DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  IE


SYSTEMS AFFECTED

  Win '95, Win NT, Win '97 (Memphis), IE 3.0

  

PROBLEM


    Initial discovery of this vulnerability is by David Ross
    [Widdle Doggie Now!].  Help was obtained from Dennis Cheng and
    Asher Kobin.



    On certain machines running Internet Explorer 3.0, an icon can be
    embedded within a web page.  When double-clicked, this icon may
    run a remote application without warning.  This is not the same as
    the ".LNK and .URL" bug discovered recently.  Be very afraid.



    The problem is significantly more serious if the user is on a
    platform with CIFS (Windows NT 4.0 with Service Pack 1 or later
    installed).  If this is the case, the location of the malicious
    executable code to be run on the victim's machine could be
    anywhere on the Internet.  If this is not the case, the location
    of the machine containing the code is restricted to within the
    scope of Windows name resolution.  For example, the host must be
    either on the same subnet, listed in the victim's LMHOSTS file,
    or listed on the victim's WINS server.



    Working examples of this bug are provided on a separate page of
    the site that pointed out this vulnerability.  Please check out:



        http://dec.dorm.umd.edu/index.htm



    A note about this separate page: the examples are kept on a
    separate page because Windows name resolution often forces
    Internet Explorer to block for 10 to 15 seconds.  If this happens,
    just wait it out; your computer has not crashed.  If you are using
    Internet Explorer on a machine that doesn't have CIFS, the wait
    period may be significantly longer while Windows name resolution
    times out.  It should be noted, however, that CIFS is required for
    these examples to function.



    Internet Explorer enables a user to use a URL describing a remote
    directory.  When a user clicks on such a link, they are brought to
    what is essentially a Windows Explorer window, but inside of
    Internet Explorer.  If this URL is used as the basis for an
    <IFRAME> tag, an embedded frame can be created with what is
    essentially a Windows Explorer window inside.  If this window is
    made small enough, it appears to be some sort of button, one which
    runs a remote program when double-clicked.  CIFS allows a machine
    to use the IP or hostname provided in the URL as a way of
    contacting the remote host containing the executable.
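
    A defensive check for the pattern described above, as an added
    example that is not part of the original advisory: it scans HTML
    for <IFRAME> tags whose SRC names a remote host and notes whether
    the frame is small enough to pass as a button.  The file: and UNC
    URL forms, the 100-pixel threshold and the sample page are
    assumptions; the advisory does not give them.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_SUSPECT_PX = 100  # assumed cut-off for a frame that could pass as a button

def is_remote_directory_url(src):
    """True when src names a remote host as a UNC path or file: URL (assumed forms)."""
    s = src.strip()
    if s.startswith("\\\\"):                    # \\host\share
        return True
    parts = urlsplit(s)
    if parts.scheme.lower() != "file":
        return False
    if parts.netloc and parts.netloc.lower() != "localhost":
        return True                             # file://host/share
    return parts.path.startswith("//")          # file:////host/share

def _px(value):
    """Pixel count from '36' or '36px'; None for percentages or missing values."""
    v = (value or "").strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None

class FrameAuditor(HTMLParser):
    """Collects <IFRAME> tags whose SRC points at a remote directory."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "iframe" or not is_remote_directory_url(a.get("src", "")):
            return
        dims = [_px(a.get(d)) for d in ("width", "height")]
        small = all(d is not None and d <= MAX_SUSPECT_PX for d in dims)
        self.findings.append(
            {"line": self.getpos()[0], "src": a["src"], "button_sized": small})

def audit_html(html):
    """Return one finding per suspicious <IFRAME>, in document order."""
    auditor = FrameAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; hosts and paths are placeholders.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.example.com/news.htm" width="400" height="300"></iframe>
<iframe src="file://fileserver.example/public/" width="36" height="36"></iframe>
<iframe src="\\\\fileserver.example\\public" width="600" height="400"></iframe>
<iframe src="file:///C:/docs/index.htm" width="32" height="32"></iframe>
</body></html>"""
```

    Findings with button_sized set are the ones matching the
    disguised-button case; a large frame onto a remote share is still
    reported so it can be reviewed.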





EXPLOIT

  

SOLUTION


    Microsoft was contacted and they made a fix.  You can download
    the fix at the following address:



        http://www.microsoft.com/ie