
Lock IT Down: Internet Explorer exposes cache location to hackers

Microsoft releases a security patch for Internet Explorer


If you have not patched Internet Explorer as recommended in Microsoft Security Bulletin MS01-015, you are exposing details about the location of your IE cache. In this article, I will explain this vulnerability and show you how to fix it.

The cache vulnerability
IE normally keeps the cache of data it gathers while browsing the Internet in a concealed location, so that any Web site that needs to access the cache can do so only through IE’s built-in security features.

It’s possible for a Web page you visit, or an HTML-encoded e-mail, to exploit a vulnerability in several versions of IE to determine the actual location of this cache on your system. Using this information, a hacker could open the cache and launch compiled HTML help (.chm) files, which store the shortcuts to some of the executable code on your system, allowing remote activation of the programs. Depending on what is loaded on your system, this could be extremely dangerous.

According to Microsoft, this vulnerability affects IE 5.01 and IE 5.5, as well as Windows Scripting Host 5.1 and 5.5. However, since Microsoft no longer supports earlier versions of either program, it doesn’t take any position on whether earlier releases of IE or WSH are vulnerable. Obviously, security managers need to assume that they are.

Danger level
By restricting browsing to trusted sites and never opening HTML e-mail from untrusted sources (bearing in mind that various viruses can hijack e-mail lists, causing false addresses to appear in the From line), users can avoid this problem entirely. So the actual level of danger for your organization depends, to a great extent, on how responsible your users are when surfing the Web.

Of course, some users are required by their jobs to read e-mails from new contacts and browse the Web in search of new products or ideas. These systems are the most vulnerable and must have the new patch installed ASAP.

With the cost of patching an entire office or enterprise being quite high, managers should evaluate whether this particular patch should be applied systemwide or just to the most exposed systems.

According to Microsoft Security Bulletin MS01-015, the new patch also addresses some additional vulnerabilities, including:

“…the ‘Frame Domain Verification’ vulnerability discussed in Microsoft Security Bulletins MS00-033, MS00-055, and MS00-093. The vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site’s domain and the other on the user’s local file system, and then pass information from the latter to the former. This could enable the Web site operator to read, but not change, any file on the user’s local computer that could be opened in a browser window.”

There is also a known Telnet vulnerability. Both the FDV and Telnet problems are relatively minor dangers for most users, but the broader coverage of this patch might influence managers to install it on a wider range of user systems.

The fix
To eliminate these dangers, you need to download and install one or more patches available from Microsoft.
  • “Cached content identification vulnerability and new variant of ‘frame domain verification’ vulnerability:
    “IE 5.01 SP1
    “IE 5.5 SP1
    “Note: Microsoft recommends that all customers install this patch. The patch for IE 5.01 SP1 also eliminates the vulnerabilities discussed in Microsoft Security Bulletin MS00-093; the patch for IE 5.5 SP1 only eliminates the vulnerabilities discussed here.
  • “Windows Scripting Host vulnerability:
    “Windows Scripting Host 5.1
    “Windows Scripting Host 5.5
    “Note: Microsoft recommends that all customers install the patch for their version of Windows Scripting Host. The FAQ provides information for determining which patch to install.
  • “Telnet invocation vulnerability:
    “IE 5.01 SP1 and IE 5.5 SP1
    “Note: Microsoft recommends that customers who have installed Services for Unix 2.0 install this patch.”

Since IE versions earlier than 5.01 are not covered by these very specific patches, the only way to protect systems using other versions of the browser is to first upgrade to IE 5.5 and then apply the patch, or to upgrade to a newer version that includes the patch.

For complete information on these vulnerabilities and patches, see the full text of Microsoft Security Bulletin MS01-015.
