IWS - The Information Warfare Site

ASSESSMENT 01-028

"Multiple Vulnerabilities in Microsoft Internet Explorer - All Versions"
December 04, 2001

[Revision from original indicated in bold]

The National Infrastructure Protection Center (NIPC) continues to track vulnerabilities within Microsoft Internet Explorer (IE). Microsoft's Outlook Express (OE) uses IE to show the text of any e-mail message in the body window of OE. This assessment addresses vulnerabilities that are the primary means through which several generations of recent mass-mailer computer worms (e.g., LoveLetter, Nimda, Klez, Badtrans.B) propagate.

First, when Microsoft Windows 95, Windows 98, Windows NT, and Windows 2000 scripting is turned on, IE is vulnerable to an ActiveX and HTML exploit. Any e-mail or web page with scripting that includes the command "GetObject()" as well as an ActiveX HTML file can view any file on the user's hard drive. This includes password files, cookie files, and/or other files containing personal or sensitive information. This vulnerability allows an unauthorized person to read or open files on the user's hard drive. The malicious executable program (malware) must request a file that exists on the drive. There are many files universal to Microsoft operating systems containing sensitive information. The Microsoft Windows password files require a specific location within the directory structure, as do cookie files that may contain personal information.

A second vulnerability within IE allows a malicious web site to spoof file extensions in the download dialog box to disguise a malware file as a text, image, audio, or other file type. In this scenario, the user will see a dialog window open, asking if the user wants to "Open" or "Save." Should the user decide to open the file, the malware will execute without further prompting, allowing the malware full access to the user's system. This does not require scripting to be turned on, but can be called via JavaScript, inside an iframe, or even as a normal link.

This file extension bug takes advantage of the way IE handles file extensions. The HTML, web site, e-mail, or any other HTML medium that takes advantage of this can contain a Trojan, backdoor program, or other malware. The file extension could be .txt, .wav, .mp3, or any other file extension. The "Open File" dialog box opens and asks if the user wants to save or open the file from its source. If the user chooses to open the file from its source, the file runs without any further questions or options given to the user. The NIPC is providing this assessment in order to raise awareness about these significant vulnerabilities which otherwise have not been widely publicized.

NIPC Recommendations:

The NIPC recommends that users consider turning off Active Scripting in OE by setting OE to use the "Restricted Sites Zone" (Note that this is the default for Outlook Express 6.0). Users of Outlook should also consider installing the Outlook E-mail Security Update (OESU) which sets Outlook to use "Restricted Sites" by default and blocks access to potentially harmful attachments (Note that the OESU is part of Outlook 2000 SP2 and Outlook XP).

To protect against the ActiveX and HTML exploit, users should consider their web browsing habits. Those who go to untrusted sites can turn off ActiveX and all scripting through IE's security settings in the "Internet" zone and move sites that they trust into the "Trusted Sites" zone.

It is further recommended that users consider not downloading anything from unknown or untrusted sources and verify the e-mail attachment before saving or executing. Users should also consider only downloading or accepting files from a trusted source and not relying on the apparent file type.
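One way to act on "not relying on the apparent file type" is to compare the extension a user is shown with what the file's leading bytes actually are. The following is an added example, not part of the NIPC assessment; the function names, verdict labels and sample byte strings are constructed for illustration.

```python
import os

# Content each displayed extension should hold (the extensions named in the assessment).
EXPECTED = {".txt": "text", ".wav": "wav", ".mp3": "mp3"}
# Extensions that honestly announce runnable content.
RUNNABLE_EXTS = {".exe", ".dll", ".scr", ".com"}

def sniff(head: bytes) -> str:
    """Classify content from its leading bytes, ignoring the file name."""
    if head[:2] == b"MZ":  # DOS/PE header used by Windows executables
        return "executable"
    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":
        return "wav"
    # ID3v2 tag, or a coarse MPEG audio frame-sync test (11 set bits)
    if head[:3] == b"ID3" or (
        len(head) > 1 and head[0] == 0xFF and head[1] & 0xE0 == 0xE0
    ):
        return "mp3"
    # Plain text: no control bytes other than tab, LF, CR
    if head and all(b >= 0x20 or b in (9, 10, 13) for b in head):
        return "text"
    return "unknown"

def check_download(shown_name: str, head: bytes):
    """Compare the extension the user sees with what the bytes really are."""
    ext = os.path.splitext(shown_name.strip().lower())[1]
    actual = sniff(head)
    if actual == "executable" and ext not in RUNNABLE_EXTS:
        return ("disguised-executable", actual)
    if ext in EXPECTED and actual != EXPECTED[ext]:
        return ("mismatch", actual)
    return ("consistent", actual)

# Constructed sample headers (not taken from any real file or malware sample).
PE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
WAV_HEAD = b"RIFF\x24\x08\x00\x00WAVEfmt "
TEXT_HEAD = b"Meeting notes\r\nline two\r\n"

if __name__ == "__main__":
    for name, head in [("song.mp3", PE_HEAD), ("clip.wav", WAV_HEAD),
                       ("notes.txt", TEXT_HEAD), ("readme.txt", WAV_HEAD),
                       ("setup.exe", PE_HEAD)]:
        print(name, check_download(name, head))
```

A "consistent" verdict only means the name and the content agree; it says nothing about whether the source is trusted.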

System administrators and home users are strongly encouraged to patch vulnerable system software as the primary means of defense against this and similar exploits (e.g., LoveLetter, Nimda, Klez, Badtrans.B). Administrators and users are also advised to keep their anti-virus current by frequently checking vendor web sites for updates and routinely checking for alerts issued by the NIPC, CERT/CC, and other similar organizations.

The following link contains additional information on this threat: http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html

Microsoft has made available a patch for Outlook and Outlook Express to prevent this exploit from automatically executing, which can be found at: http://www.microsoft.com/technet/security/bulletin/ms01-020.asp

Recipients of this assessment are further encouraged to report computer intrusions to their local FBI office http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to other appropriate authorities. Incidents may be reported online using http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3205, 1-888-585-9078 or nipc.watch@fbi.gov.