Subject Microsoft Internet Explorer Vulnerability Date 05-mar-97
7c0f6a1c8f592093c6c41103c873326e03d02bceb3e923ad046e161a9bd73ec1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Rene Ritzen Index : S-97-17
Distribution : World Page :
Classification: External Version:
Subject : Microsoft Internet Explorer Vulnerability Date : 05-mar-97
===============================================================================
By courtesy of web-exposed information from Paul Greene, Geoffrey Elliott
& Brian Morin, checks by Jorg Bosman of the SURFnet Expertise Centre (SEC),
and public confirmation by Microsoft,
CERT-NL passes on information on a vulnerability in Microsoft Internet
Explorer version 3.01 and earlier for Windows 95 and Windows NT.
Microsoft Internet Explorer will execute ".LNK" and ".URL" files appearing on
webpages - this execution can result in many things up to your hard disk being
deleted. Having tweaked Internet Explorer to its highest security level,
including having excluded JAVA and ActiveX, *does not help*.
Microsoft published a bug-fix. We recommend to either install this bug-fix, or
*not use* Internet Explorer.
Details and fix information follow below.
===============================================================================
I. DETAILS
Quote from Greene, Elliott & Morin
<http://http://www.cybersnot.com/iebug.html> :
[BEGIN QUOTE]
Internet Explorer Bug 2/27/97 (Version 3.0 (4.70.1155))
Microsoft Internet Explorer v3.01 (and earlier?) has a serious bug
which allows web page writers to use ".LNK" and ".URL" files to run
programs on a remote computer. This bug is particularly damaging
because it uses NO ActiveX and works even when Internet Explorer is
set to its highest security level.
It was tested on Microsoft Internet Explorer Version 3.0 (4.70.1155)
running Windows 95. This demo assumes that Windows is installed in
"C:\WINDOWS". Windows 95 DOES NOT PROMPT BEFORE EXECUTING THESE FILES.
.URL files are WORSE than .LNK files because .URLs work in both
Windows 95 and Windows NT 4.0 (.LNK's only work in Windows 95).
.URL files present a possibly greater danger because they can be
easily created by server side scripts to meet the specific settings
of a user's system. [...]
The "shortcuts" can be set to be minimized during execution which
means that users may not even be aware that a program has been started.
Microsoft's implementation of shortcuts becomes a serious concern if
a webpage can tell Internet Explorer to refresh to an executable.
Or worse, client side scripts (Java, JavaScript, or VBScript) can use the
the Explorer object to transfer a BATCH file to the target machine
and then META REFRESH to that BATCH file to execute the rogue
command in that file.
The following table outlines which areas and users each shortcut
type effects:
File | Windows| Windows| Execute| Command | Searches|
Type | 95 | NT | Apps | Line Args| Path |
| | | | Allowed | |
======================================================
.LNK | Yes | No | Yes | Yes | No |
------------------------------------------------------
.URL | Yes | Yes | Yes | No | Yes |
======================================================
Security Comparision .URL vs .LNK
Naturally, the files must exist on the remote machine to be properly
executed. But, Windows 95 comes with a variety of potentially
damaging programs which can easily be executed.
[...like starting Windows Calculator, or deleting directories...]
This bug can be used to wreak havoc on a remote user's machine.
[...]
[END QUOTE]
II. FIX INFORMATION
Microsoft has released a security fix for Microsoft Internet Explorer
version 3.01 (english version) which can be found at
http://www.microsoft.com/ie/security/update.htm
Fixes for Microsoft Internet Explorer 3.0 for Windows 95 and Windows NT
4.0 will become available within the next 24 hours.
Fixes for the International versions will follow in the next few weeks.
After installing the fix Internet Explorer offers the user a choice
to either run the .LNK or .URL file or to store it on the local disk.
In the opinion of CERT-NL this fix is not complete. The user is still
not able to check in advance if the requested .LNK or .URL is safe to
run or to download.
However CERT-NL recommends that users limit the exploitation of this
vulnerability by immediately installing the Microsoft security fix and
still check the files they download before they execute them.
============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).
All CERT-NL material is available under:
http://cert.surfnet.nl/
In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i
iQA/AwUBOL6IUDSYjBqwfc9jEQJn5QCg4komC/qTsCDW84WJwv9y1B+dWaQAn0B8
ZZN/9oglMK0A0ikzhLVkhqGU
=ugKf
-----END PGP SIGNATURE-----