Security Alert

Patches that secure your system against mischief-mongers on the Net
Pragya Madan

Monday, September 04, 2000

One patch fits all

Microsoft has released a patch that fixes lots of old and new vulnerabilities in IE 4 and 5, and one in IE 5.5. Most of these have the potential to expose your private data over the Internet while you’re surfing. The patch is available at: www.microsoft.com/windows/ie/download/critical/patch11.htm. Some of the vulnerabilities it fixes are explained below.

"Frame domain verification" vulnerability

This vulnerability lets a malicious Website operator read files on the machine of a visiting user.

A malicious Website operator could open a frame within a browser window on your machine, and display a file from your local machine on it. Ideally, IE’s cross-domain security model should prevent the two from reading each other’s data, because the window is in the Website’s domain, while the frame is in the local file system domain. However, because of three functions in IE that don’t perform domain checking properly, script running in the window can send the contents of the frame to the malicious Website, which means that your local data can be read, but not changed, by the Website operator. However, the Website operator could access only files that can be opened in a Web browser, for example, TXT, HTM, or JS files, and he would need to know, or guess, the names and paths of the files he wants to access. Also, you can disable Active Scripting from IE’s Security Settings (see box "Zoning sites" for more details) as a workaround.

Versions affected are IE 4, 4.01, 5, and 5.01.
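The domain check that the cross-domain security model depends on, sketched as an added example (not code from the article or from Microsoft). The names `domain_of`, `same_domain`, `domain_checked`, `Frame` and the sample URLs are hypothetical, and treating every `file:` URL as a single local file system domain is a modelling assumption. The point is that every accessor goes through one shared check, so no single function can skip it.

```python
import functools
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def domain_of(url):
    """Reduce a URL to a comparable security domain (simplified model)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        # Assumption: all local files share one "local file system" domain.
        return ("file", "", None)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def same_domain(url_a, url_b):
    return domain_of(url_a) == domain_of(url_b)

class Frame:
    """A frame with the URL it was loaded from and its rendered text."""
    def __init__(self, url, text):
        self.url = url
        self.text = text

def domain_checked(accessor):
    """Wrap a frame accessor so the caller's domain is always verified first."""
    @functools.wraps(accessor)
    def guarded(caller_url, frame):
        if not same_domain(caller_url, frame.url):
            raise PermissionError(f"{caller_url} may not read {frame.url}")
        return accessor(caller_url, frame)
    return guarded

@domain_checked
def frame_text(caller_url, frame):
    return frame.text

@domain_checked
def frame_url(caller_url, frame):
    return frame.url
```
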

"Scriptlet rendering" vulnerability

An ActiveX control—called Microsoft Scriptlet Component—that ships as part of IE, and is used to render HTML pages, can render non-HTML files as well. Scriptlets are used by Web developers to script code that provides additional services and functions, such as linking Web pages, performing animation, etc, which then appear as part of the base HTML language. Scriptlets are implemented as HTML files, and when a Web page needs to use the additional functionality, it uses the Microsoft Scriptlet Component to render the file in IE. This Component has a vulnerability that enables it to render any type of file. This would not be too big an issue in most cases, because most files don’t contain data that can be interpreted as HTML code.

However, a malicious Website operator could use this vulnerability to introduce valid HTML code into a non-HTML file stored on your machine. He could then use the Scriptlet Component to render this file. This would make the script run in the Local Computer Zone, and would give the operator access to local files on your system. All he needs for doing this is the name and location of any file on your system, in which he can insert the HTML code. What can give him this information is the catalog file of previously-viewed Web pages that IE stores in a known location. This file also contains information provided by the Website. So, the operator could send bogus catalog information that consists of HTML script, and use the Scriptlet Component to render the file and make the script available to his Website.

Versions affected are IE 4.x and 5.x.

"Active Setup Download" vulnerability

This vulnerability allows a malicious Website operator to overwrite files on your system.

The Active Setup Control is an ActiveX control that ships with IE. This control is used to help manage software updates over the Internet, Windows updates, for example. It’s set up to automatically download CAB files that have been digitally signed by Microsoft, which is treated as a "trusted" source, as part of installing software updates on your machine. Two factors lead to the vulnerability—one, the control doesn’t prompt you when downloading a file that has been digitally signed by Microsoft; and two, the caller—the entity who activates the Active Setup Control, in this case the Website from where you’ll download the update—can specify the location and path of the directory where the file is to be installed.

So, what a mischief-monger can do is download Microsoft-signed updates from the Microsoft Website to his own site, and since these are trusted by default, he can then download them to your machine without your knowledge. Since the ActiveX control allows him to specify the path and file name to which the file should be downloaded, he could overwrite any file on your system. If this were a crucial system file, your system could even crash, and you wouldn’t have an inkling of what happened.

However, if you’re running Win 2k, your critical system files would be protected via a feature called System File Protection (SFP). Also, you could use the Security Zones feature in IE. This feature lets you divide the sites you visit into different zones, and grant privilege levels to the sites in these zones (see box "Zoning sites" for more details).

IE 5.5 users can use the patch mentioned above to safeguard themselves against this vulnerability. Users of IE 4.01 SP2, IE 5.01, and IE 5.01 SP1 can download a patch from www.microsoft.com/windows/ie/download/critical/patch8.htm.
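The two factors behind this vulnerability (no prompt for trusted-signed files, and a caller-chosen destination) can be modelled side by side with a hardened installer. This is an added example, not code from the article or from Microsoft; the function names, the `signed_by_trusted` flag standing in for signature verification, and the file names are all hypothetical.

```python
import tempfile
from pathlib import Path

def install_unconfined(dest_path, payload, signed_by_trusted):
    """Flawed model: a trusted signature is the only gate."""
    if not signed_by_trusted:
        raise PermissionError("package is not signed by a trusted publisher")
    Path(dest_path).write_bytes(payload)  # caller-chosen path, silent overwrite
    return Path(dest_path)

def install_confined(staging_dir, name, payload, signed_by_trusted, user_consented):
    """Hardened model: signature, consent, and a confined, non-overwriting write."""
    if not signed_by_trusted:
        raise PermissionError("package is not signed by a trusted publisher")
    if not user_consented:
        raise PermissionError("user did not approve the download")
    staging = Path(staging_dir).resolve()
    target = (staging / name).resolve()
    if staging not in target.parents:
        raise PermissionError("destination escapes the staging directory")
    with open(target, "xb") as fh:  # "x": fail instead of replacing a file
        fh.write(payload)
    return target

def attempt(func, *args):
    """Run an installer call and report the outcome as a short string."""
    try:
        func(*args)
        return "written"
    except (PermissionError, FileExistsError) as exc:
        return type(exc).__name__

def demo():
    """Constructed scenario: a temp directory stands in for the user's disk."""
    with tempfile.TemporaryDirectory() as root:
        staging = Path(root, "staging")
        staging.mkdir()
        system_file = Path(root, "system", "critical.dll")
        system_file.parent.mkdir()
        system_file.write_bytes(b"original")
        signed = b"signed package bytes (constructed)"
        out = {"flawed": attempt(install_unconfined, system_file, signed, True)}
        out["flawed_overwrote"] = system_file.read_bytes() == signed
        system_file.write_bytes(b"original")
        out["traversal"] = attempt(install_confined, staging, "../system/critical.dll", signed, True, True)
        out["absolute"] = attempt(install_confined, staging, str(system_file), signed, True, True)
        out["no_consent"] = attempt(install_confined, staging, "update.cab", signed, True, False)
        out["ok"] = attempt(install_confined, staging, "update.cab", signed, True, True)
        out["repeat"] = attempt(install_confined, staging, "update.cab", signed, True, True)
        out["system_intact"] = system_file.read_bytes() == b"original"
        return out
```
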

"IE Script" vulnerability

This vulnerability can allow malicious script code on a Web page to reference a remotely hosted MS Access file, which in turn can cause a VBA or macro—which could be malicious—in the file to be executed. All this would happen without giving you any prompt or warning.

By default, Access files are marked as unsafe for scripting, but a script tag called the <OBJECT> tag allows the execution of Access files if referenced from a scripted Web page, irrespective of your browser’s settings.

Apart from vulnerabilities fixed by the patch mentioned earlier, another vulnerability has been found in Excel 2000 and PowerPoint 97/2000, which allows a remotely-hosted file to be saved on your hard disk:

"Office HTML Script" vulnerability

This allows malicious script running on a Website to reference an Excel 2000 or PowerPoint 97/2000 file such that a file hosted on the Website can be saved to your hard drive.

For example, an HTML file can contain script code that executes when you reference the file from IE or through a link in e-mail. This script code can then reference a remotely hosted Excel or PowerPoint file, which can invoke a function within VBA (Visual Basic for Applications)—the SaveAs function—to save a file to your local hard drive.

A workaround for this is to disable "Run ActiveX controls and plug-ins" from the security settings in Internet Explorer (see box "Zoning sites" for more details). A patch for this vulnerability is available at:

Excel 2000 and PowerPoint 2000: http://officeupdate.microsoft.com/2000/downloaddetails/Addinsec.htm

PowerPoint 97: http://officeupdate.microsoft.com/downloaddetails/PPt97sec.htm




