DATE:
COMMAND SOURCE:
AUTHOR:
IE
SYSTEMS AFFECTED
Windows '95, Internet Explorer v3.01
PROBLEM
A newly (at this moment) discovered third bug exploits the fact
that ".isp" script files may be downloaded and executed by
Internet Explorer. This is essentially just another permutation
of the "CyberSnot" bug (see Internet Explorer #1 on Security
Bugware). The author's text can be found at the following address:
http://web.mit.edu/crioux/www/ie/index.html#exploits
The text used here is part of the author's original text. This bug
was discovered by Chris Rioux.
This hole allows a malicious web page to automatically run any
program on the user's hard drive, which means that users of
Internet Explorer could have their hard drives completely
deleted, their private information stolen, or their computer
infected with a virus merely by looking at a web page.
This bug works on a similar principle as the bug discovered at
WPI. However, instead of using .lnk files or .url files, this
bug exploits the fact that other files can also be downloaded and
automatically executed without prompting the user for permission.
This bug is not fixed by the security patch which Microsoft put
out for the WPI bug.
This bug has thus far only been verified on the Windows 95
version of Internet Explorer. This bug does not appear to affect
Windows NT (any service pack/version), in its usual configuration.
On the page mentioned above you can find simple demo exploits which:
* Download a remote file (think about virus)
* Create and delete directories (what about your HD)
* Run a local file (familiar with deltree.exe)
This bug only requires that a user look at a particular web page.
The user does not need to click on any "disguised hyperlinks" for
the bug to be exploited. Our example exploits demonstrate this.
Last time, it was mis-reported that users needed to click on a
disguised hyperlink to activate the exploit. In fact, with a
little more programming it can be made automatic so that a user
only needs to look at a page (as it is with our bug).
EXPLOIT
SOLUTION
Although this is essentially just another permutation of the
"CyberSnot" bug, the patch released by Microsoft to fix the
"CyberSnot" bug does not fix this bug. Microsoft has, however,
released their official patch for this bug:
http://www.microsoft.com/ie/security/download.htm!
There is also a third-party bugfix for those who will not apply
the patch from MS:
* Start up Internet Explorer
* Go to the "View" menu and choose "Options..."
* Click on the "Programs" tab
* In the "Viewers" section, click on the button labeled "File
Types..."
* Scroll down to the "Internet Communication Settings" list
item, and highlight it.
* Click on the "Edit..." button.
* Check the box at the bottom of the window labeled "Confirm
open after download"
* Click OK on all of the windows.
That should cause the browser to prompt the user for what he/she
wishes to do with .ISP files.
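As an added example (not part of the original advisory or the author's code), the Python below audits a registry export for file classes that open after download without confirmation, which is the condition the checkbox in the steps above changes. It assumes, from Windows shell documentation rather than from this page, that the checkbox is stored in the `EditFlags` value under the file class key, with bit 0x00010000 (FTA_OpenIsSafe) set when confirmation is off; the export text and the class names in it are constructed.

```python
import re

FTA_OPEN_IS_SAFE = 0x00010000  # assumed shell flag: open after download, no prompt
# Constructed REGEDIT4-style export; class names and values are made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.isp]
@="ExampleSignupFile"

[HKEY_CLASSES_ROOT\ExampleSignupFile]
@="Internet Communication Settings"
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\ExampleTextFile]
@="Text Document"
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\ExampleLinkFile]
@="Shortcut"
"EditFlags"=dword:00010001
'''

def parse_edit_flags(value):
    """Decode an EditFlags value written as hex: (little-endian bytes) or dword:."""
    kind, _, data = value.partition(":")
    if kind == "dword":
        return int(data, 16)
    if kind.startswith("hex"):
        raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
        return int.from_bytes(raw[:4].ljust(4, b"\0"), "little")
    raise ValueError("unsupported EditFlags encoding: " + value)

def classes_opening_without_prompt(export_text):
    """Return {class: description} for classes whose EditFlags skip the prompt."""
    found, key, desc = {}, None, {}
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = re.fullmatch(r"\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]", line)
            key = m.group(1) if m else None  # ignore subkeys and other hives
        elif key and line.startswith('@="'):
            desc[key] = line[3:-1]
        elif key and line.lower().startswith('"editflags"='):
            if parse_edit_flags(line.split("=", 1)[1]) & FTA_OPEN_IS_SAFE:
                found[key] = desc.get(key, "")
    return found

if __name__ == "__main__":
    print(classes_opening_without_prompt(SAMPLE_EXPORT))
```

Any class the function reports is one where the "Confirm open after download" box is effectively unchecked and is a candidate for the same fix.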