Bypassing     Hiding file
Version      spoofing    all dialogs   origin
----------------------------------------------------------
IE 6         yes         yes           no
IE 5.5 SP2   yes         no?           yes
IE 5.5       yes         yes           yes
IE 5.0       yes         yes
DETAILS
The problem is in the way Internet Explorer handles the Content-type and Content-disposition HTTP headers of a web server reply. With certain combinations of specially crafted reply strings, the browser can be made first to start downloading the file without asking for confirmation from the user, and then to open it - or in this case, run it.
The same method which can mislead the user in the "plain" file name spoof variation of the attack can be used to mislead the browser's logic, resulting in automatic execution of the program.
WORKAROUNDS
If the patch for some reason couldn't be applied, disabling file downloads from Tools -> Internet options -> Security -> Custom level -> Downloads/File download seems to stop the exploit. No other known workarounds exist at the moment, except for switching to another browser such as Opera or Netscape, which don't seem to suffer from this problem.
VENDOR STATUS
Microsoft was initially contacted on November 19th with the information regarding the "file extension spoofing" problem. The Security Warning dialogs of IE5 could be bypassed with that exploit, but the "automatically start an .exe" variation of the vulnerability wasn't known at the time. Microsoft didn't consider the file extension spoofing problem a security vulnerability. The company was informed about the new variation on November 27th and started working on a patch to correct the flaw. The patch is now out and downloadable on Microsoft's site at the above URL.
__________________
MSI 875P NEO-LSR Mainboard - Intel P4C 3.0Ghz (800Mhz FSB) - 2 x OCZ PC4000 512MB DIMMs - 4 x WD800JB 80GB/8MB Cache (RAID 0+1) - SB Audigy Platinum eX - ATi Radeon 9800 Pro AIW - Sony Trinitron 19" - Windows Server 2003 Enterprise
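
A proxy- or log-side check for the header pattern the quoted advisory describes, as an added example that is not part of the thread or the advisory. The advisory does not publish the exact header combinations, so the rule (flag an executable `Content-Disposition` file name served with a non-program `Content-Type` or under a different requested extension), the extension and MIME lists, and the names `check_response` and `SAMPLES` are assumptions.

```python
from email.message import Message
import ntpath

# Assumed lists for illustration; tune them for your environment.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".hta", ".vbs"}
PROGRAM_TYPES = {"application/octet-stream", "application/x-msdownload"}

def _ext(name):
    """Lower-cased extension of a path or file name, as Windows would see it."""
    # Windows drops trailing dots and spaces from file names.
    base = ntpath.basename(name).rstrip(". ")
    return ntpath.splitext(base)[1].lower()

def check_response(request_path, header_lines):
    """Return findings for one HTTP response; an empty list means nothing flagged."""
    msg = Message()
    for line in header_lines:
        name, _, value = line.partition(":")
        msg[name.strip()] = value.strip()
    served = msg.get_filename()  # filename= parameter of Content-Disposition
    if served is None or _ext(served) not in EXECUTABLE_EXTS:
        return []
    ext = _ext(served)
    findings = []
    # get_content_type() defaults to text/plain, so report a missing header explicitly.
    ctype = msg.get_content_type() if "Content-Type" in msg else "(missing)"
    if ctype not in PROGRAM_TYPES:
        findings.append(f"type-mismatch: {ctype} served as {ext}")
    requested = _ext(request_path.split("?", 1)[0]) or "(none)"
    if requested != ext:
        findings.append(f"name-mismatch: requested {requested} got {ext}")
    return findings

# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("/docs/readme.txt", ["Content-Type: text/plain",
                          'Content-Disposition: attachment; filename="readme.txt"']),
    ("/docs/readme.txt", ["Content-Type: text/plain",
                          'Content-Disposition: attachment; filename="setup.exe"']),
    ("/dl/setup.exe", ["Content-Type: application/octet-stream",
                       'Content-Disposition: attachment; filename="setup.exe"']),
]

if __name__ == "__main__":
    for path, headers in SAMPLES:
        print(path, check_response(path, headers) or "ok")
```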

12-14-01, 02:24 PM
Senior Member
Join Date: May 2001
Location: Fort Knox, KY
Posts: 541
I hope that this workaround is the last we will need. It seems MS has had a lot of problems lately with vulnerabilities. But I'm sure something else will "pop" up and we'll be back at updating again.
__________________
Serious Soldier

All times are GMT -8.