-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================


===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Rene Ritzen                                 Index  :    S-97-17
Distribution  : World                                       Page   :
Classification: External                                    Version:
Subject       : Microsoft Internet Explorer Vulnerability   Date   :  05-mar-97
===============================================================================

By courtesy of web-exposed information from Paul Greene, Geoffrey Elliott
& Brian Morin, checks by Jorg Bosman of the SURFnet Expertise Centre (SEC),
and public confirmation by Microsoft,
CERT-NL passes on information on a vulnerability in Microsoft Internet
Explorer version 3.01 and earlier for Windows 95 and Windows NT.

Microsoft Internet Explorer will execute ".LNK" and ".URL" files appearing on
webpages - this execution can result in many things up to your hard disk being
deleted. Having tweaked Internet Explorer to its highest security level,
including having excluded JAVA and ActiveX, *does not help*.

Microsoft published a bug-fix. We recommend to either install this bug-fix, or
*not use* Internet Explorer.

Details and fix information follow below.

===============================================================================


I. DETAILS

Quote from Greene, Elliott & Morin
<http://http://www.cybersnot.com/iebug.html> :

	[BEGIN QUOTE]

	Internet Explorer Bug 2/27/97 (Version 3.0 (4.70.1155))

	Microsoft Internet Explorer v3.01 (and earlier?) has a serious bug
	which allows web page writers to use ".LNK" and ".URL" files to run
	programs on a remote computer. This bug is particularly damaging
	because it uses NO ActiveX and works even when Internet Explorer is
	set to its highest security level.
	It was tested on Microsoft Internet Explorer Version 3.0 (4.70.1155)
	running Windows 95. This demo assumes that Windows is installed in
	"C:\WINDOWS". Windows 95 DOES NOT PROMPT BEFORE EXECUTING THESE FILES.

	.URL files are WORSE than .LNK files because .URLs work in both
	Windows 95 and Windows NT 4.0 (.LNK's only work in Windows 95).
	.URL files present a possibly greater danger because they can be
	easily created by server side scripts to meet the specific settings
	of a user's system. [...]

	The "shortcuts" can be set to be minimized during execution which
	means that users may not even be aware that a program has been started.
	Microsoft's implementation of shortcuts becomes a serious concern if
	a webpage can tell Internet Explorer to refresh to an executable.
	Or worse, client side scripts (Java, JavaScript, or VBScript) can use		the
        the Explorer object to transfer a BATCH file to the target machine
	and then META REFRESH to that BATCH file to execute the rogue
	command in that file.

	The following table outlines which areas and users each shortcut
	type effects:

            File | Windows| Windows| Execute| Command  | Searches|
            Type |   95   |   NT   |  Apps  | Line Args| Path    |
                 |        |        |        |  Allowed |         |
            ======================================================
            .LNK |   Yes  |   No   |   Yes  |   Yes    |  No     |
            ------------------------------------------------------
            .URL |   Yes  |   Yes  |   Yes  |   No     |  Yes    |
            ======================================================
                        Security Comparision .URL vs .LNK

	Naturally, the files must exist on the remote machine to be properly
	executed. But, Windows 95 comes with a variety of potentially
	damaging programs which can easily be executed.
	[...like starting Windows Calculator, or deleting directories...]

 	This bug can be used to wreak havoc on a remote user's machine.
	[...]

	[END QUOTE]


II. FIX INFORMATION

    Microsoft has released a security fix for Microsoft Internet Explorer
    version 3.01 (english version) which can be found at

                 http://www.microsoft.com/ie/security/update.htm

    Fixes for Microsoft Internet Explorer 3.0 for Windows 95 and Windows NT
    4.0 will become available within the next 24 hours.
    Fixes for the International versions will follow in the next few weeks.

    After installing the fix Internet Explorer offers the user a choice
    to either run the .LNK or .URL file or to store it on the local disk.

    In the opinion of CERT-NL this fix is not complete. The user is still
    not able to check in advance if the requested .LNK or .URL is safe to
    run or to download.

    However CERT-NL recommends that users limit the exploitation of this
    vulnerability by immediately installing the Microsoft security fix and
    still check the files they download before they execute them.

============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IUDSYjBqwfc9jEQJn5QCg4komC/qTsCDW84WJwv9y1B+dWaQAn0B8
ZZN/9oglMK0A0ikzhLVkhqGU
=ugKf
-----END PGP SIGNATURE-----